sshd exponential backoff patch

Bob Proulx bob at proulx.com
Thu Jan 29 08:52:01 EST 2009


Jefferson Ogata wrote:
> Bob Proulx wrote:
> > I read "hundreds of login attempts" in order to brute force a
> > password.  But it actually takes orders of magnitude more to brute
> > force attack a password.  This is okay.  You really do want the best
> > attack available to be a brute force attack.  The present safeguards
> > will prevent the attack from succeeding before the end of time.
> 
> If that were true, password guessing attacks against sshd wouldn't 
> happen all the freakin' time (q.v.).

Yes, they would.  The cost structure is similar to the one for spam.
It doesn't cost anything to be annoying.  Script kiddies do it just to
do it.  As long as the appearance of anonymity exists and there is no
punishment, it will continue.

> It would be nice if one could then also get sshd to shut up about
> all the password guessing attacks that write all over your logs,
> even when PasswordAuthentication is set to "no":

That sounds like a valid issue.  A different separate issue but quite
valid.  I would bet something there could be improved.

> > I think it would be an interesting whitehat project to build an attack
> > program against ssh using a password guesser.  Then people who fear
> 
> There are already such programs in wide circulation. If you want one, 
> just set up a box on the 'Net with an account oh, say, "bianca" with 
> password "bianca", wait a couple of weeks, and then look around the 
> filesystem until you find the ssh brute-force password guessing program 
> your new friend is now running on your box.
...in the next mail...
> I should clarify: I'm really talking about dictionary attacks, not
> pure brute force.

I am definitely talking about brute force password guessing attacks.
If you have passwords that can be guessed from a dictionary attack
then you have serious problems.  But it is a different serious problem
from the one we were talking about.

Your example of a user with the same password might actually be
guessed on the very first attempt!  I know you were making an extreme
example, but again that is a different problem, and although rate-limit
blocking will help, it won't completely fix the problem.  It is a
whitewash at best.

> Unfortunately, it isn't difficult at all. As another already pointed 
> out, people commonly choose crappy passwords and in a lot of 
> environments this is difficult for admins to prevent. Admins also set up 
> temporary accounts with crappy passwords and then forget to disable 
> them. It happens all the time.

Of course you are correct.  People are the problem.  If we can remove
them from the system then everything could be perfect.  :-)

Many sites run password strength checkers such as crack to test the
strength of users' passwords when they create them.  Passwords that can
be dictionary-guessed easily are rejected.  Passwords that pass the
crack attempts are allowed.  This is a very useful password policy.

I am not inclined to try to add protection against admins.  That seems
counter productive.

> I'm not saying exponential backoff is necessarily a great solution. But 
> this is a real problem, and there are other related problems that could 
> be solved as well (e.g. the aforementioned log blathering).

The already existing 'fail2ban' solution is perfectly suited for your
example case.

Bob
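The thread argues about two things: how a fail2ban-style blocker with exponential backoff behaves against the "bianca"/"bianca" style guessing that fills sshd logs, and Bob's claim that once guessing is rate-limited the attacker simply cannot make enough attempts. The following is an added, self-contained example written for this page; it is not code from OpenSSH, fail2ban, or either poster. It assumes the standard syslog-prefixed sshd "Failed password" message format, a log year of 2009 (syslog lines carry none), and the hypothetical class and function names used below; the log lines are constructed, not taken from a real host.

```python
"""Per-source exponential backoff over sshd auth-log lines (fail2ban-style).

Added example for the thread above; not OpenSSH or fail2ban code.
Assumptions: syslog prefix "Mon DD HH:MM:SS host sshd[pid]: ...", year 2009,
and the class/function names defined here (hypothetical, for illustration).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2009  # assumption: syslog lines carry no year; use the thread's year

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user bianca from ..." as sshd logs them.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2$"
)


class BackoffBanner:
    """Count failures per source IP; each ban lasts twice as long as the last."""

    def __init__(self, maxretry=3, findtime=600, bantime=60):
        self.maxretry = maxretry                   # failures before a ban
        self.findtime = timedelta(seconds=findtime)  # window for counting them
        self.bantime = timedelta(seconds=bantime)    # first ban length
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> datetime the ban expires
        self.ban_count = defaultdict(int)  # ip -> bans issued so far
        self.bans = []                     # (ip, start, seconds), in order

    def _parse(self, line):
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["user"], m["ip"]

    def feed(self, line):
        """Return "counted", "banned", "dropped", or None for non-failure lines."""
        parsed = self._parse(line)
        if parsed is None:
            return None
        ts, _user, ip = parsed
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            # In a real deployment the firewall rule drops this before sshd
            # ever sees it, so it neither counts nor reaches the log.
            return "dropped"
        recent = [t for t in self.failures[ip] if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            n = self.ban_count[ip]
            duration = self.bantime * (2 ** n)   # 60s, 120s, 240s, ...
            self.ban_count[ip] = n + 1
            self.banned_until[ip] = ts + duration
            self.failures[ip] = []
            self.bans.append((ip, ts, int(duration.total_seconds())))
            return "banned"
        return "counted"


def attempts_within(seconds, maxretry=3, bantime=60):
    """Upper bound on guesses one source can make in `seconds` under doubling
    bans: maxretry free guesses, then bans of bantime, 2*bantime, 4*bantime ...
    (the seconds the guesses themselves take are ignored, so this is generous)."""
    bans, elapsed = 0, 0
    while elapsed + bantime * 2 ** bans <= seconds:
        elapsed += bantime * 2 ** bans
        bans += 1
    return maxretry * (bans + 1)


# Constructed sample log (not from a real host). 192.0.2.10 is the guesser;
# 198.51.100.7 is a legitimate user plus one stray failure.
SAMPLE_LOG = """\
Jan 29 08:50:01 host sshd[1201]: Failed password for invalid user bianca from 192.0.2.10 port 40001 ssh2
Jan 29 08:50:02 host sshd[1202]: Failed password for invalid user bianca from 192.0.2.10 port 40002 ssh2
Jan 29 08:50:03 host sshd[1203]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan 29 08:50:30 host sshd[1204]: Failed password for root from 192.0.2.10 port 40004 ssh2
Jan 29 08:50:31 host sshd[1205]: Accepted publickey for bob from 198.51.100.7 port 50001 ssh2
Jan 29 08:51:10 host sshd[1206]: Failed password for admin from 192.0.2.10 port 40005 ssh2
Jan 29 08:51:11 host sshd[1207]: Failed password for admin from 192.0.2.10 port 40006 ssh2
Jan 29 08:51:12 host sshd[1208]: Failed password for admin from 192.0.2.10 port 40007 ssh2
Jan 29 08:52:00 host sshd[1209]: Failed password for invalid user test from 198.51.100.7 port 50002 ssh2
Jan 29 08:53:20 host sshd[1210]: Failed password for root from 192.0.2.10 port 40008 ssh2
Jan 29 08:53:21 host sshd[1211]: Failed password for root from 192.0.2.10 port 40009 ssh2
Jan 29 08:53:22 host sshd[1212]: Failed password for root from 192.0.2.10 port 40010 ssh2
"""


def run(log_text):
    """Feed every line to a fresh banner; return (per-line verdicts, banner)."""
    banner = BackoffBanner()
    verdicts = [banner.feed(line) for line in log_text.splitlines()]
    return verdicts, banner


if __name__ == "__main__":
    verdicts, banner = run(SAMPLE_LOG)
    for line, v in zip(SAMPLE_LOG.splitlines(), verdicts):
        print(f"{v!s:8} {line}")
    for ip, start, secs in banner.bans:
        print(f"ban {ip} at {start:%H:%M:%S} for {secs}s")
    print("max guesses/source/day :", attempts_within(86400))
    print("max guesses/source/year:", attempts_within(365 * 86400))
```

Running it shows the guesser's bans growing 60s, 120s, 240s, while the single stray failure from 198.51.100.7 is merely counted, and `attempts_within` gives 33 guesses per source per day and 60 per year with these parameters, which is the arithmetic behind Bob's point that a rate-limited brute force cannot finish, and behind Jefferson's that it still catches a password that falls on the first few guesses.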


More information about the openssh-unix-dev mailing list