sshd exponential backoff patch
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Wed Jan 28 11:59:44 EST 2009
On 2009-01-26 16:32, Bob Proulx wrote:
> I read "hundreds of login attempts" in order to brute force a
> password. But it actually takes orders of magnitude more to brute
> force attack a password. This is okay. You really do want the best
> attack available to be a brute force attack. The present safeguards
> will prevent the attack from succeeding before the end of time.
If that were true, password guessing attacks against sshd wouldn't
happen all the freakin' time (q.v.).
> Avoiding passwords entirely and using rsa pub keys instead also avoids
> the issue. That is a good security measure.
Yes it is. It would be nice if one could then also get sshd to shut up
about all the password guessing attacks that write all over your logs,
even when PasswordAuthentication is set to "no":
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
aleb from xxx.xxx.xxx.xxx port yyyyy ssh2
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
bianca from xxx.xxx.xxx.xxx port yyyyy ssh2
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
bianca123 from xxx.xxx.xxx.xxx port yyyyy ssh2
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
bianca321 from xxx.xxx.xxx.xxx port yyyyy ssh2
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
abcde from xxx.xxx.xxx.xxx port yyyyy ssh2
Aug 9 15:57:41 brillig sshd[26058]: Failed password for illegal user
abcd from xxx.xxx.xxx.xxx port yyyyy ssh2
... etc, etc, etc.
> I think it would be an interesting whitehat project to build an attack
> program against ssh using a password guesser. Then people who fear
There are already such programs in wide circulation. If you want one,
just set up a box on the 'Net with an account oh, say, "bianca" with
password "bianca", wait a couple of weeks, and then look around the
filesystem until you find the ssh brute-force password guessing program
your new friend is now running on your box.
> that ssh passwords can be guessed too easily can play with it and be
> assured that a successful brute force attack against ssh by password
> guessing is actually quite difficult.
Unfortunately, it isn't difficult at all. As another already pointed
out, people commonly choose crappy passwords and in a lot of
environments this is difficult for admins to prevent. Admins also set up
temporary accounts with crappy passwords and then forget to disable
them. It happens all the time.
I'm not saying exponential backoff is necessarily a great solution. But
this is a real problem, and there are other related problems that could
be solved as well (e.g. the aforementioned log blathering).
--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
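An added example, not code from this thread or from OpenSSH: it parses "Failed password" lines of the shape quoted above, groups them per source address, flags a host that cycles through many usernames in a short window, and computes the per-attempt delay an exponential backoff of the kind under discussion would impose. The sample lines, the documentation-range addresses, and the base/cap delay values are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on those quoted in the message; 192.0.2.0/24
# and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug  9 15:57:41 brillig sshd[26058]: Failed password for illegal user aleb from 192.0.2.10 port 40121 ssh2
Aug  9 15:57:41 brillig sshd[26058]: Failed password for illegal user bianca from 192.0.2.10 port 40121 ssh2
Aug  9 15:57:42 brillig sshd[26058]: Failed password for illegal user bianca123 from 192.0.2.10 port 40121 ssh2
Aug  9 15:57:42 brillig sshd[26058]: Failed password for illegal user bianca321 from 192.0.2.10 port 40121 ssh2
Aug  9 15:58:02 brillig sshd[26070]: Failed password for illegal user abcde from 192.0.2.10 port 40130 ssh2
Aug  9 16:01:15 brillig sshd[26101]: Failed password for jogata from 198.51.100.7 port 51000 ssh2
Aug  9 16:01:20 brillig sshd[26101]: Accepted publickey for jogata from 198.51.100.7 port 51000 ssh2
"""

# Older sshd logs say "illegal user", newer ones "invalid user"; accept both.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def summarize(log_text, year=2009):
    """Group 'Failed password' lines by source address. Syslog lines carry no
    year, so one is supplied to build comparable datetimes."""
    per_src = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = per_src.setdefault(
            m["src"], {"attempts": 0, "users": set(), "first": ts, "last": ts})
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return per_src

def flag_sources(per_src, threshold=5, window_s=60):
    """Sources with >= threshold failures within window_s seconds: the
    many-usernames-from-one-host pattern the thread complains about."""
    return sorted(src for src, r in per_src.items()
                  if r["attempts"] >= threshold
                  and (r["last"] - r["first"]).total_seconds() <= window_s)

def backoff_delay(failures, base_s=1.0, cap_s=60.0):
    """Delay before answering the next attempt under exponential backoff:
    doubles per consecutive failure, capped so a guesser can't lock out users."""
    return 0.0 if failures < 1 else min(cap_s, base_s * 2 ** (failures - 1))
```

With PasswordAuthentication off these lines are pure noise for the target host, but the same summary is still the cheapest way to see which sources are hammering it.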