Back to list
a GOOD idea to harden OpenSSH!
Mar 30 2011 07:19PM
nagygabor88 (nagygabor88 zoho com)
I'm writing here, because the ssh dev list says:
Mail Delivery Status Notification (Delay)
[Status: Error, Address: <openssh-unix-dev (at) mindrot (dot) org [email concealed]>, ResponseCode 451, Temporary failure, please try again later.]
What is you're opinion about the next idea? Please write down ++/-- thoughts:
it's against brute-force attacks on sshd:
if a user wants to connect to an ssh server then he have to wait a couple of seconds, then he can write his passphare.
the "couple of seconds" is defined in the sshd config, e.g.: 2 seconds
the method musn't show that the user have to wait 2 seconds to write his passphare.
important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that has been typed after 2 second!
in this way, if a brute force "robot" comes, and tries to log in with a generated password it will likely input that in a matter of miliseconds, ok.
BUT: the sshd will only give back that, that the password is bad. - because it only processes the password that has been typed 2 seconds after the "type you're password" appear on client side.
if this idea would spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too much resources, and the brute-force will be far less effective.
so can this be a feature in sshd? :O
What do you think?
[ reply ]
Copyright 2010, SecurityFocus