Date:      Tue, 23 Jun 2009 08:44:27 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
Cc:        Benjamin Lee <ben@b1c1l1.com>, Daniel Underwood <djuatdelta@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Best practices for securing SSH server
Message-ID:  <4A4087DB.5010700@infracaninophile.co.uk>
In-Reply-To: <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>
References:  <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com>	<4A403324.6090300@b1c1l1.com> <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>

Wojciech Puchar wrote:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking
> 10 character password consisting of just small letters and digits needs

10 characters is a longer-than-usual password.  Most people have been
conditioned into using a 7 or 8 character password, which is at least
1000 times easier to crack using your measure.  (Still a pretty big
possible space though).

> 36^10=3656158440062976 possible passwords, and over 11 million years to
> check all possibilities, so say 100000 years if someone is really lucky
> and will get it after checking 1% possible password.

There is a very big flaw in your analysis here.  You're assuming that
the passwords people might use are randomly and evenly distributed over
the whole possible password space.  That is simply untrue.  A lot of
people -- perhaps the majority -- will use a password consisting of an
English word, possibly with StUdLy CaPs or 3lite SP3LL1NG and with some
random extra characters!*99 tacked on[*].  That's a whole lot smaller
search space -- and it must be possible to brute-force passwords or it
wouldn't be worthwhile for the brute-force attackers to keep trying.

Agreed however that if people can be educated to use good passwords then
a brute force attack like this really is unfeasible.  I like apg(1) for
generating passwords where there is no alternative to using strong
crypto.

> Of course - you must not look at logs in 100000 years and not see this
> 10 attempts per second.

Sure.  My experience is that any machine on the internet with a port 22
listener will attract about 2 to 5 brute force attackers a day -- that
is, a sequence of brute force attempts originating from 2 -- 5
independent IPs per day.  In fact, given that you have taken reasonable
measures like using ssh keys exclusively or enforcing strong passwords,
the biggest problems caused by these sorts of attacks are the drain
on system resources and the excess verbiage in log files.  Getting rid
of that is why I like to implement connection-rate based SSH blocking
via pf(4) -- not because it gives any extra security.

> I give this example against common paranoia that exist on that group -
> mix of real "security paranoid" persons and pseudo-experts that like to
> repeat "intelligent" phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

Absolutely true.  Mitnick was an early exponent of Social Engineering
attacks, which are still the easiest and most effective methods for
breaking computer security.  Now, if we could just get rid of all the
users, our lives as Sys Admins would be a whole lot easier...

	Cheers,

	Matthew

[*] It's amazing how many people, when you tell them to use a mix of
upper and lower case letters, just capitalize the *first* letter of
their password.

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
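The search-space arithmetic the thread argues over, as an added example that is not part of the original message: it reproduces the 36^10 figure and the "11 million years at 10 attempts/second" estimate, then puts a rough upper bound on the "dictionary word + capitalisation + l33t + short suffix" pattern Matthew describes. The dictionary size, case/leet variant counts and suffix alphabet are constructed assumptions, not measurements.

```python
# Added example: search-space arithmetic behind the password-cracking
# estimates in this thread.  All model parameters below are assumptions.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_space(alphabet_size: int, length: int) -> int:
    """Count of passwords of exactly `length` symbols drawn uniformly from
    an alphabet of `alphabet_size` symbols (36 = a-z plus 0-9)."""
    return alphabet_size ** length


def years_to_exhaust(space: int, attempts_per_second: float = 10.0) -> float:
    """Years needed to try every candidate at a fixed online guess rate.
    The thread's 10 attempts/second is the default."""
    return space / attempts_per_second / SECONDS_PER_YEAR


def structured_space(words: int = 100_000, case_variants: int = 2,
                     leet_variants: int = 4, suffix_alphabet: int = 42,
                     max_suffix: int = 3) -> int:
    """Upper bound on 'English word, maybe capitalised or l33t-spelled,
    with a few digits/punctuation tacked on'.  Assumed parameters:
    100k-word list, 2 case patterns (all lower / first letter capital,
    per the footnote), 4 l33t substitution patterns, suffix of 0..3
    symbols over 10 digits + 32 punctuation marks."""
    suffixes = sum(suffix_alphabet ** n for n in range(max_suffix + 1))
    return words * case_variants * leet_variants * suffixes


def compare(alphabet: int = 36, length: int = 10) -> tuple[int, int, float]:
    """Return (uniform space, structured space, ratio) so the two models
    the thread contrasts can be put side by side."""
    r = random_space(alphabet, length)
    s = structured_space()
    return r, s, r / s


if __name__ == "__main__":
    uniform, structured, ratio = compare()
    print(f"36^10 = {uniform}, ~{years_to_exhaust(uniform):,.0f} years at 10/s")
    print(f"8-char is {uniform // random_space(36, 8)}x smaller, "
          f"7-char is {uniform // random_space(36, 7)}x smaller")
    print(f"structured model: {structured}, ~{years_to_exhaust(structured):,.0f} "
          f"years at 10/s ({ratio:,.0f}x smaller than uniform 36^10)")
```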

