Re: I love IP Tables.... (really sshd attacks)

"jdow" <jdow@xxxxxxxxxxxxx> writes:
> The common attack is a dictionary attack with several attempts a second.
> So of course, they get one shot to crack a password, usually for <snicker>
> root, which is dumb to begin with. After that first attempt they are
> blocked for the rest of their run.

Why not just disallow unix-passwords in ssh?  No passwords, no
dictionary attack.  Guessing an RSA 1k password by trying each should
keep them busy for quite a long time. (many, many times the lifetime
of the universe even if they can test multiple billions per second.)

Here is a page I wrote years ago when sshd attackers were starting to
hammer a machine I help run in a university setting.  I couldn't be
sure that the users actually had good passwords.  This fixed the
problem because it really doesn't matter at all what passwords they
chose.  Ssh never uses those passwords on the wire.  The only thing
that matters is the 1k number the computer chose for them.

   http://www.wsrcc.com/wolfgang/sshd-config.html

-wolfgang

-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
Hints for IPv6 on FC6 http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html

