You need to disable “ChallengeResponse” (aka keyboard-interactive) authentication, not password authentication, to protect against this attack.

On Jul 22, 2015, at 1:56 PM, Bostjan Skufca <bostjan@xxxxxx> wrote:
>
> And to answer your question about what to do, you have three options:
> - disable access to ssh with a firewall
> - disable password authentication
> - install and enable IDS to mitigate brute forcing
>
> b.
>
>
> On 22 July 2015 at 22:54, Bostjan Skufca <bostjan@xxxxxx> wrote:
>> I just stumbled upon this story too (on /.), and as far as I
>> understand it, it allows a bit simpler way to perform brute force
>> attacks.
>>
>> If you go about bruteforcing ssh, does it really matter that much if
>> you do it over one or 10 tcp connections?
>>
>> If you do not have IDS (Intrusion Detection System, fail2ban or ossec
>> HIDS) installed and functioning, this bug does not matter all that
>> much. Determined attacker has this covered, regardless of number of
>> kbd-interactive attempts you allow per single connection.
>>
>> b.
>>
>> PS: Actually I tried the proof of concept + patch provided for ssh.
>> Openssh, patched with this patch, does not even compile.
>>
>> On 22 July 2015 at 21:41, Scott Neugroschl <scott_n@xxxxxxxxx> wrote:
>>> I read an article today about keyboard interactive auth allowing bruteforcing.
>>>
>>> I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
>>>
>>>
>>> ---
>>> Scott Neugroschl | XYPRO Technology Corporation
>>> 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |

--
Ron Frederick
ronf@xxxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
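The reply above makes the point that `ChallengeResponseAuthentication`, not `PasswordAuthentication`, is the sshd_config switch that matters here. The following added example (not code from the thread or from OpenSSH) audits a config file for that setting using two constructed sample configs; it assumes the `Keyword value` syntax without `Match` blocks, and relies on the documented sshd_config rules that the first occurrence of a keyword wins and that both keywords default to `yes` when absent.

```shell
#!/bin/sh
# Added example: check whether an sshd_config still leaves
# keyboard-interactive authentication reachable. Assumes "Keyword value"
# syntax (no "Keyword=value"), no Match blocks, first occurrence wins,
# and that ChallengeResponseAuthentication / PasswordAuthentication
# default to "yes" when the directive is absent.

# effective_value FILE KEYWORD: print the value sshd would use
# (keywords and yes/no values compared case-insensitively).
effective_value() {
    val=$(sed -e 's/#.*//' "$1" |
          awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# kbdint_exposed FILE: succeed (0) when keyboard-interactive is still
# enabled, i.e. ChallengeResponseAuthentication is anything but "no".
kbdint_exposed() {
    [ "$(effective_value "$1" ChallengeResponseAuthentication)" != no ]
}

# Constructed sample configs. PWONLY follows only the "disable password
# authentication" advice; KBDOFF also turns off keyboard-interactive.
PWONLY=$(mktemp); KBDOFF=$(mktemp)
trap 'rm -f "$PWONLY" "$KBDOFF"' EXIT
cat > "$PWONLY" <<'EOF'
# passwords off, but ChallengeResponseAuthentication left at its default
Port 22
PasswordAuthentication no
EOF
cat > "$KBDOFF" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
# the line below is ignored by sshd: the first occurrence above wins
challengeresponseauthentication yes
EOF

for f in "$PWONLY" "$KBDOFF"; do
    if kbdint_exposed "$f"; then
        echo "$f: keyboard-interactive still enabled; PasswordAuthentication=no alone is not enough"
    else
        echo "$f: keyboard-interactive disabled"
    fi
done
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative check; the parser above is only a reading aid for a config file.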