OpenSSH daemon security bug?

Bob Proulx bob at proulx.com
Thu Jan 7 03:35:59 EST 2010


Michael Stone wrote:
> I won't challenge anyone else's experience, but I will say that I have
> not seen attackers trying to exhaustively brute-force passwords via ssh.
> Against a shadow file, sure, but the math on doing that over the network
> even with the default configuration that forces a new connection (and
> handshake overhead) after a few failures isn't pretty.

My logs are filled with attackers trying dictionary guessing attacks.
They have no hope of getting into the machine.  I can't understand why
they are even trying.  But they *are* trying.  To prevent most of the
noise I use 'fail2ban'.  For a long time that kept the noise in the
log files low.

> You can make the math more favorable by doing it in a distributed
> fashion, and hitting a bunch of targets if they're using centralized
> auth, but in that case why wouldn't the centralized auth disable the
> account after, say, 1000 failures?

Just very recently I started seeing attacks from a distributed set of
IPs.  Currently there is a 277 IP strong distributed attack engine
that is probing constantly with a dictionary guessing attack.  Also it
is probing quite slowly.  This is below the ban trigger threshold.
But at that rate I can't imagine there to be any success from any
victim system even if it used actually guessable logins and passwords.

> At any rate, as above, if you're enough of a high-profile target
> that this is a serious risk to you, you should be using multifactor
> auth.

The attacks I have been receiving have no hope of succeeding.  So I am
not worried.  Just reporting that distributed attack engines have been
seen in the wild.  Their use will only increase over time.  But this
does not lower the security of ssh any.

If external brute force attacks against passwords are the strongest
attack then life is good and we are still winning.

Bob
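The distributed, slow-rate probing Bob describes is exactly the pattern a per-source-IP ban rule (fail2ban's maxretry over a findtime window) is blind to: every source stays under the threshold, so nothing gets banned. The following is an added example, not code from this thread or from fail2ban or OpenSSH, showing a second aggregation a defender can run over the same sshd log lines: group failures by the target account and count distinct source IPs, which surfaces a coordinated dictionary run even when no single IP is noisy. It assumes the standard OpenSSH "Failed password for ..." / "Failed password for invalid user ..." log shape; the log excerpt, the IP addresses and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the two shapes OpenSSH logs for a rejected password:
#   "Failed password for root from 203.0.113.5 port 4242 ssh2"
#   "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample auth.log excerpt (not real traffic, documentation
# address ranges only): one noisy source that a per-IP rule catches, a
# distributed set of sources that each stay under the per-IP threshold,
# one legitimate typo, and one successful login that must not be counted.
SAMPLE_LOG = """\
Jan  7 03:01:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan  7 03:01:03 host sshd[1002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan  7 03:01:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan  7 03:01:07 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan  7 03:01:09 host sshd[1005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jan  7 03:01:11 host sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jan  7 03:05:00 host sshd[1010]: Failed password for root from 203.0.113.11 port 50001 ssh2
Jan  7 03:12:00 host sshd[1011]: Failed password for root from 203.0.113.12 port 50002 ssh2
Jan  7 03:19:00 host sshd[1012]: Failed password for invalid user admin from 203.0.113.13 port 50003 ssh2
Jan  7 03:26:00 host sshd[1013]: Failed password for root from 203.0.113.14 port 50004 ssh2
Jan  7 03:33:00 host sshd[1014]: Failed password for root from 203.0.113.15 port 50005 ssh2
Jan  7 03:40:00 host sshd[1015]: Failed password for invalid user admin from 203.0.113.16 port 50006 ssh2
Jan  7 03:47:00 host sshd[1016]: Failed password for root from 203.0.113.17 port 50007 ssh2
Jan  7 03:54:00 host sshd[1017]: Failed password for root from 203.0.113.18 port 50008 ssh2
Jan  7 03:55:00 host sshd[1018]: Failed password for root from 203.0.113.18 port 50009 ssh2
Jan  7 04:00:00 host sshd[1020]: Failed password for bob from 192.0.2.10 port 60001 ssh2
Jan  7 04:00:30 host sshd[1021]: Accepted publickey for bob from 192.0.2.10 port 60002 ssh2: RSA SHA256:placeholder
"""


def parse_failures(log_text: str) -> list[tuple[str, str]]:
    """Return (target_user, source_ip) for every rejected password in the log."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def per_ip_offenders(failures: list[tuple[str, str]], maxretry: int = 5) -> set[str]:
    """Sources a per-IP rule (fail2ban-style maxretry) would ban."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= maxretry}


def distributed_targets(
    failures: list[tuple[str, str]], maxretry: int = 5, min_sources: int = 5
) -> dict[str, list[str]]:
    """Accounts probed by at least min_sources distinct IPs that each stay
    under maxretry, i.e. the low-and-slow pattern a per-IP ban never sees."""
    per_ip = Counter(ip for _, ip in failures)
    sources: dict[str, set[str]] = defaultdict(set)
    for user, ip in failures:
        if per_ip[ip] < maxretry:  # quiet sources only; noisy ones are already banned
            sources[user].add(ip)
    numeric = lambda ip: tuple(int(o) for o in ip.split("."))
    return {u: sorted(ips, key=numeric) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} rejected passwords parsed")
    print("per-IP ban candidates:", sorted(per_ip_offenders(fails)))
    for user, ips in distributed_targets(fails).items():
        print(f"account {user!r} probed from {len(ips)} quiet sources: {', '.join(ips)}")
```

On the sample, the per-IP rule flags only 198.51.100.7, while the per-account view shows root being tried from six distinct quiet sources. In production the same grouping would be run over a sliding time window and fed from the real auth log (or journald) rather than an inline string; the response it supports is the one the thread already points at, namely making password guessing irrelevant with key or multifactor authentication rather than chasing individual source addresses.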

