Secure Shell
a GOOD idea to harden OpenSSH! Mar 30 2011 07:19PM
nagygabor88 (nagygabor88 zoho com) (3 replies)
RE: a GOOD idea to harden OpenSSH! Mar 31 2011 07:39PM
Ward, Jon (Jon_Ward syntelinc com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 02 2011 10:37PM
Eric Jaw (naisanza gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:24PM
Joseph Spenner (joseph85750 yahoo com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 03 2011 07:17PM
Lamont Granquist (lamont scriptkiddie org) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 06 2011 03:30AM
Mike Ramirez (gufymike gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:20PM
Christian Grunfeld (christian grunfeld gmail com) (1 replies)
hi,

A couple of years ago I submitted an idea like yours!
My idea was that the ssh server waits up to, say, 2^N seconds between
failed logins before showing the login prompt again, N being the Nth try!

So the first login comes instantly. After a failed login I have to
wait 2 seconds, after a second failed login I have to wait
4s... 8s... 16s... 32s... 2^N seconds!

This will not disturb a normal human login with a couple of failures, but
makes a robot wait according to a power law.

I don't know why, but nobody liked my idea.

Cheers !

2011/3/30 nagygabor88 <nagygabor88 (at) zoho (dot) com [email concealed]>:
> I'm writing here, because the ssh dev list says:
>
> Mail Delivery Status Notification (Delay)
> [Status: Error, Address: <openssh-unix-dev (at) mindrot (dot) org [email concealed]>, ResponseCode 451, Temporary failure, please try again later.]
>
> So:
>
> What is your opinion about the following idea? Please write down ++/-- thoughts:
>
> it's against brute-force attacks on sshd:
>
> if a user wants to connect to an ssh server then he has to wait a couple of seconds, then he can write his passphrase.
> the "couple of seconds" is defined in the sshd config, e.g.: 2 seconds
> the method mustn't show that the user has to wait 2 seconds to write his passphrase.
>
> important: the user could type in his password before the 2 seconds, but the sshd will only process the characters that have been typed after 2 seconds!
>
> effect:
>
> in this way, if a brute force "robot" comes and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok.
> BUT: the sshd will only reply that the password is bad - because it only processes the password that has been typed 2 seconds after the "type your password" appears on the client side.
>
> if this idea would spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too much resources, and the brute-force will be far less effective.
>
> so can this be a feature in sshd? :O
>
> What do you think?
>
> Thank you!
>
>
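The exponential back-off Christian describes, as an added example that is not part of the original thread: a per-source delay tracker plus a small simulation of how many guesses a single robot fits into an hour with and without it. The 1-second per-guess robot cost, the "robot" source key and the 3600 s cap are constructed assumptions, not anything from the post or from OpenSSH.

```python
class LoginBackoff:
    """Per-source exponential delay before sshd would show the next prompt.
    The Nth consecutive failure from a source means waiting base**N seconds
    (capped at max_delay); a successful login resets the counter. Constructed
    illustration of the post's idea, not OpenSSH code."""

    def __init__(self, base=2, max_delay=3600):
        self.base = base
        self.max_delay = max_delay
        self._failures = {}  # source -> consecutive failed logins
        self._ready_at = {}  # source -> earliest time (s) the prompt is shown

    def delay_for(self, failures):
        """Seconds to wait after `failures` consecutive failed logins."""
        if failures <= 0:
            return 0  # the first prompt comes instantly
        return min(self.base ** failures, self.max_delay)

    def ready_at(self, source):
        return self._ready_at.get(source, 0)

    def may_prompt(self, source, now):
        return now >= self.ready_at(source)

    def record_failure(self, source, now):
        n = self._failures.get(source, 0) + 1
        self._failures[source] = n
        self._ready_at[source] = now + self.delay_for(n)
        return self.delay_for(n)

    def record_success(self, source):
        # a correct password clears the penalty for that source
        self._failures.pop(source, None)
        self._ready_at.pop(source, None)


def attempts_in_window(window, backoff=None, attempt_cost=1):
    """Guesses one robot fits into `window` seconds, spending attempt_cost
    seconds (assumed 1 s) per guess; with backoff=None only that cost limits it."""
    now, attempts = 0, 0
    while True:
        if backoff is not None:
            now = max(now, backoff.ready_at("robot"))  # wait out the penalty
        if now + attempt_cost > window:
            return attempts
        now += attempt_cost
        attempts += 1
        if backoff is not None:
            backoff.record_failure("robot", now)
```

With these assumptions a robot gets 3600 guesses per hour unthrottled but only 11 under the 2^N schedule, while a human who fails twice waits 2 s and then 4 s.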

Re: a GOOD idea to harden OpenSSH! Apr 02 2011 11:57AM
Aaron Toponce (aaron toponce gmail com)
Copyright 2010, SecurityFocus