Date: Sat, 18 Jul 2015 18:10:17 -0500
From: Mark Felder <feld@FreeBSD.org>
To: Mike Tancsa <mike@sentex.net>, freebsd-security@freebsd.org
Subject: Re: OpenSSH max auth tries issue
Message-ID: <1437261017.3368395.327186961.64104619@webmail.messagingengine.com>
In-Reply-To: <55A95526.3070509@sentex.net>
On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
> Not sure if others have seen this yet
>
> ------------------
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
>
> With this vulnerability an attacker is able to request as many password
> prompts limited by the “login graced time” setting, that is set to two
> minutes by default."
>

Does it produce multiple entries in the server logs? I'm curious if sshguard, etc., would detect this. If I understand what's going on, this might appear as if it's a single "session" and be able to bypass pf overload rules. I'll have to play around with it and see what it does.
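One way to check what Mark is asking about (whether the attack shows up as many log entries, and why a connection-rate keyed pf overload rule would not see it), as an added example that is not part of the original thread or of OpenSSH or sshguard: a small Python script that parses sshd authentication-failure lines and groups them two ways, by source address and by the per-connection sshd child pid in the syslog tag. It assumes that each failed keyboard-interactive prompt is logged as a "Failed keyboard-interactive/pam ... ssh2" line and that all lines carrying one sshd pid belong to one connection. The log lines, hostname, addresses, ports and pids below are constructed for the example.

```python
import re
from collections import defaultdict

# The OpenSSH default quoted in Mike's message; sshd_config MaxAuthTries.
MAX_AUTH_TRIES = 6

# sshd logs authentication failures as
#   sshd[PID]: Failed <method> for [invalid user ]<user> from <ip> port <port> ssh2
# sshd forks one child per connection, so PID identifies the connection.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) ssh2"
)

# Constructed sample log (not real traffic): one connection (pid 4242) from
# 203.0.113.5 that is allowed nine failed prompts, a conventional brute-forcer
# from 198.51.100.7 that opens three connections and fails three times on each,
# and one successful login that must be ignored.
SAMPLE_LOG = (
    [f"Jul 17 14:20:{i:02d} gw sshd[4242]: Failed keyboard-interactive/pam "
     f"for root from 203.0.113.5 port 51234 ssh2" for i in range(9)]
    + [f"Jul 17 14:21:{10 * c + i:02d} gw sshd[{5100 + c}]: Failed password "
       f"for invalid user admin from 198.51.100.7 port {40001 + c} ssh2"
       for c in range(3) for i in range(3)]
    + ["Jul 17 14:22:00 gw sshd[5200]: Accepted publickey for mike "
       "from 192.0.2.10 port 60000 ssh2"]
)


def parse_failures(lines):
    """Return (ip, pid, method, user) for every failed-authentication line."""
    out = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            out.append((m["ip"], int(m["pid"]), m["method"], m["user"]))
    return out


def failures_per_source(lines):
    """Total failed attempts per source IP, across all connections."""
    per_ip = defaultdict(int)
    for ip, _pid, _method, _user in parse_failures(lines):
        per_ip[ip] += 1
    return dict(per_ip)


def connections_per_source(lines):
    """Distinct sshd pids (connections) per source IP that logged a failure.
    This is roughly what a connection-rate keyed firewall rule gets to see."""
    per_ip = defaultdict(set)
    for ip, pid, _method, _user in parse_failures(lines):
        per_ip[ip].add(pid)
    return {ip: len(pids) for ip, pids in per_ip.items()}


def find_bypass_sessions(lines, max_auth_tries=MAX_AUTH_TRIES):
    """Return {(ip, pid): failures} for connections that logged more failures
    than MaxAuthTries allows. If the limit were enforced, sshd would have
    dropped the connection before this many failures came from one pid."""
    per_conn = defaultdict(int)
    for ip, pid, _method, _user in parse_failures(lines):
        per_conn[(ip, pid)] += 1
    return {k: v for k, v in per_conn.items() if v > max_auth_tries}


if __name__ == "__main__":
    print("failures per source:   ", failures_per_source(SAMPLE_LOG))
    print("connections per source:", connections_per_source(SAMPLE_LOG))
    print("over MaxAuthTries:     ", find_bypass_sessions(SAMPLE_LOG))
```

Both sources end up with nine failures, but they look different to anything that counts connections: the conventional brute-forcer shows three connections and would trip a connection-rate overload rule, while the single long connection from 203.0.113.5 shows one connection and would not. Counting failures per (source, pid) and alerting when one connection exceeds MaxAuthTries is the signature specific to this attack; a per-source failure count, as sshguard-style tools use, would still catch it as long as every failed prompt is logged.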
