
List:       secure-shell
Subject:    RE: a GOOD idea to harden OpenSSH!
From:       "Ward, Jon" <Jon_Ward () syntelinc ! com>
Date:       2011-03-31 19:39:50
Message-ID: 7F3F6B512AF9414789943E9CD953BFF1022BB7E9 () crycorexch01 ! syntelorg ! com

1.) Great idea.
2.) This could be a massive impediment to legitimate automated connections.  Part of a process that would make large numbers of connections per unit of time will be slowed unnecessarily.
3.) There are similar techniques implemented in many of today's authentication mechanisms, but they only slow the retries after the first attempt fails.  This effectively remedies the above problem while still accomplishing the goal.


Jon Ward, CEPT, CISA
Vulnerability Testing Technical Lead
Syntel, Inc.
Jon_Ward@syntelinc.com




-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of nagygabor88
Sent: Wednesday, March 30, 2011 2:20 PM
To: OpenSSH list
Subject: a GOOD idea to harden OpenSSH!

I'm writing here, because the ssh dev list says: 

Mail Delivery Status Notification (Delay) 
[Status: Error, Address: <openssh-unix-dev@mindrot.org>, ResponseCode 451, Temporary failure, please try again later.]

So: 

What is your opinion about the following idea? Please write down ++/-- thoughts:

It's against brute-force attacks on sshd:

If a user wants to connect to an ssh server, then he has to wait a couple of seconds, then he can write his passphrase.  The "couple of seconds" is defined in the sshd config, e.g. 2 seconds.  The method mustn't show that the user has to wait 2 seconds to write his passphrase.

Important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!

Effect:

In this way, if a brute force "robot" comes and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok.  BUT: the sshd will only give back that the password is bad, because it only processes the password that has been typed 2 seconds after "type your password" appears on the client side.

If this idea would spread, then the attackers would "adapt" and wait e.g. 5 seconds before their robot gives the generated password to sshd.  BUT: this will take them too much resources, and the brute-force will be far less effective.

So can this be a feature in sshd? :O

What do you think? 

Thank you! 
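The two policies discussed in this thread can be compared side by side in a small simulation. The following is an added example, not code from OpenSSH or from either poster: it models the proposed fixed pre-authentication delay against the failure-triggered backoff Jon Ward describes in point 3, and totals the delay each policy imposes on a constructed batch of legitimate automated logins and on a constructed run of failed guesses from one source. The class names, the constructed source addresses, and the backoff parameters (1 second base, doubling, capped at 30 seconds) are assumptions chosen for the illustration; no real sleeping is done, the policies only return the delay a daemon would apply.

```python
from collections import defaultdict


class FixedPreAuthDelay:
    """The proposal from the original post: every connection, successful or not,
    is held for a fixed number of seconds before its input is processed."""

    def __init__(self, delay=2.0):
        self.delay = delay

    def delay_for(self, source, success):
        # Delay is independent of who is connecting and of their history.
        return self.delay


class FailureBackoff:
    """Jon Ward's point 3: the first attempt from a source is not delayed;
    each failed attempt from that source makes the next one wait longer
    (exponential backoff, capped), and a success resets the counter.
    Per-source tracking here is an assumption of this example."""

    def __init__(self, base=1.0, cap=30.0):
        self.base = base
        self.cap = cap
        self.failures = defaultdict(int)

    def delay_for(self, source, success):
        n = self.failures[source]
        # No penalty until at least one failure has been recorded for this source.
        delay = 0.0 if n == 0 else min(self.cap, self.base * 2 ** (n - 1))
        if success:
            self.failures[source] = 0
        else:
            self.failures[source] += 1
        return delay


def simulate(policy, attempts):
    """Total delay (seconds) a policy would impose on a sequence of
    (source, success) login attempts."""
    return sum(policy.delay_for(source, ok) for source, ok in attempts)


def run_demo():
    """Constructed workload: 100 successful logins from an automation host
    and 20 consecutive failed guesses from a single other source."""
    legitimate = [("10.0.0.5", True)] * 100      # constructed address
    attacker = [("203.0.113.9", False)] * 20     # constructed address (TEST-NET-3)

    results = {}
    for name, factory in (("fixed", FixedPreAuthDelay), ("backoff", FailureBackoff)):
        results[name] = {
            "legitimate": simulate(factory(), legitimate),
            "attacker": simulate(factory(), attacker),
        }
    return results


if __name__ == "__main__":
    for name, totals in run_demo().items():
        print(f"{name:8s} legitimate={totals['legitimate']:7.1f}s "
              f"attacker={totals['attacker']:7.1f}s")
```

Running it shows the trade-off the reply raises: the fixed policy charges the 100 legitimate logins 200 seconds in total while the 20 guesses cost only 40, whereas the backoff policy charges the legitimate batch nothing and the guessing source 451 seconds, with the 30-second cap making later guesses progressively more expensive.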

