List: secure-shell
Subject: RE: a GOOD idea to harden OpenSSH!
From: "Ward, Jon" <Jon_Ward () syntelinc ! com>
Date: 2011-03-31 19:39:50
Message-ID: 7F3F6B512AF9414789943E9CD953BFF1022BB7E9 () crycorexch01 ! syntelorg ! com
1.) Great idea.
2.) This could be a massive impediment to legitimate automated connections. Part of a process that would make large numbers of connections per unit of time will be slowed unnecessarily.
3.) There are similar techniques implemented in many of today's authentication mechanisms, but they only slow the retries after the first attempt fails. This effectively remedies the above problem while still accomplishing the goal.
Jon Ward, CEPT, CISA
Vulnerability Testing Technical Lead
Syntel, Inc.
Jon_Ward@syntelinc.com
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of nagygabor88
Sent: Wednesday, March 30, 2011 2:20 PM
To: OpenSSH list
Subject: a GOOD idea to harden OpenSSH!
I'm writing here, because the ssh dev list says:
Mail Delivery Status Notification (Delay)
[Status: Error, Address: <openssh-unix-dev@mindrot.org>, ResponseCode 451, Temporary failure, please try again later.]
So:
What is your opinion about the following idea? Please write down ++/-- thoughts:
it's against brute-force attacks on sshd:
if a user wants to connect to an ssh server then he has to wait a couple of seconds, then he can type his passphrase. The "couple of seconds" is defined in the sshd config, e.g.: 2 seconds. The method mustn't show that the user has to wait 2 seconds to type his passphrase.
important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!
effect:
in this way, if a brute force "robot" comes, and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok.
BUT: the sshd will only give back that the password is bad - because it only processes the password that has been typed 2 seconds after the "type your password" prompt appears on the client side.
if this idea were to spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too many resources, and the brute-force will be far less effective.
so can this be a feature in sshd? :O
What do you think?
Thank you!
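As an added illustration, not code from this thread or from OpenSSH, here is a small Python model that contrasts the two policies discussed above: the fixed pre-authentication delay from the original post, where anything typed before the delay elapses is discarded, and the failure-triggered backoff Jon describes in point 3, where a first attempt costs nothing and only repeated failures from the same source are slowed. The gate classes, the credential store, the client "sources", the timings and the simulated clock are all constructed for the example; nothing here touches sshd.

```python
"""Added model (not thread or OpenSSH code): compare a fixed pre-auth delay
with a failure-triggered, per-source exponential backoff.  The clock,
credential store and client workloads are all constructed for illustration."""
from dataclasses import dataclass, field
import hmac

# Constructed demo credential store: username -> password (plaintext only for the demo).
CREDENTIALS = {"alice": "correct horse battery staple"}


def password_ok(user: str, password: str) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing via timing."""
    expected = CREDENTIALS.get(user, "")
    return user in CREDENTIALS and hmac.compare_digest(expected, password)


@dataclass
class PreAuthDelayGate:
    """Original proposal: every login waits `delay` seconds after the prompt;
    anything the client sends before that point is silently discarded."""
    delay: float = 2.0

    def attempt(self, source, user, password, now, typed_after):
        # typed_after: seconds between the prompt and the client sending the password.
        accepted = typed_after >= self.delay and password_ok(user, password)
        return accepted, self.delay          # the delay is paid by every client


@dataclass
class BackoffGate:
    """Jon's point 3: a first attempt costs nothing; each failure from the same
    source doubles the wait before its next attempt is processed, up to `cap`."""
    base: float = 1.0
    cap: float = 32.0
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def attempt(self, source, user, password, now, typed_after=0.0):
        if now < self.blocked_until.get(source, 0.0):
            # Still inside the penalty window: do not even evaluate the password.
            return False, self.blocked_until[source] - now
        if password_ok(user, password):
            self.failures.pop(source, None)
            self.blocked_until.pop(source, None)
            return True, 0.0
        n = self.failures[source] = self.failures.get(source, 0) + 1
        wait = min(self.base * 2 ** (n - 1), self.cap)
        self.blocked_until[source] = now + wait
        return False, wait


def run(gate, attempts):
    """Replay (source, user, password, typed_after) tuples against a gate on a
    simulated clock.  Returns (successful logins, total seconds of imposed delay)."""
    now = successes = imposed = 0.0
    for source, user, password, typed_after in attempts:
        ok, wait = gate.attempt(source, user, password, now, typed_after)
        successes += ok
        imposed += wait
        now += max(wait, typed_after)    # client honours the wait before its next try
    return int(successes), imposed


# Constructed workloads: a legitimate batch job (fast and patient variants)
# and ten wrong guesses from a single source that waits 5 s per attempt.
LEGIT_FAST = [("build-server", "alice", "correct horse battery staple", 0.1)] * 100
LEGIT_PATIENT = [("build-server", "alice", "correct horse battery staple", 2.5)] * 100
WRONG_GUESSES = [("scanner", "alice", f"wrong-{i}", 5.0) for i in range(10)]

if __name__ == "__main__":
    for name, load in [("fast batch", LEGIT_FAST), ("patient batch", LEGIT_PATIENT),
                       ("10 wrong guesses", WRONG_GUESSES)]:
        print(f"{name:17} pre-auth delay: {run(PreAuthDelayGate(), load)}"
              f"   backoff: {run(BackoffGate(), load)}")
```

Run stand-alone, the model makes Jon's trade-off concrete: the fixed delay charges the 100-connection batch job 200 s of waiting (and, if the client has not been adapted to pause, rejects every one of its logins because its input arrives too early), while the backoff charges it nothing. Ten wrong guesses, by contrast, cost only 20 s under the fixed delay once the guesser waits it out, but 191 s under the doubling backoff. The per-source bookkeeping is what lets the backoff leave well-behaved clients alone; in a real deployment that table needs a bound and an expiry so it cannot itself become a resource sink.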