Posted Oct 24, 2009 14:45 UTC (Sat) by NAR (subscriber, #1313)
Parent article: Distributed brute force ssh attacks

I think a brute force attack with one attempt per hour is not a problem if the passwords are at least half-decent. The password will expire long before the brute force attack succeeds.

Posted Oct 24, 2009 15:38 UTC (Sat) by ikm (subscriber, #493) [Link]

Multiply by 1000 nodes and you get 1000 attempts per hour.

I think though, too, the password lists are limited to some most common passwords only (e.g. 123, qwerty and so on). I think in that sense server-side password auditing would be enough to secure the host.

Posted Oct 26, 2009 16:07 UTC (Mon) by giraffedata (subscriber, #1954) [Link]

Multiply by 1000 nodes and you get 1000 attempts per hour.

And divide that by 1000 nodes and you get 1 attempt per hour, and since my actions will secure 1 of the 1000 nodes, that's the number that matters for me.

I think we're talking about two kinds of hacks: 1) someone wants into my system; 2) someone wants into any system. In (2), there's no reason for the hacker to hit my system frequently, but there's also correspondingly less chance he'll get into my system.

Hey another statistical reality: the user's password change interval is irrelevant to the probability of successfully guessing. The expected number of guesses it takes is the same no matter how many times the password changes while the guessing is going on.

Posted Oct 26, 2009 19:19 UTC (Mon) by ikm (subscriber, #493) [Link]

We're talking about the same kind of attack: someone wants into your system. It's YOUR host which gets probed 1000 times per hour. It's just that it's done by 1000 different machines simultaneously -- each of which probing only once an hour.

Posted Oct 26, 2009 19:35 UTC (Mon) by NAR (subscriber, #1313) [Link]

But after the third try, the user will be locked out for 2 minutes, so the next 33 tries will be in vain, even if the attacker would guess the right password...

Posted Oct 26, 2009 19:45 UTC (Mon) by ikm (subscriber, #493) [Link]

That does make sense. Though you'd have to combine it with IP-based banning too. Otherwise it'd be really easy to DoS a specific person one happens to dislike, and also bots tend to try many different user names, not just one over and over again.
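To put numbers on the exchange above, here is an added example (not code from the thread or from LWN) that models NAR's per-account lockout (three failures, then two minutes locked) against ikm's distributed probe (1000 hosts, each trying once an hour), and checks ikm's caveat that a lockout keyed on the username alone lets a stranger lock the real user out. The usernames, the even spacing of probes and the policy constants are assumptions; all attempt streams are constructed.

```python
"""Added example, not from the LWN thread: a per-account lockout keyed on the
username only, fed with constructed attempt streams. Constants and usernames
are assumptions chosen to match the numbers discussed in the thread."""
from collections import defaultdict

LOCK_AFTER = 3        # failures before the account is locked
LOCK_SECONDS = 120    # NAR's two-minute lockout


class AccountLockout:
    """Lockout keyed on username only (no per-IP state), as in the thread."""

    def __init__(self):
        self.failures = defaultdict(int)       # consecutive failures per user
        self.locked_until = defaultdict(float)  # unlock time per user

    def attempt(self, now, user, password_ok):
        """Return True if the attempt actually reaches the password check."""
        if now < self.locked_until[user]:
            return False                       # rejected while locked
        if password_ok:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= LOCK_AFTER:
            self.failures[user] = 0
            self.locked_until[user] = now + LOCK_SECONDS
        return True


def probes_reaching_check(nodes=1000, hours=1):
    """1000 nodes, one wrong guess each per hour, spread evenly over the hour:
    how many of those guesses get as far as the password check?"""
    pol = AccountLockout()
    spacing = 3600 / nodes                     # seconds between probes
    reached = 0
    for i in range(nodes * hours):
        if pol.attempt(i * spacing, "root", password_ok=False):
            reached += 1
    return reached


def legit_user_locked_out_by_stranger():
    """ikm's DoS caveat: three wrong guesses from anywhere, then the real
    user with the correct password is refused for the next two minutes."""
    pol = AccountLockout()
    for t in (0, 1, 2):
        pol.attempt(t, "alice", password_ok=False)
    return not pol.attempt(10, "alice", password_ok=True)
```

With probes every 3.6 seconds, each cycle is three guesses that reach the check followed by 33 that are rejected, which is NAR's "next 33 tries in vain"; over the hour only 84 of the 1000 guesses are ever checked.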