OpenSSH daemon security bug?
Michael Stone
mstone at mathom.us
Thu Jan 7 03:44:49 EST 2010
On Wed, Jan 06, 2010 at 09:35:59AM -0700, you wrote:
>Michael Stone wrote:
>> I won't challenge anyone else's experience, but I will say that I have
>> not seen attackers trying to exhaustively brute-force passwords via ssh.
>> Against a shadow file, sure, but the math on doing that over the network
>> even with the default configuration that forces a new connection (and
>> handshake overhead) after a few failures isn't pretty.
>
>My logs are filled with attackers trying dictionary guessing attacks.

Agreed. (Dictionary guessing != exhaustive brute force.)

>They have no hope of getting into the machine. I can't understand why
>they are even trying.

Because they're depressingly successful. It's absolutely amazing how
many people will create an account like "bob" and give it a password
like "fish".

Mike Stone