The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds

Posted by Unknown Lamer
from the and-that's-why-you-use-denyhosts dept. writes "Remember the glacially slow Hail Mary Cloud SSH bruteforcers? They're doing speedup tweaks and are preparing a comeback, some preliminary data reported by Peter Hansteen appear to indicate. The optimum rate of connections seems to be 1 per ten seconds, smack in the middle of the 'probably human' interval."
  • WTF, Editors? (Score:0, Insightful)

    by Anonymous Coward on Friday April 06, 2012 @02:23PM (#39600011)

    WTF is a "Hail Mary Cloud"?

    I clicked the link in the summary, which talks about something I'm supposed to "remember", but must have missed the first time it was discussed. That goes to another summary that also doesn't explain what it is, but also mentions that it's been discussed before. Then I click the link on that summary and I get a big long page of information.

    Does anyone review submissions at all before they go live?

  • by aztracker1 (702135) on Friday April 06, 2012 @02:26PM (#39600083) Homepage
    RSA key/pair is something you have... you still need something you are, and something you know... Once someone has your key, it's no more secure than your password. A trojan can read local files, just as easily, if not more so than snoop for a password.
  • by 0racle (667029) on Friday April 06, 2012 @02:35PM (#39600193)
    If you have a trojan keylogger, you probably don't have to worry about SSH bruteforcing.
  • by nine-times (778537) on Friday April 06, 2012 @03:00PM (#39600521)

    Once someone has your key, it's no more secure than your password.

    Whether the token is something you know, something you are, or something you have, it *all* becomes useless once someone else has it. That's not really the issue here. The issue is brute-force attacks on SSH, and using a key makes them significantly more difficult than passwords.

    Stealing someone's key/password is not a brute-force attack.

  • by Culture20 (968837) on Friday April 06, 2012 @03:20PM (#39600803)
    That's only useful if there's one attacker IP. TFA is talking about a botnet doing the attacking. Hundreds, if not thousands of IPs per minute. The only way to "protect" against that with iptables is to have iptables block all incoming on port 22 from any address. But then you're left with a DDoS where your ssh port is down nearly all the time. Same deal with locking accounts; if hundreds of attempts occur per minute, a lot of accounts can be locked out as a DDoS, intentionally or not.
  • by TheRaven64 (641858) on Friday April 06, 2012 @04:33PM (#39601581) Journal
    The problem is that botnets have a lot of IP addresses. They can do one try from one machine then another from the next. If you disable the account entirely after a certain number of failed logins, you've just created a simple DoS attack. If you disable it just from that IP, it doesn't matter because it will just try from another. There are some realtime block lists that you can use to reject things, but these add another attack route that can let someone who can spoof DNS prevent you from logging in to your own machine...
  • by nine-times (778537) on Friday April 06, 2012 @04:54PM (#39601803)

    That's nice in theory and all, but it depends on what that "something you are" is. Essentially we're talking about biometrics, so what are we measuring? Is it a thumbprint scan? Those have been defeated in the past by taking a thumbprint and replicating it by some means. Is it a DNA scan? Then they might just need to get ahold of your DNA.

    Really, the "something you are" is still "something you have", but you "have" it attached to your body. That doesn't necessarily mean it can't be stolen or replicated somehow. Similarly, the "something you know" can also be considered to be "something you have", but you "have" it in your mind. In some circumstances, it can still be figured out or retrieved, or you might be tricked into providing it.

    Real security isn't quite as simple as you make it sound.
