[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass)
From: Dirk-Willem van Gulik <dirkx () webweaving ! org>
Date: 2015-07-20 8:24:08
Message-ID: 1C77EA92-5D2D-4C0E-942F-645A9EC3889B () webweaving ! org
[Download RAW message or body]
> On 18 Jul 2015, at 23:23, Reed Loden <reed@reedloden.com> wrote:
>
> On Friday, July 17, 2015, <devel@roosoft.ltd.uk> wrote:
>
> > Do you know if this is still affected if you have fail2ban in place.
> > Fail2ban uses the auth logs to monitor failed password attempts. I
> > assume that the auth log is still updated even if x number of attempts
> > is allowed. Thanks
>
>
>
> http://www.reddit.com/r/netsec/comments/3dnzcq/openssh_keyboardinteractive_authentication_brute/ct726ni
> goes over this question pretty well, so as not to rehash everything.
Arguably the question then should be to have a MaxChallengeTries as an analog of MaxAuthTries - \
and perhaps by default set MaxChallengeTries to the same (sane) value of MaxAuthTries.
Dw.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic