RE: a GOOD idea to harden OpenSSH!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



1.) Great idea.
2.) This could be a massive impediment to legitimate automated connections.  Part of a process that would make large numbers of connections per unit of time will be slowed unnecessarily.
3.) There are similar techniques implemented in many of today's authentication mechanisms, but they only slow the retries after the first attempt fails.  This effectively remedies the above problem while still accomplishing the goal.


Jon Ward, CEPT, CISA
Vulnerability Testing Technical Lead
Syntel, Inc.
Jon_Ward@xxxxxxxxxxxxx




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of nagygabor88
Sent: Wednesday, March 30, 2011 2:20 PM
To: OpenSSH list
Subject: a GOOD idea to harden OpenSSH!

I'm writing here, because the ssh dev list says: 

Mail Delivery Status Notification (Delay) 
[Status: Error, Address: <openssh-unix-dev@xxxxxxxxxxx>, ResponseCode 451, Temporary failure, please try again later.] 

So: 

What is you're opinion about the next idea? Please write down ++/-- thoughts: 

it's against brute-force attacks on sshd: 

if a user wants to connect to an ssh server then he have to wait a couple of seconds, then he can write his passphare. 
the "couple of seconds" is defined in the sshd config, e.g.: 2 seconds 
the method musn't show that the user have to wait 2 seconds to write his passphare. 

important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that has been typed after 2 second! 

effect: 

in this way, if a brute force "robot" comes, and tries to log in with a generated password it will likely input that in a matter of miliseconds, ok. 
BUT: the sshd will only give back that, that the password is bad. - because it only processes the password that has been typed 2 seconds after the "type you're password" appear on client side. 

if this idea would spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too much resources, and the brute-force will be far less effective. 

so can this be a feature in sshd? :O 

What do you think? 

Thank you! 




[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux