sshd exponential backoff patch
chris at qwirx.com
Thu Jan 29 09:07:36 EST 2009
On Wed, 28 Jan 2009, Jefferson Ogata wrote:
> On 2009-01-26 16:32, Bob Proulx wrote:
>> I read "hundreds of login attempts" in order to brute force a
>> password. But it actually takes orders of magnitudes more to brute
>> force attack a password. This is okay. You really do want the best
>> attack available to be a brute force attack. The present safeguards
>> will prevent the attack from succeeding before the end of time.
> If that were true, password guessing attacks against sshd wouldn't
> happen all the freakin' time (q.v.).
>> Avoiding passwords entirely and using rsa pub keys instead also avoids
>> the issue. That is a good security measure.
> Yes it is. It would be nice if one could then also get sshd to shut up
> about all the password guessing attacks that write all over your logs,
> even when PasswordAuthentication is set to "no":
> Aug 9 15:57:41 brillig sshd: Failed password for illegal user
> aleb from xxx.xxx.xxx.xxx port yyyyy ssh2
I always move public sshds to a non-standard port. Removes all the worm
spam and automated brute-force attacks for me.
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
More information about the openssh-unix-dev