Hi all,

Actually, Kevin's idea makes sense: for a good password, a brute-force attack 
easily reaches 100 000 attempts. Who will have the patience to wait 3 million 
seconds? That's more than 34 days of continuous attack. A 30-second delay before 
requesting the password will discourage 99% of the script kiddies.

Best regards,

George Iacob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Castro
Sent: Thursday, July 10, 2008 11:53
To: 'Fromm, Stephen (NIH/NIMH) [C]'; 'Zembower, Kevin'; 
[email protected]
Subject: RE: Deliberately create slow SSH response?

Sure, by logic the attack will slow down. It won't prevent continuous attacks 
though. So my suggestion is, if the service is used only by certain IPs, then 
filter all others.

 

-----Original Message-----
From: Fromm, Stephen (NIH/NIMH) [C] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2008 12:51 p.m.
To: Sergio Castro; Zembower, Kevin; [email protected]
Subject: RE: Deliberately create slow SSH response?

Yes, but if the attacker is coming from one point and takes 30 seconds for each 
attempt, versus 0.03 seconds...

Stephen J. Fromm, PhD
Contractor, NIMH/MAP
(301) 451-9265
 
 

-----Original Message-----
From: Sergio Castro [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2008 1:15 PM
To: 'Zembower, Kevin'; [email protected]
Subject: RE: Deliberately create slow SSH response?

The brute-force attacks are most likely automated, so if your objective is to 
bore a human to death with 30-second delays, it won't work.

Have you thought about limiting access to the service to only certain IPs?

- Sergio 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zembower, Kevin
Sent: Wednesday, July 09, 2008 11:56 a.m.
To: [email protected]
Subject: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way to 
deliberately create a slow response to an SSH request? I'm annoyed at the large 
number of distributed SSH brute-force attacks on a server I administer, trying 
to guess the password for 'root' and other accounts.
I think that my server is pretty secure: it doesn't allow root to log in through 
SSH, and only a restricted number of accounts are allowed SSH access, with, I think, 
pretty good passwords. But still, the attempts annoy me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure OpenSSH to do this? 
I searched the archives of this group with 'slow' and 'delay'
but didn't come up with anything on this topic. Please point it out to me if I 
overlooked anything. In addition, I can limit the number of SSH connections to 
3-5 and still operate okay. 

Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL ES 
4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

Thanks in advance for your advice and suggestions.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland  21202
410-659-6139 
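The settings the thread circles around (no root login, a short list of allowed accounts, a cap of 3-5 concurrent connections, a delay per attempt, or filtering by source address) all live in sshd_config or the firewall, and the disagreement about whether a 30-second delay helps comes down to how many attempts an attacker can run in parallel. The POSIX shell script below is an added example written for this page; it is not code from any participant, from OpenSSH, or from the list. It audits a constructed sample sshd_config for those settings (honouring sshd's rule that the first occurrence of a keyword wins), prints a hardened fragment, prints, without applying, an iptables allowlist of the kind Sergio suggests, and computes the guesses per day an attacker gets when each attempt costs a fixed delay and MaxStartups bounds parallelism. The sample config, the account names alice/bob, the 192.0.2.0/24 network and the warning thresholds are this example's placeholders and choices; the fallback values used when a keyword is absent are the OpenSSH defaults. OpenSSH itself has no option to sleep before prompting, and address-based Match blocks need OpenSSH 4.4 or later, so on the 3.9p1/4.3p2 hosts mentioned the source filtering is left to the firewall.

```shell
#!/bin/sh
# Added example for this thread, not code from the participants or from OpenSSH.
# Sample config, account names and the 192.0.2.0/24 network are placeholders.

# sshd_effective FILE KEYWORD: print the value sshd will use. sshd keeps the
# FIRST uncommented occurrence of a keyword, so later duplicates are ignored.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one OK/WARN line per check. Thresholds are this example's
# choices; the fallback when a keyword is unset is the OpenSSH default.
audit_sshd() {
    f=$1
    v=$(sshd_effective "$f" PermitRootLogin); v=${v:-yes}
    if [ "$v" = no ]; then echo "OK   PermitRootLogin $v"
    else echo "WARN PermitRootLogin $v (root is the most-guessed account)"; fi

    v=$(sshd_effective "$f" MaxAuthTries); v=${v:-6}
    if [ "$v" -le 3 ]; then echo "OK   MaxAuthTries $v"
    else echo "WARN MaxAuthTries $v (password guesses per connection)"; fi

    # MaxStartups is "N" or "start:rate:full"; the first number caps how many
    # unauthenticated connections, i.e. parallel guessing sessions, may exist.
    v=$(sshd_effective "$f" MaxStartups); v=${v:-10}
    if [ "${v%%:*}" -le 5 ]; then echo "OK   MaxStartups $v"
    else echo "WARN MaxStartups $v (parallel unauthenticated connections)"; fi

    # LoginGraceTime accepts "2m"/"30s" forms; normalise to seconds.
    v=$(sshd_effective "$f" LoginGraceTime); v=${v:-120}
    case $v in *m) v=$(( ${v%m} * 60 )) ;; *s) v=${v%s} ;; esac
    if [ "$v" -le 60 ]; then echo "OK   LoginGraceTime $v"
    else echo "WARN LoginGraceTime $v (idle connections hold MaxStartups slots)"; fi

    v=$(sshd_effective "$f" AllowUsers)
    if [ -n "$v" ]; then echo "OK   AllowUsers set"
    else echo "WARN AllowUsers unset (every account with a shell may be tried)"; fi
}

# warning_count FILE: number of WARN lines audit_sshd prints.
warning_count() { audit_sshd "$1" | grep -c '^WARN' || true; }

# hardened_fragment: drop-in lines for sshd_config (account names are placeholders).
hardened_fragment() {
    cat <<'EOF'
PermitRootLogin no
MaxAuthTries 3
MaxStartups 3:50:5
LoginGraceTime 30
# placeholder account names
AllowUsers alice bob
EOF
}

# allowlist_rules [NETWORK]: print (do not apply) iptables rules accepting SSH
# only from NETWORK; this is the source filtering suggested in the thread.
allowlist_rules() {
    net=${1:-192.0.2.0/24}   # placeholder documentation network
    echo "iptables -A INPUT -p tcp --dport 22 -s $net -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# guess_budget DELAY_SECONDS SLOTS: guesses per day when every attempt waits
# DELAY_SECONDS and at most SLOTS connections (MaxStartups) run in parallel.
guess_budget() { awk -v d="$1" -v s="$2" 'BEGIN { printf "%d\n", 86400 * s / d }'; }

# write_sample_config FILE: constructed sample of a permissive config.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, not a real host's file)
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
MaxStartups 10:30:60
LoginGraceTime 2m
# ignored by sshd: the first PermitRootLogin above already won
PermitRootLogin no
EOF
}

SAMPLE=$(mktemp); write_sample_config "$SAMPLE"
audit_sshd "$SAMPLE"
echo "guesses/day at 0.03 s, 10 slots: $(guess_budget 0.03 10)"
echo "guesses/day at 30 s, 3 slots:    $(guess_budget 30 3)"
echo; hardened_fragment; echo; allowlist_rules
```

The two guess_budget lines make the thread's arithmetic concrete: with stock MaxStartups and 0.03 s per attempt an attacker has tens of millions of guesses per day, while a 30 s delay combined with 3 slots leaves under 9 000, so George's 100 000-guess dictionary takes days rather than minutes. The delay only buys that much because MaxStartups caps parallelism; without the cap a distributed attacker simply opens more connections, which is Sergio's point.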


__________ NOD32 3255 (20080709) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com
