Secure Shell
a GOOD idea to harden OpenSSH! Mar 30 2011 07:19PM
nagygabor88 (nagygabor88 zoho com) (3 replies)
RE: a GOOD idea to harden OpenSSH! Mar 31 2011 07:39PM
Ward, Jon (Jon_Ward syntelinc com) (1 replies)
1.) Great idea.

2.) This could be a massive impediment to legitimate automated connections. Part of a process that would make large numbers of connections per unit of time will be slowed unnecessarily.

3.) There are similar techniques implemented in many of today's authentication mechanisms, but they only slow the retries after the first attempt fails. This effectively remedies the above problem while still accomplishing the goal.

Jon Ward, CEPT, CISA

Vulnerability Testing Technical Lead

Syntel, Inc.

Jon_Ward (at) syntelinc (dot) com

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of nagygabor88

Sent: Wednesday, March 30, 2011 2:20 PM

To: OpenSSH list

Subject: a GOOD idea to harden OpenSSH!

I'm writing here, because the ssh dev list says:

Mail Delivery Status Notification (Delay)

[Status: Error, Address: <openssh-unix-dev (at) mindrot (dot) org>, ResponseCode 451, Temporary failure, please try again later.]

So:

What is your opinion about the following idea? Please write down ++/-- thoughts:

It's against brute-force attacks on sshd:

If a user wants to connect to an SSH server, then he has to wait a couple of seconds; then he can type his passphrase.

The "couple of seconds" is defined in the sshd config, e.g.: 2 seconds.

The method mustn't show that the user has to wait 2 seconds to type his passphrase.

Important: the user could type in his password before the 2 seconds, but sshd will only process the chars that have been typed after 2 seconds!

Effect:

In this way, if a brute-force "robot" comes and tries to log in with a generated password, it will likely input that in a matter of milliseconds, OK.

BUT: sshd will only give back that the password is bad, because it only processes the password that has been typed 2 seconds after the "type your password" appears on the client side.

If this idea spread, then the attackers would "adapt" and wait e.g. 5 seconds before their robot gives the generated password to sshd. BUT: this will take them too many resources, and the brute force will be far less effective.

So can this be a feature in sshd? :O

What do you think?

Thank you!

[ reply ]
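As an added illustration (not code from the thread or from OpenSSH), the two policies discussed above side by side in a small Python simulation with a simulated clock: the proposal's fixed delay after the prompt, and the slowdown applied only after a first failed attempt that Jon Ward's point 3 describes. The class names, credential store, timings and source addresses are constructed for the example; the point it shows is that the fixed delay rejects a fast legitimate automated client outright, while the failure-based backoff lets it through and still reduces a burst of guesses from one source to a single password check.

```python
from dataclasses import dataclass

# Constructed credential store for the simulation; not part of sshd.
CREDENTIALS = {"alice": "correct horse battery staple"}

@dataclass
class Attempt:
    user: str
    password: str
    prompt_at: float  # seconds at which the password prompt was shown
    typed_at: float   # seconds at which the client delivered the password

class PromptDelayGate:
    """The thread's proposal: input typed before `delay` seconds after the prompt is discarded."""
    def __init__(self, delay: float = 2.0):
        self.delay = delay
    def authenticate(self, a: Attempt) -> str:
        if a.typed_at - a.prompt_at < self.delay:
            return "too_early"  # input ignored, even when the password was correct
        return "ok" if CREDENTIALS.get(a.user) == a.password else "bad"

class FailureBackoffGate:
    """Jon Ward's point 3: a first try is checked at once; each failure doubles the wait."""
    def __init__(self, base: float = 2.0):
        self.base = base
        self.failures: dict = {}      # source -> consecutive failures
        self.next_allowed: dict = {}  # source -> time before which attempts are refused
    def authenticate(self, a: Attempt, source: str) -> str:
        if a.typed_at < self.next_allowed.get(source, 0.0):
            return "throttled"  # inside the penalty window: password not even checked
        if CREDENTIALS.get(a.user) == a.password:
            self.failures.pop(source, None)
            self.next_allowed.pop(source, None)
            return "ok"
        n = self.failures[source] = self.failures.get(source, 0) + 1
        self.next_allowed[source] = a.typed_at + self.base * 2 ** (n - 1)
        return "bad"

def simulate() -> dict:
    # Legitimate automation answers the prompt in 10 ms with the right password.
    legit = Attempt("alice", "correct horse battery staple", 0.0, 0.01)
    # Constructed burst: five wrong guesses from one source, 50 ms apart.
    burst = [Attempt("alice", f"guess{i}", i * 0.05, i * 0.05 + 0.01) for i in range(5)]
    backoff = FailureBackoffGate(2.0)
    return {
        "legit_prompt_delay": PromptDelayGate(2.0).authenticate(legit),
        "legit_backoff": FailureBackoffGate(2.0).authenticate(legit, "192.0.2.10"),
        "bot_prompt_delay": [PromptDelayGate(2.0).authenticate(g) for g in burst],
        "bot_backoff": [backoff.authenticate(g, "198.51.100.7") for g in burst],
    }
```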
Re: a GOOD idea to harden OpenSSH! Apr 02 2011 10:37PM
Eric Jaw (naisanza gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:24PM
Joseph Spenner (joseph85750 yahoo com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 03 2011 07:17PM
Lamont Granquist (lamont scriptkiddie org) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 06 2011 03:30AM
Mike Ramirez (gufymike gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:20PM
Christian Grunfeld (christian grunfeld gmail com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 02 2011 11:57AM
Aaron Toponce (aaron toponce gmail com)
Copyright 2010, SecurityFocus