[Dshield] SSH Bots

lucy at lucindrea.com
Wed Mar 8 08:36:12 GMT 2006


One password per second?!? Try 20-30 ms per request/answer (depending on
the connection speed), not to mention bots will open several sessions at
once. OK, the encryption of SSH probably puts another 2 or 3 ms overhead on
that ...

The problem isn't the passwords; the problem is that it's never random
chars (OK, most admins make their root random), but you can encode
every word in the English dictionary with all the possible
caps/lower/symbol variations and you still don't come anywhere near 88^14. It may
take a month to crack, but it's not 1000s of years ... The problem is
when humans make their passwords; using a random password generator will
give you that 88^14 number, but the bots aren't looking for them, they're
just looking for one weak shell account. Once in the system they have a
much better chance at getting to root.

>> Just doing some maths in my head, assuming 14 characters in the brute
>> force and let's assume a simple password of a-z, A-Z and 0-9, plus a few
>> punctuation characters -,+,!@#$, that gives 88 characters, that's 88^14
>> different combinations. Which is a lot. An awful lot. Assuming you
>> can try one password per second, that's still several thousand (million?)
>> years before you try them all. I say one per second so it allows for
>> connection time. Our linux boxes allow for three attempts, each one
>> taking longer before returning success or failure, then you get
>> disconnected and need to reconnect. I think we've still got the time
>> outs on the actual sessions as well, but not sure (we had problems with
>> that).
>
>
> So, do you think it is enough to force users towards complex passwords?
> It can't hurt, I'm sure.
>
> I run a secondary server behind our main system and due to corporate
> regulations, there is only one person in the entire building allowed
> access to the main server system. He normally doesn't have time to
> address daily security concerns or check logs every day. I feel like
> it's a bomb waiting to go off.
>
> Is there anything you guys can suggest in my unfortunate
> configuration?
>
> S. Smith


-- 
Time to revamp Kindergarten

1. Sharing is ILLEGAL

