On Tue, Feb 24, 2015 at 8:45 AM, Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
>
>
> On 24 February 2015 at 05:46, Hubert Kario <hkario@xxxxxxxxxx> wrote:
>>
>> On Tuesday 24 February 2015 13:08:46 Tomas Mraz wrote:
>> > On Tue, 2015-02-24 at 12:32 +0100, Hubert Kario wrote:
>> >
>> > > rate limiting and denyhosts have no impact whatsoever when the
>> > > attacker has a botnet at his disposal
>> >
>> > A large botnet means that the attack is targeted. I do not think we can
>> > prevent a targeted attack against a weak password in the default
>> > configuration. What we should aim at is prevention of non-targeted
>> > attacks such as attacks you can see when you open an ssh port on a public
>> > IP almost immediately. These attacks usually come from a single IP
>> > address.
>>
>> Not necessarily, I've seen both - where an IP did try just 2 or 3
>> password/user combinations and ones that did try dozens.
>>
>> Having access to a botnet is not uncommon or expensive, making it possible
>> for "bored student" kind of targeted attacks. You can do a low level of such an
>> attack with just EC2.
>>
>> I'm not saying that we shouldn't have rate limiting, but it shouldn't be
>> the only thing above a simple dictionary check.
>
> That matches what I am seeing with a couple of random servers I have out
> there. The number of attacks where one IP address is doing
>
> apple:apple
> apple:123456
> apple:trustn01
> apple:...
> bob:bob
> bob:123456
> bob:trustn01
> bob:password

Half of these will be allowed with the current installer behavior:

# pwscore
apple:123456
55
# pwscore
apple:trustn01
84
# pwscore
bob:trustn01
55
# pwscore
bob:password
58

--
Chris Murphy

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security