[Dshield] SSH Bots
lucy at lucindrea.com
Wed Mar 8 08:36:12 GMT 2006
One password per second?!? Try 20-30 ms per request/answer (depending on
the connection speed), not to mention bots will open several sessions at
once. OK, the encryption of SSH probably adds another 2 or 3 ms of overhead.

The problem isn't the passwords, the problem is that it's never random
chars (OK, most admins make their root random), but you can encode
every word in the English dictionary with all the possible
caps/lower/symbol variants and you still don't come anywhere near 88^14. It may
take a month to crack, but it's not 1000's of years ... The problem is
when humans make their passwords; using a random password generator will
give you that 88^14 number .. but the bots aren't looking for them, they're
just looking for one weak shell account .. once in the system they have a
much better chance at getting to root.
>> Just doing some maths in my head, assuming 14 characters in the brute
>> force and let's assume a simple password of a-z, A-Z and 0-9, plus a few
>> punctuation characters -,+,!@#$, that gives 88 characters, that's 88^14
>> different combinations. Which is a lot. An awful lot. Assuming you
>> can try one password per second, that's still several thousand
>> (million?) years before you try them all. I say one per second so it
>> allows for connection time. Our Linux boxes allow for three attempts,
>> each one taking longer before returning success or failure, then you
>> get disconnected and need to reconnect. I think we've still got the
>> timeouts on the actual sessions as well, but not sure.
>> (we had problems with that).
>
> So, do you think it is enough to force users towards complex passwords?
> It can't hurt, I'm sure.
>
> I run a secondary server behind our main system and due to corporate
> regulations, there is only one person in the entire building allowed
> access to the main server system. He normally doesn't have time to
> address daily security concerns or check logs every day. I feel like
> it's a bomb waiting to go off.
>
> Is there anything you guys can suggest in my unfortunate
>
> S. Smith
Time to revamp Kindergarten
1. Sharing is ILLEGAL
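The arithmetic behind this exchange, worked through as an added example (this is not code from either poster). It contrasts the 88^14 random-password keyspace at the quoted one guess per second with a mangled dictionary attack at the faster rate and parallelism lucy describes. The 25 ms per attempt, 30 parallel sessions, 50,000-word list of at most 8 letters, the leet-substitution table and the suffix list are all assumptions chosen for illustration; the thread gives none of those figures.

```python
"""Keyspace and time-to-exhaust arithmetic for the SSH brute-force discussion.

Added worked example. The rates, wordlist size, substitution table and
suffix list below are assumptions for illustration, not figures from the thread.
"""
import itertools
import math

SECONDS_PER_YEAR = 365.25 * 86400

# Assumed mangling rules a password-guessing bot might apply to a wordlist:
# each letter may be lower, upper or (for a few letters) a look-alike symbol,
# and one of a handful of suffixes is appended.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, seconds_per_attempt: float,
                       parallel_sessions: int = 1) -> float:
    """Wall-clock time to try every candidate at a given per-attempt latency,
    with `parallel_sessions` guesses in flight at once."""
    return space * seconds_per_attempt / parallel_sessions


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def char_options(ch: str) -> str:
    """All forms a single character can take under the assumed rules."""
    opts = [ch]
    if ch.isalpha():
        opts = [ch.lower(), ch.upper()]
        if ch.lower() in LEET:
            opts.append(LEET[ch.lower()])
    return "".join(opts)


def mangle(word: str):
    """Yield every case/symbol variant of `word` with every suffix."""
    for chars in itertools.product(*(char_options(c) for c in word)):
        base = "".join(chars)
        for suffix in SUFFIXES:
            yield base + suffix


def mangled_count(word: str) -> int:
    """Closed-form count of what mangle() yields, without enumerating."""
    return math.prod(len(char_options(c)) for c in word) * len(SUFFIXES)


def mangled_upper_bound(n_words: int, max_len: int) -> int:
    """Upper bound on a mangled wordlist: every character has at most 3 forms."""
    return n_words * 3 ** max_len * len(SUFFIXES)


def compare(n_words=50_000, max_len=8, seconds_per_attempt=0.025,
            parallel_sessions=30):
    """Return (random_years, wordlist_days): 88^14 tried serially at one
    guess per second, versus the mangled wordlist at the assumed bot rate."""
    random_space = keyspace(88, 14)
    random_years = years(seconds_to_exhaust(random_space, 1.0))
    wordlist_space = mangled_upper_bound(n_words, max_len)
    wordlist_days = seconds_to_exhaust(
        wordlist_space, seconds_per_attempt, parallel_sessions) / 86400
    return random_years, wordlist_days


if __name__ == "__main__":
    ry, wd = compare()
    print(f"88^14 at 1 guess/s, serial: {ry:.3g} years")
    print(f"mangled 50k-word list at 25 ms, 30 sessions: {wd:.1f} days")
    print(f"variants of 'pass' under the assumed rules: {mangled_count('pass')}")
```

Even with every case/leet/suffix variant counted, the assumed wordlist is on the order of 10^9 candidates against 1.7 x 10^27 for 88^14, which is the gap the reply is pointing at: the keyspace only matters when the password was actually drawn from it.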