Mailing List Archive: OpenSSH: Users
a GOOD idea to harden OpenSSH!
 



nagygabor88 at zoho

Mar 30, 2011, 12:19 PM



I'm writing here, because the ssh dev list says:

Mail Delivery Status Notification (Delay)
[.Status: Error, Address: <openssh-unix-dev [at] mindrot>, ResponseCode 451, Temporary failure, please try again later.]

So:

What is your opinion about the next idea? Please write down ++/-- thoughts:

it's against brute-force attacks on sshd:

if a user wants to connect to an ssh server then he has to wait a couple of seconds, then he can write his passphrase.
the "couple of seconds" is defined in the sshd config, e.g.: 2 seconds
the method mustn't show that the user has to wait 2 seconds to write his passphrase.

important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!

effect:

in this way, if a brute force "robot" comes, and tries to log in with a generated password it will likely input that in a matter of milliseconds, ok.
BUT: the sshd will only give back that, that the password is bad. - because it only processes the password that has been typed 2 seconds after the "type your password" appears on client side.

if this idea would spread, then the attackers would "adapt", and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too many resources, and the brute-force will be far less effective.

so can this be a feature in sshd? :O

What do you think?

Thank you!
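
The input gate described in the post above, modelled as an added example that is not part of the original message and is not OpenSSH code. The function names, the sample password, the 100 ms round-trip figure and the per-character arrival times are all assumptions made for illustration.

```python
# Added illustration: models the input gate proposed in the post above.
# Names, sample password and timings are constructed; this is not OpenSSH code.
import hmac

def gate_input(events, prompt_ms, delay_ms):
    """Keep only characters received at least delay_ms after the prompt.

    events: list of (arrival_time_ms, char) in arrival order.
    """
    return "".join(ch for t, ch in events if t - prompt_ms >= delay_ms)

def check_attempt(events, prompt_ms, delay_ms, stored):
    """Compare the gated input with the stored secret; early input is silently lost."""
    candidate = gate_input(events, prompt_ms, delay_ms)
    return hmac.compare_digest(candidate.encode(), stored.encode())

def typed(password, start_ms, per_char_ms):
    """Build constructed arrival events for a password typed at a steady rate."""
    return [(start_ms + i * per_char_ms, ch) for i, ch in enumerate(password)]

def attempts_per_hour(delay_ms, round_trip_ms):
    """Upper bound on attempts one connection can make once it waits out the delay."""
    return 3_600_000 // (delay_ms + round_trip_ms)

SECRET = "correct-horse"   # constructed sample password
DELAY_MS = 2000            # the post's example value of 2 seconds

if __name__ == "__main__":
    scenarios = {
        "instant client": typed(SECRET, 10, 1),       # everything arrives before the gate opens
        "patient user": typed(SECRET, 2500, 150),     # starts typing after the delay
        "impatient user": typed(SECRET, 1500, 150),   # starts early, so a prefix is dropped
    }
    for name, events in scenarios.items():
        ok = check_attempt(events, 0, DELAY_MS, SECRET)
        print(f"{name:15} seen={gate_input(events, 0, DELAY_MS)!r} accepted={ok}")
    print("attempts/hour, no delay: ", attempts_per_hour(0, 100))
    print("attempts/hour, 2 s delay:", attempts_per_hour(DELAY_MS, 100))
```

In SSH password authentication the client sends the whole password in one request message (RFC 4252), so a server would see a single arrival time per attempt; the per-character timing here follows the post's description.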

Subject User Time
a GOOD idea to harden OpenSSH! nagygabor88 at zoho Mar 30, 2011, 12:19 PM
    Re: a GOOD idea to harden OpenSSH! christian.grunfeld at gmail Mar 31, 2011, 11:20 AM
    Re: a GOOD idea to harden OpenSSH! joseph85750 at yahoo Mar 31, 2011, 11:24 AM
        Re: a GOOD idea to harden OpenSSH! lamont at scriptkiddie Apr 3, 2011, 12:17 PM
            Re: a GOOD idea to harden OpenSSH! gufymike at gmail Apr 5, 2011, 8:30 PM
    RE: a GOOD idea to harden OpenSSH! Jon_Ward at syntelinc Mar 31, 2011, 12:39 PM
    Re: a GOOD idea to harden OpenSSH! aaron.toponce at gmail Apr 2, 2011, 4:57 AM
    Re: a GOOD idea to harden OpenSSH! naisanza at gmail Apr 2, 2011, 3:37 PM
