Brett Glass <brett (at) lariat (dot) org [email concealed]> said (on 2006/04/17):
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> From: Brett Glass <brett (at) lariat (dot) org [email concealed]>
> Subject: Strengthen OpenSSH security?
>
> ...
> It seems to me that sshd should not tip its hand by returning
> different responses ...
I agree. I also wish OpenSSH would implement the same security measures
already available in other SSH servers and authentication products --
a dynamic black list. The idea is simple, but effective: connections
from IP addresses that have failed to authenticate X times in the last
Y minutes are refused for Z minutes. For adequate values of Y and Z,
brute force attacks quickly lose feasibility.
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> From: Brett Glass <brett (at) lariat (dot) org [email concealed]>
> Subject: Strengthen OpenSSH security?
>
> ...
> It seems to me that sshd should not tip its hand by returning
> different responses ...
I agree. I also wish OpenSSH would implement the same security measures
already available in other SSH servers and authentication products --
a dynamic black list. The idea is simple, but effective: connections
from IP addresses that have failed to authenticate X times in the last
Y minutes are refused for Z minutes. For adequate values of Y and Z,
brute force attacks quickly lose feasibility.
[ reply ]