Re: OpenSSH - Dictionary Attacks

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 05/29/05

  • Next message: Nico Kadel-Garcia: "Re: recursive ssh invocation"
    Date: 29 May 2005 03:52:42 GMT
    
    

    On 2005-05-29, Unruh <unruh-spam@physics.ubc.ca> wrote:
    > Darren Tucker <dtucker@gate.dodgy.net.au> writes:
    [among other things]
    >>* If you have built sshd to use PAM, one option is to use pam_abl to
    >>blacklist source IP addresses after N bad login attempts:
    >> http://www.hexten.net/sw/pam_abl/index.mhtml
    >
    > OOO, good. Now the outsiders spoof your own addresses and cause ssh to
    > block your own logins.

    Sure, but they have to spoof not only a TCP handshake but an SSH key
    exchange and auth request. If you have an outsider with that much control
    over your routing then DoS lockouts are the least of your problems.

    Anyway, I pointed out the risk of false-positive lockouts in the part you
    snipped.

    > Useful. This is cure worse than the disease.

    Maybe. Like most things in security, it's a tradeoff: you're trading off
    a reduced risk of someone successfully guessing a password against an
    increased risk of a false positive and DoS due to lockout.

    Is this a good tradeoff in your environment? Apparently not.

    Is it a good tradeoff in mine? No, I have a very small user population
    and only allow key-based authentication from off-site, so I don't do it.

    Is it a good tradeoff in the original poster's? I dunno, but the OP is
    is in the best position to make that judgement.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
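The thread above weighs blacklisting source addresses after N failed logins against the risk of locking out your own users. As an added example (not part of Darren's post and not pam_abl's code), the POSIX shell/awk script below shows the counting side of that tradeoff over constructed sshd log lines: it tallies "Failed password" lines per source address, reports the addresses that reach a threshold, and skips an allowlist of addresses whose lockout would hurt more than the attack. The log lines, the threshold of 3, and the addresses are all constructed for illustration; pam_abl keeps its own database and applies the block inside the PAM stack, which this script does not attempt.

```shell
#!/bin/sh
# Added example: count failed sshd password logins per source address
# from constructed syslog lines and print the addresses that reach a
# threshold, skipping an allowlist. Not pam_abl's code; pam_abl keeps
# its own database and blocks inside the PAM stack.

# Constructed sample auth log lines (not from a real host). Note the one
# "Accepted publickey" line: key-based logins are not counted at all.
SAMPLE_LOG='May 29 03:10:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
May 29 03:10:03 host sshd[2102]: Failed password for invalid user test from 198.51.100.7 port 40123 ssh2
May 29 03:10:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 40124 ssh2
May 29 03:10:09 host sshd[2104]: Failed password for invalid user oracle from 198.51.100.7 port 40125 ssh2
May 29 03:11:40 host sshd[2110]: Failed password for alice from 192.0.2.15 port 51000 ssh2
May 29 03:11:44 host sshd[2111]: Failed password for alice from 192.0.2.15 port 51001 ssh2
May 29 03:11:50 host sshd[2112]: Failed password for alice from 192.0.2.15 port 51002 ssh2
May 29 03:11:55 host sshd[2113]: Accepted publickey for alice from 192.0.2.15 port 51003 ssh2
May 29 03:12:30 host sshd[2120]: Failed password for invalid user guest from 203.0.113.9 port 33000 ssh2'

# failed_sources THRESHOLD ALLOWLIST
# Reads sshd log lines on stdin and prints "count address" for every
# source that failed a password login at least THRESHOLD times, unless
# the address is in the space-separated ALLOWLIST. Output is sorted by
# address so the result is stable.
failed_sources() {
    threshold=$1
    allow=$2
    awk -v threshold="$threshold" -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) skip[a[i]] = 1
        }
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the token after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in skip))
                    printf "%d %s\n", fails[ip], ip
        }' | sort -k2
}

# Usage: flag 198.51.100.7 after 3 failures, but never 192.0.2.15 (an
# assumed on-site address) whose user mistyped her password three times
# and would otherwise have locked herself out. Prints: 4 198.51.100.7
printf '%s\n' "$SAMPLE_LOG" | failed_sources 3 "192.0.2.15"
```

Run with an empty allowlist and 192.0.2.15 shows up too, which is exactly the false-positive lockout the thread is arguing about; the allowlist is the minimum a site with on-site password users would want before enabling an automatic block.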
    
