Date: Tue, 21 Jul 2015 06:40:52 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: OpenSSH max auth tries issue
In-Reply-To: <201507190220.UAA14096@mail.lariat.net>
References: <55A95526.3070509@sentex.net> <201507190220.UAA14096@mail.lariat.net>
Brett Glass wrote:

> Because a potential intruder can establish multiple or "tag-teamed" TCP
> sessions (possibly from different IPs) to the SSH server, a per-session limit
> is barely useful and will not slow a determined attacker. A global limit
> might, but would enable DoS attacks.

If you run sshd under inetd the "-C" flag will enforce rate limits on a
per-IP basis. Still vulnerable to resource exhaustion under a DDoS perhaps,
but it would have to be a serious effort.

Considering the potential interactions between inetd.conf, login.conf,
sshd_config and perhaps fail2ban or portsentry, it's surprising there isn't
more documentation on this important topic.

Roger

>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> "OpenSSH has a default value of six authentication tries before it will
>> close the connection (the ssh client allows only three password entries
>> per default).
>>
>> With this vulnerability an attacker is able to request as many password
>> prompts limited by the "login graced time" setting, that is set to two
>> minutes by default."
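The following is an added example, not part of Roger's message and not FreeBSD's own tooling: a small POSIX sh audit of the inetd.conf / rc.conf interaction he describes. Per inetd.conf(5) the fourth field of an entry is wait/nowait[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]; an entry that omits the per-IP value falls back to whatever inetd(8) was started with via -C (FreeBSD's stock rc.conf default is inetd_flags="-wW -C 60"; with no -C at all the inetd default is unlimited). The script also checks that each sshd entry passes -i, which sshd(8) requires when run from inetd. The sample inetd.conf and rc.conf text is constructed for the example, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective per-IP-per-minute
# rate limit for each sshd entry in an inetd.conf, given the inetd -C default
# from rc.conf. Sample inputs below are constructed for this example.

# Constructed sample inetd.conf: one sshd entry with an explicit per-IP limit
# (nowait/0/5/3 = unlimited children, 5 conns per IP per minute, 3 per IP),
# one entry relying on the inetd -C default.
SAMPLE_INETD_CONF='# service socket proto wait/nowait[/max-child[/per-ip-per-min[/max-child-per-ip]]] user program args
ssh     stream  tcp   nowait/0/5/3   root  /usr/sbin/sshd  sshd -i
ssh     stream  tcp6  nowait         root  /usr/sbin/sshd  sshd -i
#ftp    stream  tcp   nowait         root  /usr/libexec/ftpd ftpd -l'

# Constructed sample rc.conf: FreeBSD's stock default inetd_flags.
SAMPLE_RC_CONF='inetd_enable="YES"
inetd_flags="-wW -C 60"'

# per_ip_limit LINE: print the max-connections-per-ip-per-minute value of one
# inetd.conf entry, or "default" when the field is absent (inetd -C applies).
per_ip_limit() {
    _wf=$(printf '%s\n' "$1" | awk '{print $4}')        # wait/nowait[/...] field
    _lim=$(printf '%s\n' "$_wf" | awk -F/ '{print $3}')  # third slash-separated part
    if [ -n "$_lim" ]; then printf '%s\n' "$_lim"; else printf 'default\n'; fi
}

# inetd_C_default RCTEXT: print the value following -C in inetd_flags, or
# "unlimited" when -C is not given (the inetd(8) default).
inetd_C_default() {
    _flags=$(printf '%s\n' "$1" | sed -n 's/^inetd_flags="\(.*\)"$/\1/p')
    _c=$(printf '%s\n' "$_flags" | awk '{for (i = 1; i < NF; i++) if ($i == "-C") print $(i+1)}')
    if [ -n "$_c" ]; then printf '%s\n' "$_c"; else printf 'unlimited\n'; fi
}

# effective_limit LINE RCTEXT: the per-IP-per-minute limit that actually
# applies to LINE: its own field if set, otherwise the inetd -C default.
effective_limit() {
    _l=$(per_ip_limit "$1")
    if [ "$_l" = default ]; then inetd_C_default "$2"; else printf '%s\n' "$_l"; fi
}

# audit_sshd CONF RCTEXT: one line per active sshd entry in CONF giving the
# protocol, the effective per-IP limit, and whether sshd is given -i.
audit_sshd() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
    grep -E '[[:space:]]/usr/sbin/sshd[[:space:]]' |
    while IFS= read -r _line; do
        _proto=$(printf '%s\n' "$_line" | awk '{print $3}')
        case " $_line " in
            *" -i "*) _mode=inetd ;;
            *)        _mode='missing -i' ;;
        esac
        printf '%s limit=%s %s\n' "$_proto" "$(effective_limit "$_line" "$2")" "$_mode"
    done
}

# Usage on the constructed samples; replace with: audit_sshd "$(cat /etc/inetd.conf)" "$(cat /etc/rc.conf)"
audit_sshd "$SAMPLE_INETD_CONF" "$SAMPLE_RC_CONF"
```

A limit of "unlimited" on any sshd line means the per-IP throttling Roger mentions is not in effect for that entry; either add the per-IP fields to the wait/nowait column or set -C in inetd_flags. Note that this bounds new connections per source address per minute only; it does not change MaxAuthTries or LoginGraceTime inside sshd_config.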
