sshd exponential backoff patch

Chris Wilson chris at qwirx.com
Thu Jan 29 09:07:36 EST 2009


Hi Jefferson,

On Wed, 28 Jan 2009, Jefferson Ogata wrote:

> On 2009-01-26 16:32, Bob Proulx wrote:
>> I read "hundreds of login attempts" in order to brute force a
>> password.  But it actually takes orders of magnitudes more to brute
>> force attack a password.  This is okay.  You really do want the best
>> attack available to be a brute force attack.  The present safeguards
>> will prevent the attack from succeeding before the end of time.
>
> If that were true, password guessing attacks against sshd wouldn't
> happen all the freakin' time (q.v.).
>
>> Avoiding passwords entirely and using rsa pub keys instead also avoids
>> the issue.  That is a good security measure.
>
> Yes it is. It would be nice if one could then also get sshd to shut up
> about all the password guessing attacks that write all over your logs,
> even when PasswordAuthentication is set to "no":
>
> Aug  9 15:57:41 brillig sshd[26058]: Failed password for illegal user aleb from xxx.xxx.xxx.xxx port yyyyy ssh2

I always move public sshds to a non-standard port. Removes all the worm 
spam and automated brute-force attacks for me.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
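The "Failed password" lines quoted above are the raw material for spotting a guessing run even when password authentication is disabled. The following is an added example, not part of the thread or of OpenSSH itself: it parses that log format, counts failures per source address and lists the usernames each source tried, so a source crossing a threshold can be reviewed or fed to a firewall rule. The sample lines, the RFC 5737 addresses in them, the function names and the threshold value are all constructed for this example; OpenSSH of that era wrote "illegal user", later releases write "invalid user", and the pattern accepts both.

```python
import re
from collections import Counter, defaultdict

# Pattern for the sshd failure lines quoted in the thread. Older OpenSSH wrote
# "illegal user", newer versions write "invalid user"; both are accepted, and
# the user phrase is optional so failures for existing accounts match too.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample log (not taken from the original post). Addresses are from
# the RFC 5737 documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
Aug  9 15:57:41 brillig sshd[26058]: Failed password for illegal user aleb from 192.0.2.10 port 40231 ssh2
Aug  9 15:57:43 brillig sshd[26060]: Failed password for illegal user admin from 192.0.2.10 port 40235 ssh2
Aug  9 15:57:45 brillig sshd[26062]: Failed password for invalid user test from 192.0.2.10 port 40240 ssh2
Aug  9 15:57:50 brillig sshd[26065]: Failed password for root from 192.0.2.10 port 40244 ssh2
Aug  9 15:58:01 brillig sshd[26070]: Accepted publickey for chris from 192.0.2.20 port 51022 ssh2
Aug  9 15:58:12 brillig sshd[26072]: Failed password for chris from 192.0.2.20 port 51030 ssh2
Aug  9 15:58:30 brillig sshd[26075]: Did not receive identification string from 192.0.2.30
"""


def parse_failures(log_text):
    """Yield (user, source, port) for every failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src"), int(m.group("port"))


def failures_by_source(log_text):
    """Count failed password attempts per source address."""
    return Counter(src for _, src, _ in parse_failures(log_text))


def users_by_source(log_text):
    """Map each source address to the sorted list of usernames it tried."""
    users = defaultdict(set)
    for user, src, _ in parse_failures(log_text):
        users[src].add(user)
    return {src: sorted(names) for src, names in users.items()}


def brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures: candidates for review or blocking.

    The threshold is an assumed value for this example; tune it to the host's
    normal traffic so a single mistyped password is not flagged.
    """
    counts = failures_by_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    tried = users_by_source(SAMPLE_LOG)
    for src, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} failed password attempts, users tried: {tried[src]}")
    print("sources over threshold:", brute_force_sources(SAMPLE_LOG))
```

Run against a real auth log the same way (read the file instead of SAMPLE_LOG); a source that hits many distinct usernames in a few seconds is the signature of the automated guessing the thread describes, whereas a single failure for an existing account is more likely a typo.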


More information about the openssh-unix-dev mailing list