RE: Deliberately create slow SSH response?



I think you misunderstood how my suggesting differs from Kevin's. I
wish I had more time and I would just write the patch myself... here's
the idea...

sample sshd.conf

# enable bad IP penalty box
penalty_box = yes

# 3 bad attempts within 60 seconds places the offending IP address
# in a penalty box
penalty_attempts = 3
penalty_window = 60

# login delay for IP address in penalty box (in seconds)
penalty_delay = 30

# how long an IP address stays in the penalty box (in minutes)
# the timer would be reset every time there is an invalid attempt.
# a value of 0 means the IP address stays in the penalty box permanently
# until a valid login is supplied. valid logins would always remove an
# IP address from the penalty box
penalty_timeout = 5

# add an extra 5 seconds to the penalty_delay for each subsequent
# invalid login
penalty_delay_perturb = 5


I've never looked at the source, but I can't imagine this being much
more difficult that a simple structure and a linked-list.

Bryan


On Thu, 2008-07-10 at 19:16 +0000, Sergio Castro wrote:
I'm sorry Bryan, this thread is getting confusing.
What do I mean about what?

-----Mensaje original-----
De: Bryan Christ [mailto:bryan.christ@xxxxxx]
Enviado el: Jueves, 10 de Julio de 2008 02:17 p.m.
Para: Sergio Castro
Asunto: RE: Deliberately create slow SSH response?

What do you mean?

On Thu, 2008-07-10 at 19:12 +0000, Sergio Castro wrote:
So there you go, then IP filtering is not an option.

-----Mensaje original-----
De: Bryan Christ [mailto:bryan.christ@xxxxxx] Enviado el: Jueves, 10
de Julio de 2008 02:10 p.m.
Para: Sergio Castro
CC: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
Asunto: RE: Deliberately create slow SSH response?

Unfortunately, I never know exactly where I'll be logging in from and
maintaining a blacklist/whitelist is tiresome. As for moving the port
(another suggestion I saw) that's not really a possibility for me
either because some of the remote locations I shell in from don't
allow traffic out non-standard ports.

On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
Indeed, I agree.
The point I'm trying to convey is that if the objective is to reduce
the chance of an attack getting through, and given the fact that the
service is SSH, then a better solution may be to limit access to
trusted
IPs.
That's all I'm saying :)

-----Mensaje original-----
De: Bryan Christ [mailto:bryan.christ@xxxxxx] Enviado el: Jueves, 10
de Julio de 2008 01:51 p.m.
Para: Sergio Castro
CC: 'Zembower, Kevin'; secureshell@xxxxxxxxxxxxxxxxx
Asunto: RE: Deliberately create slow SSH response?

Sergio,

I think Kevin and I realize that dictionary attacks are automated,
but a 30-60 second delay would significantly slow them down to the
point where it could hardly be called a brute force attack.

On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
The brute force attacks are most likely automated, so if your
objective is to bore a human to death with 30 second delays, it wont'
work.

Have you thought about limiting access to the service to only
certain
IPs?

- Sergio

-----Mensaje original-----
De: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de
2008 11:56 a.m.
Para: secureshell@xxxxxxxxxxxxxxxxx
Asunto: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way
to deliberately create a slow response to an SSH request? I'm
annoyed at the large number of distributed SSH brute-force attacks
on a server I administer, trying to guess the password for 'root'
and
other accounts.
I think that my server is pretty secure; doesn't allow root to log
in through SSH, only a restricted number of accounts are allowed
SSH access, with I think pretty good passwords. But still, the
attempts annoy
me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure
OpenSSH to do this? I searched the archives of this group with
'slow' and
'delay'
but didn't come up with anything on this topic. Please point it
out to me if I overlooked anything. In addition, I can limit the
number of SSH connections to 3-5 and still operate okay.

Ultimately, I need this solution for hosts running OpenSSH_3.9p1
under RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and
Fedora
Core 6.

Thanks in advance for your advice and suggestions.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139


__________ NOD32 3255 (20080709) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com




__________ NOD32 3257 (20080710) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com




__________ NOD32 3257 (20080710) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com




__________ NOD32 3257 (20080710) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com





Relevant Pages