Brute-Force SSH Server Attacks Surge (InformationWeek) [LWN.net]

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:20 UTC (Wed) by ssam (subscriber, #46587)
In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by AJWM
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

4 billion ip address, biggest botnets are of the order of 1 million machines. the default on
denyhosts is something like 10 fails per IP address.

there are 26^5 = 11 million, 5 character lowercase passwords

there are 26^7 = 8 billion, 7 character lowercase passwords

Ubuntu does not install an ssh server by default. which consumer distros do?

Ubuntu also, by default does not have a root user, so if you want to brute force you have to
guess a username as well.

crazy idea:
what if, once in 10 times, when an ssh login failed, the ssh server pretended that it has
succeeded, and gave a pretend shell that did nothing. would that confuse the crackers?

(Log in to post comments)

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 14, 2008 16:37 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

what if, once in 10 times, when an ssh login failed, the ssh server pretended that it has succeeded, and gave a pretend shell that did nothing. would that confuse the crackers?

What you describe sounds like a variation of a honeypot. Interesting concept, IMO, but I'm certain that whatever functionality incorporated in this "pretend" shell would necessarily be a small subset of what a real shell could contain.

Taking your idea further, how about a completely "functional" pretend shell whose programs and commands are all faked as well.... Sounds like a lot of work just to snoop on the bad guys, but a peculiarly interesting idea nevertheless...