[Dshield] SSH Bots

Sean Smith ssmith at kwqc.com
Tue Mar 7 20:29:09 GMT 2006


> Just doing some maths in my head, assuming 14 characters in the brute
> force and let's assume a simple password of a-z, A-Z and 0-9, plus a few
> punctuation characters -,+,!@#$, that gives 88 characters, that's 88^14
> different combinations.  Which is a lot.  An awful lot.  Assuming you
> can try one password per second, that's still several thousand (million?)
> years before you try them all.  I say one per second so it allows for
> connection time.  Our Linux boxes allow for three attempts, each one
> taking longer before returning success or failure, then you get
> disconnected and need to reconnect.  I think we've still got the time
> outs on the actual sessions as well, but not sure.
> (we had problems with that).


So, do you think it is enough to force users towards complex passwords?
It can't hurt, I'm sure. 

I run a secondary server behind our main system and due to corporate
regulations, there is only one person in the entire building allowed
access to the main server system. He normally doesn't have time to
address daily security concerns or check logs every day. I feel like
it's a bomb waiting to go off. 

Is there anything you guys can suggest for my unfortunate
configuration?

S. Smith
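An added worked example, not part of the thread above, covering the two technical points in it: the back-of-the-envelope keyspace maths in the quoted mail (88 symbols, 14 characters, one guess per second, three attempts per connection) and the "nobody has time to check the logs" problem, which is addressed here by counting failed sshd logins per source address. The keyspace functions are plain arithmetic parameterised so that different charsets, lengths and throttling settings can be compared. The log lines are constructed samples in the usual OpenSSH syslog format (an assumption about the format, not taken from the thread), with addresses drawn from the documentation range 192.0.2.0/24; the threshold of five failures is an arbitrary choice.

```python
import re
from collections import Counter

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from a charset of
    `charset_size` symbols; the 88^14 figure from the quoted mail."""
    return charset_size ** length


def exhaustive_search_years(charset_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Years needed to try every password at a sustained guess rate.

    The rate is the attacker's *effective* rate, after connection setup,
    per-attempt delays and reconnects, so server-side throttling of failed
    attempts lowers it directly."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def effective_guess_rate(attempts_per_connection: int,
                         seconds_per_attempt: float,
                         reconnect_seconds: float) -> float:
    """Guesses per second one client achieves when the server allows
    `attempts_per_connection` tries per session and then disconnects."""
    session_time = attempts_per_connection * seconds_per_attempt + reconnect_seconds
    return attempts_per_connection / session_time


# --- Detection side: failed sshd logins per source ----------------------

# Assumed OpenSSH "Failed password" syslog line; the "invalid user" prefix
# appears when the account does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(lines):
    """Counter of failed-password attempts keyed by source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(lines, threshold=5):
    """Sources with at least `threshold` failures, most active first."""
    return [(src, n) for src, n in failed_logins_by_source(lines).most_common()
            if n >= threshold]


# Constructed sample log: one bot cycling through accounts, one single typo,
# one legitimate key-based login.
SAMPLE_LOG = [
    "Mar  7 20:01:12 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Mar  7 20:01:14 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Mar  7 20:01:17 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Mar  7 20:01:20 gw sshd[1238]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Mar  7 20:01:23 gw sshd[1238]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Mar  7 20:01:27 gw sshd[1238]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Mar  7 20:02:00 gw sshd[1240]: Failed password for sean from 192.0.2.20 port 5100 ssh2",
    "Mar  7 20:02:05 gw sshd[1240]: Accepted publickey for sean from 192.0.2.20 port 5100 ssh2",
    "Mar  7 20:02:06 gw sshd[1240]: pam_unix(sshd:session): session opened for user sean",
]

if __name__ == "__main__":
    rate = effective_guess_rate(3, 1.0, 2.0)  # 3 tries/session, 2 s reconnect
    print(f"effective rate: {rate:.2f} guesses/s")
    print(f"88^14 at 1/s: {exhaustive_search_years(88, 14, 1):.3g} years")
    print(f"88^14 at {rate:.2f}/s: {exhaustive_search_years(88, 14, rate):.3g} years")
    print(f"10^4 at 1/s: {exhaustive_search_years(10, 4, 1):.3g} years")
    for src, n in suspicious_sources(SAMPLE_LOG, threshold=5):
        print(f"ALERT {src}: {n} failed logins")
```

Run daily over the real auth log (for example `python3 ssh_failures.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin`) and the alert list is the part of the log a busy admin actually needs to read; the keyspace numbers show why the exhaustive-search argument only protects accounts whose passwords are actually drawn from a large space, which is the point of forcing complexity.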