Re: bruteforce ssh
From: Mark Rafn (dagon_at_dagon.net)
Date: 10/27/05
- Previous message: Jack Patteeuw: "wrong authentication protocol attempted"
- In reply to: David: "Re: bruteforce ssh"
- Next in thread: Unruh: "Re: bruteforce ssh"
- Reply: Unruh: "Re: bruteforce ssh"
Date: Wed, 26 Oct 2005 17:45:28 -0700
David <shadoweyez@hotpop.com> wrote:
>now) and the problem is that the attackers will usually change IP
>address frequently making the filtering approach useful, but somewhat
>marginal.
Indeed. It's VERY hard to combat a distributed dictionary attack.
>On my ssh server I use non-standard user names, deny root login, and use
>strong passwords, which will keep the automated-dictionary-list script
>kiddies out.
Disallowing password auth entirely, and using only RSA authentication can work
too. Is it possible to use different options based on incoming IP address?
It would be great to allow password auth and root logins from some IP
addresses, but limit logins to certain users using only RSA keys from
everywhere else.
>I think the long term solution to this problem involves some sort of
>built-in mechanism to sshd that would allow exponential-retry login
>times
The problem is that it turns a failing dictionary attack into a successful
denial attack. The bad guys can't try many passwords, but you can't log in
either!
-- Mark Rafn dagon@dagon.net <http://www.dagon.net/>
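The per-source-address policy Mark asks about (password auth and root from a few trusted addresses, key-only logins for a short list of users from everywhere else) is exactly what the sshd_config Match keyword does. Match was added in OpenSSH 4.4 (released in 2006, after this thread), so it was not available when the question was asked. The fragment below is an added example, not from the original post or from the OpenSSH project; the 192.0.2.0/24 network and the user names alice and bob are assumptions for illustration.

```sshd_config
# Added example (not from the original post): sshd_config using Match to
# apply different authentication options by client address.
# Requires OpenSSH 4.4 or later. Addresses and user names are assumed.

# Global defaults apply to every client that does not hit a Match block:
# public-key only, no root, and only the listed accounts may log in.
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
# With UsePAM, keyboard-interactive can still offer a password prompt,
# so it has to be switched off as well for "no passwords" to hold.
ChallengeResponseAuthentication no
PermitRootLogin no
# alice and bob may log in from anywhere (with keys, per the settings above);
# root is accepted only when the connection comes from the trusted network.
AllowUsers alice bob root@192.0.2.*

# Trusted management network (assumed 192.0.2.0/24): relax the defaults.
# Everything below a Match line stays in effect until the next Match or EOF,
# so keep Match blocks at the end of the file.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    PermitRootLogin yes
```

To confirm which settings a given peer would actually get, run `sshd -t` to check the syntax and `sshd -T -C user=root,host=mgmt.example.net,addr=192.0.2.10` (extended test mode, OpenSSH 5.1 and later) to print the effective configuration for that connection; repeat with an address outside the range to verify that PasswordAuthentication and PermitRootLogin fall back to no. One caveat a practitioner should keep in mind: Match Address trusts the peer's source address, so any host sharing that address range (a NAT gateway, a VPN pool) inherits the relaxed policy, and the trusted network should be kept as small as the operational need allows.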