Dealing with automated SSH password-guessing
Posted Oct 25, 2016 8:48 UTC (Tue)
by bytelicker (guest, #92320)
Parent article: Dealing with automated SSH password-guessing
Posted Oct 25, 2016 9:55 UTC (Tue)
by rsidd (subscriber, #2582)
[Link] (2 responses)
I have always wondered, if you ran a site that required an email address as login (or for other reasons) and a password, and you were feeling malicious, you could collect quite a few gmail passwords -- either because of the user's bad finger memory, or because it's the same password! A good site should not store the password you type, just hash it and compare it with their hash, but how many sites do that? Several, I'm sure, store the passwords in plain text (e.g., er, most GNU Mailman lists...)
How big is this problem in real life?
Posted Oct 26, 2016 11:11 UTC (Wed)
by bytelicker (guest, #92320)
[Link]
I set this up because I am the only valid person SSH'ing to my server and for fun! I was stunned at how many login attempts my SSH daemon got. I'm not using the dictionary for anything but I certainly could. The dictionary contains around ~24 million records as of today.
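As an added defender-side illustration of the volume the comment above describes (not code from the comment author or the article), this small Python script parses sshd "Failed password" log lines, tallies attempts per source address and per attempted username, and flags sources above a threshold. The log lines and the threshold of 3 are constructed for the example.

```python
import re
from collections import Counter

# Matches the two forms sshd logs for a rejected password attempt:
#   "Failed password for root from 203.0.113.5 port 4444 ssh2"
#   "Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines using documentation address ranges, not real hosts.
SAMPLE_LOG = """\
Oct 26 11:11:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 26 11:11:03 srv sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Oct 26 11:11:04 srv sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 50010 ssh2: ED25519 SHA256:placeholder
Oct 26 11:11:06 srv sshd[2106]: Failed password for invalid user pi from 203.0.113.5 port 40141 ssh2
Oct 26 11:11:09 srv sshd[2109]: Failed password for root from 198.51.100.23 port 51200 ssh2
Oct 26 11:11:12 srv sshd[2112]: Failed password for invalid user admin from 198.51.100.23 port 51207 ssh2
"""

def parse_failures(log_text):
    """Return (attempts per source address, attempts per username) as Counters."""
    by_src, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # accepted logins and unrelated lines are skipped
            by_src[m.group("src")] += 1
            by_user[m.group("user")] += 1
    return by_src, by_user

def noisy_sources(by_src, threshold=3):
    """Sources with at least `threshold` failures: candidates for rate limiting or blocking."""
    return sorted(src for src, n in by_src.items() if n >= threshold)

if __name__ == "__main__":
    by_src, by_user = parse_failures(SAMPLE_LOG)
    print("failures per source:", dict(by_src))
    print("usernames tried:", dict(by_user))
    print("sources at or over threshold:", noisy_sources(by_src))
```

Feeding real `/var/log/auth.log` content to `parse_failures` gives the per-source and per-username counts that tools such as fail2ban act on.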
Posted Oct 26, 2016 18:06 UTC (Wed)
by josh (subscriber, #17465)
[Link]
Posted Oct 27, 2016 2:51 UTC (Thu)
by karkhaz (subscriber, #99844)
[Link] (1 responses)
This sounds like good fun; are you hosting the patch anywhere?
Posted Oct 27, 2016 7:21 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Nov 6, 2016 0:47 UTC (Sun)
by JanC_ (guest, #34940)
[Link] (3 responses)
Posted Nov 6, 2016 3:35 UTC (Sun)
by raven667 (subscriber, #5198)
[Link] (2 responses)
That's actually a terrible idea: you don't own the computers that are scanning you. They are probably themselves just infected with a botnet, but even if it was the attacker, you have no right to log into their computers, as they have no right to log into yours. I don't think everyone going all vigilante justice on everyone else results in a stable system.
Posted Nov 7, 2016 20:23 UTC (Mon)
by JanC_ (guest, #34940)
[Link] (1 responses)
Still, trying this “reverse login” might be useful for more ethical purposes (even if it would possibly be illegal still), e.g.:
* researching which devices use what default/backdoor passwords
Also: if that other system is owned by another person, then is it illegal or legal that you try to help them and/or the community? If you see a child/dog in a closed car suffering under a heavy sun, and the owners don't seem to be around, then is it illegal or legal (or even legally required) to break into that car because you aren't the owner? If you see a car that rolled halfway onto the road because somebody forgot to pull their handbrake, then is it illegal or legal to enter that car, push it off the street, and pull the handbrake?
Sounds like an interesting question for someone who actually has a clue about the law/jurisprudence on such things.
Posted Nov 8, 2016 17:16 UTC (Tue)
by raven667 (subscriber, #5198)
[Link]
* disabling the botnet