begin quoting Tracy R Reed as of Fri, Jan 28, 2005 at 10:39:08PM -0800:
[snip]
> I consider the chances of anyone actually brute forcing a password by
> entering at the login prompt extremely remote. I can't think of a single
> case I have ever seen where that actually happened if the password was not
> set to some incredibly stupid default or "password". Especially given that

. . .
Jan 28 13:54:13 straumli sshd[9412]: [ID 800047 auth.info] Failed password for root from 212.71.168.123 port 34079 ssh2
Jan 28 13:54:16 straumli sshd[9414]: [ID 800047 auth.info] Illegal user test from 212.71.168.123
Jan 28 13:54:16 straumli sshd[9414]: [ID 800047 auth.info] Failed password for illegal user test from 212.71.168.123 port 34234 ssh2
Jan 28 13:54:19 straumli sshd[9416]: [ID 800047 auth.info] Illegal user test from 212.71.168.123
Jan 28 13:54:19 straumli sshd[9416]: [ID 800047 auth.info] Failed password for illegal user test from 212.71.168.123 port 34289 ssh2
Jan 28 13:54:26 straumli sshd[9418]: [ID 800047 auth.info] Illegal user test from 212.71.168.123
Jan 28 13:54:26 straumli sshd[9418]: [ID 800047 auth.info] Failed password for illegal user test from 212.71.168.123 port 34430 ssh2
. . .

Yeah, I suspect they're looking for misconfigured machines.

> password delays a few seconds after each attempt a dictionary or brute
> force attack will surely take ages.

Hm.... I think I'm getting concurrent attempts. Do I disallow concurrent
login attempts? (Dangerous -- DoS time!) Concurrent attempts from the same
IP (hey, I do that sometimes)?

> So I am not sure it is really worth
> the hassle of occasionally not being able to log into your own box. The
> only real attack I can see this stopping is that of someone brute-forcing
> the password hash from a stolen /etc/passwd file. Although it would give
> me a real good reason to carry around my USB keychain drive with my keys
> on it.

I'm thinking one-time passwords and/or medium-sized one-time keys.

Hmm.... perhaps it's time to dump my little router box and get something
that would support one-time key port-knocking. (Encrypt the date with the
one-time key, convert the resulting number into a sequence of digits
corresponding to a set of ports, and then use port-knocking to allow for
password connections. . . and carry data and programs on a USB thumbdrive.)

-Stewart "Complicated Solutions Can Be Fun!" Stremler
--
KPLUG-List mailing list
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
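An added example, not part of Stewart's post or the thread: a small Python script that parses Solaris-style sshd syslog lines like the ones quoted above and flags any source with a burst of failed passwords, reporting how many distinct usernames it tried and whether two different sshd processes failed in the same second (the "concurrent attempts" question). The log lines and the addresses 192.0.2.10 and 198.51.100.7 are constructed sample data, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same Solaris syslog format as the post
# (documentation addresses, not real hosts). pid 9417 fails in the same
# second as 9416 to show what parallel attempts look like.
SAMPLE_LOG = """\
Jan 28 13:54:13 straumli sshd[9412]: [ID 800047 auth.info] Failed password for root from 192.0.2.10 port 34079 ssh2
Jan 28 13:54:16 straumli sshd[9414]: [ID 800047 auth.info] Illegal user test from 192.0.2.10
Jan 28 13:54:16 straumli sshd[9414]: [ID 800047 auth.info] Failed password for illegal user test from 192.0.2.10 port 34234 ssh2
Jan 28 13:54:19 straumli sshd[9416]: [ID 800047 auth.info] Failed password for illegal user test from 192.0.2.10 port 34289 ssh2
Jan 28 13:54:19 straumli sshd[9417]: [ID 800047 auth.info] Failed password for illegal user admin from 192.0.2.10 port 34290 ssh2
Jan 28 13:54:26 straumli sshd[9418]: [ID 800047 auth.info] Failed password for illegal user test from 192.0.2.10 port 34430 ssh2
Jan 28 14:10:02 straumli sshd[9501]: [ID 800047 auth.info] Failed password for stewart from 198.51.100.7 port 51022 ssh2
"""

# Matches only the "Failed password" lines; the "[ID ...]" tag is optional so
# plain syslog output without the Solaris message id also parses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ \S+\] )?Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_failures(log, year=2005):
    """Return (time, ip, user, pid) for every failed-password line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"], int(m["pid"])))
    return out

def brute_force_sources(failures, threshold=5, window_s=60):
    """Sources with >= threshold failures inside any window_s seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user, pid in failures:
        by_ip[ip].append((ts, user, pid))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [e[0] for e in events]
        # sliding window: threshold consecutive failures within window_s
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - threshold + 1))
        if burst:
            pids_per_second = defaultdict(set)
            for ts, _, pid in events:
                pids_per_second[ts].add(pid)
            report[ip] = {"failures": len(events),
                          "users": len({e[1] for e in events}),
                          "parallel": any(len(p) > 1 for p in pids_per_second.values())}
    return report
```

Run against the sample, the single 198.51.100.7 failure is ignored while 192.0.2.10 is reported with 5 failures, 3 usernames and parallel=True; the "Illegal user" lines are left alone because each is followed by its own "Failed password" line.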
