From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht+gnus200705@xxxxxxxxx>
"jdow" <jdow@xxxxxxxxxxxxx> writes:
The common attack is a dictionary attack with several attempts a second.
So of course, they get one shot to crack a password, usually for
<snicker>
root, which is dumb to begin with. After that first attempt they are
blocked for the rest of their run.
Why not just disallow unix-passwords in ssh? No passwords, no
dictionary attack. Guessing an RSA 1k passowrd by trying each should
keep them busy for quite a long time. (many, many times the lifetime
of the universe even if they can test multiple billions per second.)
Here is a page I wrote years ago when sshd attacker wee starting to
hammer a machine I help run in a university setting. I couldn't be
sure that the users actually had good passwords. This fixed the
problem because it really don't matter at all what passwords they
chose. Ssh never uses those passwords on the wire. The only thing
that matters is the 1k number the computer chose for them.
http://www.wsrcc.com/wolfgang/sshd-config.html
I wasn't always sure it would be used from a machine that had the
necessary key on it. Sometimes getting PuTTY or a real ssh onto a
machine is tough enough. For keeping people out belt, suspenders,
and a buncha safety pins to the shirt is maybe enough. If I gotta
get in myself and don't want to dedicate days doing so then I need
at least belt and suspenders, key and password, access. Key access
is for easy access. Password access is for when the key isn't all
present and accounted for. And as I say, even guessing "abcdefg"
as a password is bad enough. "abcDefg" would be even worse. And I
fully expect to have a new password in place before the goof gets
past the password dictionary into systematic alphabetic attacks.
They become obvious in the logs astonishingly quickly compared to
any possible guessing time.
(Besides, if I just went to the "key" thing one of the last things
keeping me from moving to FreeBSD would be gone; and, I'd not be
here to pester you guys from time to time over silly rants. {^_-})
{^_^}