SSH Access Issues
Wolfgang S. Rupprecht
wolfgang.rupprecht+gnus200810 at gmail.com
Sun Oct 12 03:14:55 UTC 2008
"jdow" <jdow at earthlink.net> writes:
> It's possible to configure a firewall to give one shot every three minutes
> to logging in via ssh.
It is possible, but not usually done that way.
The ssh-attacking programs are pretty good at hammering sshd. If any
of the users of the machine have a password that is in its attack
dictionary, then your out of luck. You'd be surprised how many folks
pick utterly crap passwords. When I spot checked a machine I helped
run against a common attack dictionary, a full 15% fell to it. That
was only a 50k word dictionary too. The ssh attack programs I saw
could run through that in under a day.
Better would be to just allow RSA (or DSA) and make the attacker guess
a 1024-bit *computer* generated key.
> How long do you think it would take to guess "12345678" as a password
> at one try every three seconds? (Or for the real paranoids one try
> every three minutes.)
Sure, if you use computer generated passwords and they have a
white-noise distribution across the whole search space then you would
also be safe.
-wolfgang
--
Wolfgang S. Rupprecht http://www.full-steam.org/ (ipv6-only)
You may need to config 6to4 to see the above pages.
More information about the fedora-list
mailing list