sshd exponential backoff patch
Gert Doering
gert at greenie.muc.de
Sun Feb 1 00:48:04 EST 2009
Hi,
On Mon, Jan 26, 2009 at 09:32:43AM -0700, Bob Proulx wrote:
> Sam Watkins wrote:
> > I wrote a patch to openssh sshd.c which enables "exponential backoff",
> > so that an attacker cannot brute force your password by making hundreds
> > of login attempts.
>
> I read "hundreds of login attempts" in order to brute force a
> password. But it actually takes orders of magnitude more to brute
> force attack a password. This is okay. You really do want the best
> attack available to be a brute force attack. The present safeguards
> will prevent the attack from succeeding before the end of time.
The problem is that people still pick poor passwords. So the attacker
might not have to test (70^8) combinations (lower+uppercase+digits+
few special characters, 8 of them long) but might succeed after a few
hundred probes.
... and slowing down attackers might actually help things here.
(I use fail2ban for that, which works quite well)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
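The following is an added illustration, not part of the thread and not Sam Watkins' patch or fail2ban code: a per-source exponential backoff policy of the kind the thread discusses, simulated in Python to show how few guesses a password guesser actually gets checked once delays double after every failure. The base delay, the cap, the reset interval and the source address are all assumed values chosen for the demonstration.

```python
"""Added example (not code from the thread): simulate per-source exponential
backoff for failed logins and count how many guesses actually get evaluated.
All numbers below are assumptions picked for illustration."""
from collections import defaultdict

BASE_DELAY = 1.0       # seconds to wait after the first failure (assumed)
MAX_DELAY = 3600.0     # cap so the delay cannot grow without bound (assumed)
FORGET_AFTER = 86400.0 # seconds of quiet before a source's counter resets (assumed)
SOURCE = "192.0.2.10"  # documentation-range address used as the constructed attacker


class BackoffPolicy:
    """Track consecutive failures per source address and refuse attempts that
    arrive before the source's backoff window has expired. Keying on the
    source, not the connection, matters: a sleep inside one connection is
    sidestepped by simply opening many connections in parallel."""

    def __init__(self, base=BASE_DELAY, cap=MAX_DELAY, forget_after=FORGET_AFTER):
        self.base = base
        self.cap = cap
        self.forget_after = forget_after
        self.failures = defaultdict(int)      # source -> consecutive failures
        self.not_before = defaultdict(float)  # source -> earliest accepted time
        self.last_seen = {}                   # source -> time of last attempt

    def delay_for(self, failures):
        """Delay imposed after the n-th consecutive failure: base * 2**(n-1), capped."""
        if failures == 0:
            return 0.0
        return min(self.cap, self.base * 2 ** (failures - 1))

    def attempt(self, source, now, success):
        """Return True if the attempt is evaluated, False if refused because the
        source is still inside its backoff window (the password is not checked)."""
        last = self.last_seen.get(source)
        if last is not None and now - last > self.forget_after:
            self.failures[source] = 0          # quiet long enough: start over
            self.not_before[source] = 0.0
        self.last_seen[source] = now
        if now < self.not_before[source]:
            return False
        if success:
            self.failures[source] = 0          # a real login clears the counter
            self.not_before[source] = 0.0
            return True
        self.failures[source] += 1
        self.not_before[source] = now + self.delay_for(self.failures[source])
        return True


def checked_probes(window, interval, policy=None):
    """Guesses actually evaluated when one source fires a guess every `interval`
    seconds for `window` seconds. With policy=None there is no backoff at all."""
    checked = 0
    t = 0.0
    while t < window:
        if policy is None or policy.attempt(SOURCE, t, success=False):
            checked += 1
        t += interval
    return checked


def time_to_check_n_probes(policy, n):
    """Earliest time (seconds) at which the n-th guess from one source is
    evaluated, assuming the guesser retries the instant its backoff expires."""
    t = 0.0
    last_checked = 0.0
    for _ in range(n):
        if not policy.attempt(SOURCE, t, success=False):
            raise RuntimeError("retry was scheduled exactly at not_before; should be accepted")
        last_checked = t
        t = policy.not_before[SOURCE]
    return last_checked


if __name__ == "__main__":
    print("guesses checked in 10 minutes, no backoff:  ", checked_probes(600, 1.0))
    print("guesses checked in 10 minutes, with backoff:", checked_probes(600, 1.0, BackoffPolicy()))
    hours = time_to_check_n_probes(BackoffPolicy(), 300) / 3600
    print("time until 300 guesses are checked with backoff: %.1f hours" % hours)
```

With a one-second guess rate, the simulation evaluates 600 guesses in ten minutes without backoff but only 10 with it, and the "few hundred probes" the thread mentions stretch to roughly twelve days once the delay hits the one-hour cap. The cap and the reset interval are the knobs to tune: too aggressive and a forgetful legitimate user behind the same NAT is locked out alongside the guesser, which is the same trade-off fail2ban's ban time embodies.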