[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SSH Access Issues



"jdow" <jdow earthlink net> writes:
> It's possible to configure a firewall to give one shot every three minutes
> to logging in via ssh.

It is possible, but not usually done that way.  

The ssh-attacking programs are pretty good at hammering sshd.  If any
of the users of the machine have a password that is in its attack
dictionary, then your out of luck.  You'd be surprised how many folks
pick utterly crap passwords. When I spot checked a machine I helped
run against a common attack dictionary, a full 15% fell to it.  That
was only a 50k word dictionary too.  The ssh attack programs I saw
could run through that in under a day.

Better would be to just allow RSA (or DSA) and make the attacker guess
a 1024-bit *computer* generated key.

> How long do you think it would take to guess "12345678" as a password
> at one try every three seconds? (Or for the real paranoids one try
> every three minutes.)

Sure, if you use computer generated passwords and they have a
white-noise distribution across the whole search space then you would
also be safe.

-wolfgang
-- 
Wolfgang S. Rupprecht              http://www.full-steam.org/  (ipv6-only)
         You may need to config 6to4 to see the above pages.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]