RE: Deliberately create slow SSH response?

Sure, by logic the attack will slow down. It won't prevent continuous
attacks though. So my suggestion is, if the service is used only by certain
IPs, then filter all others.

-----Original Message-----
From: Fromm, Stephen (NIH/NIMH) [C] [mailto:fromms@xxxxxxxxxxxx]
Sent: Thursday, July 10, 2008 12:51 p.m.
To: Sergio Castro; Zembower, Kevin; secureshell@xxxxxxxxxxxxxxxxx
Subject: RE: Deliberately create slow SSH response?

Yes, but if the attacker is coming from one point and takes 30 seconds for
each attempt, versus 0.03 seconds...

Stephen J. Fromm, PhD
Contractor, NIMH/MAP
(301) 451-9265

-----Original Message-----
From: Sergio Castro [mailto:sergio.castro@xxxxxxxxxx]
Sent: Wednesday, July 09, 2008 1:15 PM
To: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
Subject: RE: Deliberately create slow SSH response?

The brute force attacks are most likely automated, so if your objective is
to bore a human to death with 30 second delays, it won't work.

Have you thought about limiting access to the service to only certain IPs?

- Sergio

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
behalf of Zembower, Kevin
Sent: Wednesday, July 09, 2008 11:56
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way to
deliberately create a slow response to an SSH request? I'm annoyed at the
large number of distributed SSH brute-force attacks on a server I
administer, trying to guess the password for 'root' and other accounts.
I think that my server is pretty secure; it doesn't allow root to log in
through SSH, and only a restricted number of accounts are allowed SSH access,
with I think pretty good passwords. But still, the attempts annoy me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure OpenSSH to do
this? I searched the archives of this group with 'slow' and 'delay'
but didn't come up with anything on this topic. Please point it out to me if
I overlooked anything. In addition, I can limit the number of SSH
connections to 3-5 and still operate okay.

Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL
ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

Thanks in advance for your advice and suggestions.


Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
