Re: bruteforce ssh
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 10/27/05
- Next message: Simon Tatham: "Re: wrong authentication protocol attempted"
- Previous message: Mark Rafn: "Re: bruteforce ssh"
- In reply to: Mark Rafn: "Re: bruteforce ssh"
- Next in thread: Wolfgang Meiners: "Re: bruteforce ssh"
Date: 27 Oct 2005 02:02:18 GMT
dagon@dagon.net (Mark Rafn) writes:
>David <shadoweyez@hotpop.com> wrote:
>>now) and the problem is that the attackers will usually change IP
>>address frequently making the filtering approach useful, but somewhat
>>marginal.
>Indeed. It's VERY hard to combat a distributed dictionary attack.
>>On my ssh server I use non-standard user names, deny root login, and use
>>strong passwords, which will keep the automated-dictionary-list script
>>kiddies out.
>Disallowing password auth entirely, and using only RSA authentication can work
>too. Is it possible to use different options based on incoming IP address?
>It would be great to allow password auth and root logins from some IP
>addresses, but limit logins to certain users using only RSA keys from
>everywhere else.
>>I think the long term solution to this problem involves some sort of
>>built-in mechanism to sshd that would allow exponential-retry login
>>times
>The problem is that it turns a failing dictionary attack into a successful
>denial attack. The bad guys can't try many passwords, but you can't log in
>either!
Of course you could have the exponential retry be source-dependent. Thus IF
you were trying to log in from the same IP that the attacker was using,
then you would have trouble. The question is whether that would be a likely
scenario even given the spoofing problems.
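
The source-dependent exponential retry discussed in this message, sketched as an added example that is not part of the original thread and is not sshd code. The class `SourceBackoff`, its parameters, and the sample addresses are hypothetical and constructed for illustration; IPv6 sources are grouped by /64 as an assumption.

```python
import ipaddress


class SourceBackoff:
    """Per-source exponential login delay (hypothetical helper, not sshd code)."""

    def __init__(self, base=1.0, cap=3600.0, v4_prefix=32, v6_prefix=64):
        self.base, self.cap = base, cap
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        # source key -> (consecutive failures, time the next attempt is allowed)
        self._state = {}

    def _key(self, addr):
        # Normalise the peer address to a network so one IPv6 host cannot
        # dodge the penalty by rotating through addresses in its own /64.
        ip = ipaddress.ip_address(addr)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def wait_needed(self, addr, now):
        """Seconds this source must still wait before an attempt is accepted."""
        _, not_before = self._state.get(self._key(addr), (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, addr, now):
        key = self._key(addr)
        failures = self._state.get(key, (0, 0.0))[0] + 1
        # Delay doubles per consecutive failure; exponent and delay are capped.
        delay = min(self.cap, self.base * 2 ** min(failures - 1, 32))
        self._state[key] = (failures, now + delay)
        return delay

    def record_success(self, addr):
        # A successful login clears the penalty for that source only.
        self._state.pop(self._key(addr), None)


def simulate():
    # Constructed sample: one source guessing passwords, one user elsewhere.
    guard = SourceBackoff(base=1.0, cap=3600.0)
    attacker, user = "203.0.113.7", "198.51.100.20"
    now, delays = 0.0, []
    for _ in range(6):
        now += guard.wait_needed(attacker, now)  # guesser waits out each penalty
        delays.append(guard.record_failure(attacker, now))
    return delays, guard.wait_needed(attacker, now), guard.wait_needed(user, now)


if __name__ == "__main__":
    print(simulate())
```

Because the penalty is keyed on the source, it does nothing against the distributed attack described earlier in the thread, where each address makes only a few attempts. A real deployment would also expire idle entries so the state table cannot grow without bound.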