RE: Deliberately create slow SSH response? - openssh

This is a discussion on RE: Deliberately create slow SSH response? - openssh ; The brute force attacks are most likely automated, so if your objective is to bore a human to death with 30 second delays, it wont' work. Have you thought about limiting access to the service to only certain IPs? - ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: RE: Deliberately create slow SSH response?

  1. RE: Deliberately create slow SSH response?

    The brute force attacks are most likely automated, so if your objective is
    to bore a human to death with 30 second delays, it wont' work.

    Have you thought about limiting access to the service to only certain IPs?

    - Sergio

    -----Mensaje original-----
    De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En
    nombre de Zembower, Kevin
    Enviado el: Miércoles, 09 de Julio de 2008 11:56 a.m.
    Para: secureshell@securityfocus.com
    Asunto: Deliberately create slow SSH response?

    This might seem like a strange question to ask, but is there a way to
    deliberately create a slow response to an SSH request? I'm annoyed at the
    large number of distributed SSH brute-force attacks on a server I
    administer, trying to guess the password for 'root' and other accounts.
    I think that my server is pretty secure; doesn't allow root to log in
    through SSH, only a restricted number of accounts are allowed SSH access,
    with I think pretty good passwords. But still, the attempts annoy me.

    I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    This would slow the attempts. Is there any way to configure OpenSSH to do
    this? I searched the archives of this group with 'slow' and 'delay'
    but didn't come up with anything on this topic. Please point it out to me if
    I overlooked anything. In addition, I can limit the number of SSH
    connections to 3-5 and still operate okay.

    Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL
    ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

    Thanks in advance for your advice and suggestions.

    -Kevin

    Kevin Zembower
    Internet Services Group manager
    Center for Communication Programs
    Bloomberg School of Public Health
    Johns Hopkins University
    111 Market Place, Suite 310
    Baltimore, Maryland 21202
    410-659-6139


    __________ NOD32 3255 (20080709) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com


  2. RE: Deliberately create slow SSH response?

    Yes, but if the attacker is coming from one point and takes 30 seconds for each attempt, versus 0.03 seconds...

    Stephen J. Fromm, PhD
    Contractor, NIMH/MAP
    (301) 451-9265



    -----Original Message-----
    From: Sergio Castro [mailto:sergio.castro@unicin.net]
    Sent: Wednesday, July 09, 2008 1:15 PM
    To: 'Zembower, Kevin'; secureshell@securityfocus.com
    Subject: RE: Deliberately create slow SSH response?

    The brute force attacks are most likely automated, so if your objective is
    to bore a human to death with 30 second delays, it wont' work.

    Have you thought about limiting access to the service to only certain IPs?

    - Sergio

    -----Mensaje original-----
    De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En
    nombre de Zembower, Kevin
    Enviado el: Miércoles, 09 de Julio de 2008 11:56 a.m.
    Para: secureshell@securityfocus.com
    Asunto: Deliberately create slow SSH response?

    This might seem like a strange question to ask, but is there a way to
    deliberately create a slow response to an SSH request? I'm annoyed at the
    large number of distributed SSH brute-force attacks on a server I
    administer, trying to guess the password for 'root' and other accounts.
    I think that my server is pretty secure; doesn't allow root to log in
    through SSH, only a restricted number of accounts are allowed SSH access,
    with I think pretty good passwords. But still, the attempts annoy me.

    I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    This would slow the attempts. Is there any way to configure OpenSSH to do
    this? I searched the archives of this group with 'slow' and 'delay'
    but didn't come up with anything on this topic. Please point it out to me if
    I overlooked anything. In addition, I can limit the number of SSH
    connections to 3-5 and still operate okay.

    Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL
    ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

    Thanks in advance for your advice and suggestions.

    -Kevin

    Kevin Zembower
    Internet Services Group manager
    Center for Communication Programs
    Bloomberg School of Public Health
    Johns Hopkins University
    111 Market Place, Suite 310
    Baltimore, Maryland 21202
    410-659-6139


    __________ NOD32 3255 (20080709) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com


  3. RE: Deliberately create slow SSH response?

    Sure, by logic the attack will slow down. It won't prevent continuous
    attacks though. So my suggestion is, if the service is used only by certain
    IPs, then filter all others.



    -----Mensaje original-----
    De: Fromm, Stephen (NIH/NIMH) [C] [mailto:fromms@mail.nih.gov]
    Enviado el: Jueves, 10 de Julio de 2008 12:51 p.m.
    Para: Sergio Castro; Zembower, Kevin; secureshell@securityfocus.com
    Asunto: RE: Deliberately create slow SSH response?

    Yes, but if the attacker is coming from one point and takes 30 seconds for
    each attempt, versus 0.03 seconds...

    Stephen J. Fromm, PhD
    Contractor, NIMH/MAP
    (301) 451-9265



    -----Original Message-----
    From: Sergio Castro [mailto:sergio.castro@unicin.net]
    Sent: Wednesday, July 09, 2008 1:15 PM
    To: 'Zembower, Kevin'; secureshell@securityfocus.com
    Subject: RE: Deliberately create slow SSH response?

    The brute force attacks are most likely automated, so if your objective is
    to bore a human to death with 30 second delays, it wont' work.

    Have you thought about limiting access to the service to only certain IPs?

    - Sergio

    -----Mensaje original-----
    De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En
    nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de 2008 11:56
    a.m.
    Para: secureshell@securityfocus.com
    Asunto: Deliberately create slow SSH response?

    This might seem like a strange question to ask, but is there a way to
    deliberately create a slow response to an SSH request? I'm annoyed at the
    large number of distributed SSH brute-force attacks on a server I
    administer, trying to guess the password for 'root' and other accounts.
    I think that my server is pretty secure; doesn't allow root to log in
    through SSH, only a restricted number of accounts are allowed SSH access,
    with I think pretty good passwords. But still, the attempts annoy me.

    I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    This would slow the attempts. Is there any way to configure OpenSSH to do
    this? I searched the archives of this group with 'slow' and 'delay'
    but didn't come up with anything on this topic. Please point it out to me if
    I overlooked anything. In addition, I can limit the number of SSH
    connections to 3-5 and still operate okay.

    Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL
    ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

    Thanks in advance for your advice and suggestions.

    -Kevin

    Kevin Zembower
    Internet Services Group manager
    Center for Communication Programs
    Bloomberg School of Public Health
    Johns Hopkins University
    111 Market Place, Suite 310
    Baltimore, Maryland 21202
    410-659-6139


    __________ NOD32 3255 (20080709) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com




    __________ NOD32 3257 (20080710) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com


  4. RE: Deliberately create slow SSH response?

    Sergio,

    I think Kevin and I realize that dictionary attacks are automated, but a
    30-60 second delay would significantly slow them down to the point where
    it could hardly be called a brute force attack.

    On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
    > The brute force attacks are most likely automated, so if your objective is
    > to bore a human to death with 30 second delays, it wont' work.
    >
    > Have you thought about limiting access to the service to only certain IPs?
    >
    > - Sergio
    >
    > -----Mensaje original-----
    > De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En
    > nombre de Zembower, Kevin
    > Enviado el: Miércoles, 09 de Julio de 2008 11:56 a.m.
    > Para: secureshell@securityfocus.com
    > Asunto: Deliberately create slow SSH response?
    >
    > This might seem like a strange question to ask, but is there a way to
    > deliberately create a slow response to an SSH request? I'm annoyed at the
    > large number of distributed SSH brute-force attacks on a server I
    > administer, trying to guess the password for 'root' and other accounts.
    > I think that my server is pretty secure; doesn't allow root to log in
    > through SSH, only a restricted number of accounts are allowed SSH access,
    > with I think pretty good passwords. But still, the attempts annoy me.
    >
    > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    > This would slow the attempts. Is there any way to configure OpenSSH to do
    > this? I searched the archives of this group with 'slow' and 'delay'
    > but didn't come up with anything on this topic. Please point it out to me if
    > I overlooked anything. In addition, I can limit the number of SSH
    > connections to 3-5 and still operate okay.
    >
    > Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL
    > ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.
    >
    > Thanks in advance for your advice and suggestions.
    >
    > -Kevin
    >
    > Kevin Zembower
    > Internet Services Group manager
    > Center for Communication Programs
    > Bloomberg School of Public Health
    > Johns Hopkins University
    > 111 Market Place, Suite 310
    > Baltimore, Maryland 21202
    > 410-659-6139
    >
    >
    > __________ NOD32 3255 (20080709) Information __________
    >
    > This message was checked by NOD32 antivirus system.
    > http://www.eset.com
    >
    >



  5. RE: Deliberately create slow SSH response?

    Indeed, I agree.
    The point I'm trying to convey is that if the objective is to reduce the
    chance of an attack getting through, and given the fact that the service is
    SSH, then a better solution may be to limit access to trusted IPs.
    That's all I'm saying

    -----Mensaje original-----
    De: Bryan Christ [mailto:bryan.christ@hp.com]
    Enviado el: Jueves, 10 de Julio de 2008 01:51 p.m.
    Para: Sergio Castro
    CC: 'Zembower, Kevin'; secureshell@securityfocus.com
    Asunto: RE: Deliberately create slow SSH response?

    Sergio,

    I think Kevin and I realize that dictionary attacks are automated, but a
    30-60 second delay would significantly slow them down to the point where it
    could hardly be called a brute force attack.

    On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
    > The brute force attacks are most likely automated, so if your
    > objective is to bore a human to death with 30 second delays, it wont'

    work.
    >
    > Have you thought about limiting access to the service to only certain IPs?
    >
    > - Sergio
    >
    > -----Mensaje original-----
    > De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
    > En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de
    > 2008 11:56 a.m.
    > Para: secureshell@securityfocus.com
    > Asunto: Deliberately create slow SSH response?
    >
    > This might seem like a strange question to ask, but is there a way to
    > deliberately create a slow response to an SSH request? I'm annoyed at
    > the large number of distributed SSH brute-force attacks on a server I
    > administer, trying to guess the password for 'root' and other accounts.
    > I think that my server is pretty secure; doesn't allow root to log in
    > through SSH, only a restricted number of accounts are allowed SSH
    > access, with I think pretty good passwords. But still, the attempts annoy

    me.
    >
    > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    > This would slow the attempts. Is there any way to configure OpenSSH to
    > do this? I searched the archives of this group with 'slow' and 'delay'
    > but didn't come up with anything on this topic. Please point it out to
    > me if I overlooked anything. In addition, I can limit the number of
    > SSH connections to 3-5 and still operate okay.
    >
    > Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
    > RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.
    >
    > Thanks in advance for your advice and suggestions.
    >
    > -Kevin
    >
    > Kevin Zembower
    > Internet Services Group manager
    > Center for Communication Programs
    > Bloomberg School of Public Health
    > Johns Hopkins University
    > 111 Market Place, Suite 310
    > Baltimore, Maryland 21202
    > 410-659-6139
    >
    >
    > __________ NOD32 3255 (20080709) Information __________
    >
    > This message was checked by NOD32 antivirus system.
    > http://www.eset.com
    >
    >



    __________ NOD32 3257 (20080710) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com


  6. RE: Deliberately create slow SSH response?

    Unfortunately, I never know exactly where I'll be logging in from and
    maintaining a blacklist/whitelist is tiresome. As for moving the port
    (another suggestion I saw) that's not really a possibility for me either
    because some of the remote locations I shell in from don't allow traffic
    out non-standard ports.

    On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
    > Indeed, I agree.
    > The point I'm trying to convey is that if the objective is to reduce the
    > chance of an attack getting through, and given the fact that the service is
    > SSH, then a better solution may be to limit access to trusted IPs.
    > That's all I'm saying
    >
    > -----Mensaje original-----
    > De: Bryan Christ [mailto:bryan.christ@hp.com]
    > Enviado el: Jueves, 10 de Julio de 2008 01:51 p.m.
    > Para: Sergio Castro
    > CC: 'Zembower, Kevin'; secureshell@securityfocus.com
    > Asunto: RE: Deliberately create slow SSH response?
    >
    > Sergio,
    >
    > I think Kevin and I realize that dictionary attacks are automated, but a
    > 30-60 second delay would significantly slow them down to the point where it
    > could hardly be called a brute force attack.
    >
    > On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
    > > The brute force attacks are most likely automated, so if your
    > > objective is to bore a human to death with 30 second delays, it wont'

    > work.
    > >
    > > Have you thought about limiting access to the service to only certain IPs?
    > >
    > > - Sergio
    > >
    > > -----Mensaje original-----
    > > De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
    > > En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de
    > > 2008 11:56 a.m.
    > > Para: secureshell@securityfocus.com
    > > Asunto: Deliberately create slow SSH response?
    > >
    > > This might seem like a strange question to ask, but is there a way to
    > > deliberately create a slow response to an SSH request? I'm annoyed at
    > > the large number of distributed SSH brute-force attacks on a server I
    > > administer, trying to guess the password for 'root' and other accounts.
    > > I think that my server is pretty secure; doesn't allow root to log in
    > > through SSH, only a restricted number of accounts are allowed SSH
    > > access, with I think pretty good passwords. But still, the attempts annoy

    > me.
    > >
    > > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    > > This would slow the attempts. Is there any way to configure OpenSSH to
    > > do this? I searched the archives of this group with 'slow' and 'delay'
    > > but didn't come up with anything on this topic. Please point it out to
    > > me if I overlooked anything. In addition, I can limit the number of
    > > SSH connections to 3-5 and still operate okay.
    > >
    > > Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
    > > RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.
    > >
    > > Thanks in advance for your advice and suggestions.
    > >
    > > -Kevin
    > >
    > > Kevin Zembower
    > > Internet Services Group manager
    > > Center for Communication Programs
    > > Bloomberg School of Public Health
    > > Johns Hopkins University
    > > 111 Market Place, Suite 310
    > > Baltimore, Maryland 21202
    > > 410-659-6139
    > >
    > >
    > > __________ NOD32 3255 (20080709) Information __________
    > >
    > > This message was checked by NOD32 antivirus system.
    > > http://www.eset.com
    > >
    > >

    >
    >
    > __________ NOD32 3257 (20080710) Information __________
    >
    > This message was checked by NOD32 antivirus system.
    > http://www.eset.com
    >
    >



  7. RE: Deliberately create slow SSH response?

    I think you misunderstood how my suggesting differs from Kevin's. I
    wish I had more time and I would just write the patch myself... here's
    the idea...

    sample sshd.conf

    # enable bad IP penalty box
    penalty_box = yes

    # 3 bad attempts within 60 seconds places the offending IP address
    # in a penalty box
    penalty_attempts = 3
    penalty_window = 60

    # login delay for IP address in penalty box (in seconds)
    penalty_delay = 30

    # how long an IP address stays in the penalty box (in minutes)
    # the timer would be reset every time there is an invalid attempt.
    # a value of 0 means the IP address stays in the penalty box permanently
    # until a valid login is supplied. valid logins would always remove an
    # IP address from the penalty box
    penalty_timeout = 5

    # add an extra 5 seconds to the penalty_delay for each subsequent
    # invalid login
    penalty_delay_perturb = 5


    I've never looked at the source, but I can't imagine this being much
    more difficult that a simple structure and a linked-list.

    Bryan


    On Thu, 2008-07-10 at 19:16 +0000, Sergio Castro wrote:
    > I'm sorry Bryan, this thread is getting confusing.
    > What do I mean about what?
    >
    > -----Mensaje original-----
    > De: Bryan Christ [mailto:bryan.christ@hp.com]
    > Enviado el: Jueves, 10 de Julio de 2008 02:17 p.m.
    > Para: Sergio Castro
    > Asunto: RE: Deliberately create slow SSH response?
    >
    > What do you mean?
    >
    > On Thu, 2008-07-10 at 19:12 +0000, Sergio Castro wrote:
    > > So there you go, then IP filtering is not an option.
    > >
    > > -----Mensaje original-----
    > > De: Bryan Christ [mailto:bryan.christ@hp.com] Enviado el: Jueves, 10
    > > de Julio de 2008 02:10 p.m.
    > > Para: Sergio Castro
    > > CC: 'Zembower, Kevin'; secureshell@securityfocus.com
    > > Asunto: RE: Deliberately create slow SSH response?
    > >
    > > Unfortunately, I never know exactly where I'll be logging in from and
    > > maintaining a blacklist/whitelist is tiresome. As for moving the port
    > > (another suggestion I saw) that's not really a possibility for me
    > > either because some of the remote locations I shell in from don't
    > > allow traffic out non-standard ports.
    > >
    > > On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
    > > > Indeed, I agree.
    > > > The point I'm trying to convey is that if the objective is to reduce
    > > > the chance of an attack getting through, and given the fact that the
    > > > service is SSH, then a better solution may be to limit access to
    > > > trusted

    > > IPs.
    > > > That's all I'm saying
    > > >
    > > > -----Mensaje original-----
    > > > De: Bryan Christ [mailto:bryan.christ@hp.com] Enviado el: Jueves, 10
    > > > de Julio de 2008 01:51 p.m.
    > > > Para: Sergio Castro
    > > > CC: 'Zembower, Kevin'; secureshell@securityfocus.com
    > > > Asunto: RE: Deliberately create slow SSH response?
    > > >
    > > > Sergio,
    > > >
    > > > I think Kevin and I realize that dictionary attacks are automated,
    > > > but a 30-60 second delay would significantly slow them down to the
    > > > point where it could hardly be called a brute force attack.
    > > >
    > > > On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
    > > > > The brute force attacks are most likely automated, so if your
    > > > > objective is to bore a human to death with 30 second delays, it wont'
    > > > work.
    > > > >
    > > > > Have you thought about limiting access to the service to only
    > > > > certain

    > > IPs?
    > > > >
    > > > > - Sergio
    > > > >
    > > > > -----Mensaje original-----
    > > > > De: listbounce@securityfocus.com
    > > > > [mailto:listbounce@securityfocus.com]
    > > > > En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de
    > > > > 2008 11:56 a.m.
    > > > > Para: secureshell@securityfocus.com
    > > > > Asunto: Deliberately create slow SSH response?
    > > > >
    > > > > This might seem like a strange question to ask, but is there a way
    > > > > to deliberately create a slow response to an SSH request? I'm
    > > > > annoyed at the large number of distributed SSH brute-force attacks
    > > > > on a server I administer, trying to guess the password for 'root'
    > > > > and

    > > other accounts.
    > > > > I think that my server is pretty secure; doesn't allow root to log
    > > > > in through SSH, only a restricted number of accounts are allowed
    > > > > SSH access, with I think pretty good passwords. But still, the
    > > > > attempts annoy
    > > > me.
    > > > >
    > > > > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    > > > > This would slow the attempts. Is there any way to configure
    > > > > OpenSSH to do this? I searched the archives of this group with
    > > > > 'slow' and

    > > 'delay'
    > > > > but didn't come up with anything on this topic. Please point it
    > > > > out to me if I overlooked anything. In addition, I can limit the
    > > > > number of SSH connections to 3-5 and still operate okay.
    > > > >
    > > > > Ultimately, I need this solution for hosts running OpenSSH_3.9p1
    > > > > under RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and
    > > > > Fedora

    > > Core 6.
    > > > >
    > > > > Thanks in advance for your advice and suggestions.
    > > > >
    > > > > -Kevin
    > > > >
    > > > > Kevin Zembower
    > > > > Internet Services Group manager
    > > > > Center for Communication Programs
    > > > > Bloomberg School of Public Health
    > > > > Johns Hopkins University
    > > > > 111 Market Place, Suite 310
    > > > > Baltimore, Maryland 21202
    > > > > 410-659-6139
    > > > >
    > > > >
    > > > > __________ NOD32 3255 (20080709) Information __________
    > > > >
    > > > > This message was checked by NOD32 antivirus system.
    > > > > http://www.eset.com
    > > > >
    > > > >
    > > >
    > > >
    > > > __________ NOD32 3257 (20080710) Information __________
    > > >
    > > > This message was checked by NOD32 antivirus system.
    > > > http://www.eset.com
    > > >
    > > >

    > >
    > >
    > > __________ NOD32 3257 (20080710) Information __________
    > >
    > > This message was checked by NOD32 antivirus system.
    > > http://www.eset.com
    > >
    > >

    >
    >
    > __________ NOD32 3257 (20080710) Information __________
    >
    > This message was checked by NOD32 antivirus system.
    > http://www.eset.com
    >
    >



  8. RE: Deliberately create slow SSH response?

    Bryan,

    Were I in your shoes - which I by the way basically am - I would
    seriously consider denyhost, to which a link was given on the list.

    Denyhosts works a treat for us in blocking new and blacklisting known
    brute-force kiddies. Throw in portsentry for good measure, and the
    little SOB's are denied the pleasure of scanning your system in order to
    find another way to annoy you.

    IMHO this combo works way better than the tarpit approach, since some of
    these kids - and most are kids - just let their computer do the work,
    while they are at school or out seducing members of the opposite sex...

    Bjarne

    tor, 10 07 2008 kl. 14:10 -0500, skrev Bryan Christ:
    > Unfortunately, I never know exactly where I'll be logging in from and
    > maintaining a blacklist/whitelist is tiresome. As for moving the port
    > (another suggestion I saw) that's not really a possibility for me either
    > because some of the remote locations I shell in from don't allow traffic
    > out non-standard ports.
    >
    > On Thu, 2008-07-10 at 18:54 +0000, Sergio Castro wrote:
    > > Indeed, I agree.
    > > The point I'm trying to convey is that if the objective is to reduce the
    > > chance of an attack getting through, and given the fact that the service is
    > > SSH, then a better solution may be to limit access to trusted IPs.
    > > That's all I'm saying
    > >
    > > -----Mensaje original-----
    > > De: Bryan Christ [mailto:bryan.christ@hp.com]
    > > Enviado el: Jueves, 10 de Julio de 2008 01:51 p.m.
    > > Para: Sergio Castro
    > > CC: 'Zembower, Kevin'; secureshell@securityfocus.com
    > > Asunto: RE: Deliberately create slow SSH response?
    > >
    > > Sergio,
    > >
    > > I think Kevin and I realize that dictionary attacks are automated, but a
    > > 30-60 second delay would significantly slow them down to the point where it
    > > could hardly be called a brute force attack.
    > >
    > > On Wed, 2008-07-09 at 17:14 +0000, Sergio Castro wrote:
    > > > The brute force attacks are most likely automated, so if your
    > > > objective is to bore a human to death with 30 second delays, it wont'

    > > work.
    > > >
    > > > Have you thought about limiting access to the service to only certain IPs?
    > > >
    > > > - Sergio
    > > >
    > > > -----Mensaje original-----
    > > > De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
    > > > En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de
    > > > 2008 11:56 a.m.
    > > > Para: secureshell@securityfocus.com
    > > > Asunto: Deliberately create slow SSH response?
    > > >
    > > > This might seem like a strange question to ask, but is there a way to
    > > > deliberately create a slow response to an SSH request? I'm annoyed at
    > > > the large number of distributed SSH brute-force attacks on a server I
    > > > administer, trying to guess the password for 'root' and other accounts.
    > > > I think that my server is pretty secure; doesn't allow root to log in
    > > > through SSH, only a restricted number of accounts are allowed SSH
    > > > access, with I think pretty good passwords. But still, the attempts annoy

    > > me.
    > > >
    > > > I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    > > > This would slow the attempts. Is there any way to configure OpenSSH to
    > > > do this? I searched the archives of this group with 'slow' and 'delay'
    > > > but didn't come up with anything on this topic. Please point it out to
    > > > me if I overlooked anything. In addition, I can limit the number of
    > > > SSH connections to 3-5 and still operate okay.
    > > >
    > > > Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
    > > > RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.
    > > >
    > > > Thanks in advance for your advice and suggestions.
    > > >
    > > > -Kevin
    > > >
    > > > Kevin Zembower
    > > > Internet Services Group manager
    > > > Center for Communication Programs
    > > > Bloomberg School of Public Health
    > > > Johns Hopkins University
    > > > 111 Market Place, Suite 310
    > > > Baltimore, Maryland 21202
    > > > 410-659-6139
    > > >
    > > >
    > > > __________ NOD32 3255 (20080709) Information __________
    > > >
    > > > This message was checked by NOD32 antivirus system.
    > > > http://www.eset.com
    > > >
    > > >

    > >
    > >
    > > __________ NOD32 3257 (20080710) Information __________
    > >
    > > This message was checked by NOD32 antivirus system.
    > > http://www.eset.com
    > >
    > >

    >
    >



  9. RE: Deliberately create slow SSH response?

    Hi all,

    Actually, Kevin's idea makes sense: for a good password, a brute force attack easily reaches 100 000 attempts. Who will have the patience to wait 3 million seconds? That's more than 34 days of continuous attack. 30 seconds delay before requesting the password will discourage 99% of the script kiddies.

    Best regards,

    George Iacob

    -----Original Message-----
    From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Sergio Castro
    Sent: Thursday, July 10, 2008 11:53
    To: 'Fromm, Stephen (NIH/NIMH) [C]'; 'Zembower, Kevin'; secureshell@securityfocus.com
    Subject: RE: Deliberately create slow SSH response?

    Sure, by logic the attack will slow down. It won't prevent continuous attacks though. So my suggestion is, if the service is used only by certain IPs, then filter all others.



    -----Mensaje original-----
    De: Fromm, Stephen (NIH/NIMH) [C] [mailto:fromms@mail.nih.gov] Enviado el: Jueves, 10 de Julio de 2008 12:51 p.m.
    Para: Sergio Castro; Zembower, Kevin; secureshell@securityfocus.com
    Asunto: RE: Deliberately create slow SSH response?

    Yes, but if the attacker is coming from one point and takes 30 seconds for each attempt, versus 0.03 seconds...

    Stephen J. Fromm, PhD
    Contractor, NIMH/MAP
    (301) 451-9265



    -----Original Message-----
    From: Sergio Castro [mailto:sergio.castro@unicin.net]
    Sent: Wednesday, July 09, 2008 1:15 PM
    To: 'Zembower, Kevin'; secureshell@securityfocus.com
    Subject: RE: Deliberately create slow SSH response?

    The brute force attacks are most likely automated, so if your objective is to bore a human to death with 30 second delays, it wont' work.

    Have you thought about limiting access to the service to only certain IPs?

    - Sergio

    -----Mensaje original-----
    De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En nombre de Zembower, Kevin Enviado el: Miércoles, 09 de Julio de 2008 11:56 a.m.
    Para: secureshell@securityfocus.com
    Asunto: Deliberately create slow SSH response?

    This might seem like a strange question to ask, but is there a way to deliberately create a slow response to an SSH request? I'm annoyed at the large number of distributed SSH brute-force attacks on a server I administer, trying to guess the password for 'root' and other accounts.
    I think that my server is pretty secure; doesn't allow root to log in through SSH, only a restricted number of accounts are allowed SSH access, with I think pretty good passwords. But still, the attempts annoy me.

    I wouldn't mind if SSH took say 30 seconds to ask me for my password.
    This would slow the attempts. Is there any way to configure OpenSSH to do this? I searched the archives of this group with 'slow' and 'delay'
    but didn't come up with anything on this topic. Please point it out to me if I overlooked anything. In addition, I can limit the number of SSH connections to 3-5 and still operate okay.

    Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

    Thanks in advance for your advice and suggestions.

    -Kevin

    Kevin Zembower
    Internet Services Group manager
    Center for Communication Programs
    Bloomberg School of Public Health
    Johns Hopkins University
    111 Market Place, Suite 310
    Baltimore, Maryland 21202
    410-659-6139


    __________ NOD32 3255 (20080709) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com




    __________ NOD32 3257 (20080710) Information __________

    This message was checked by NOD32 antivirus system.
    http://www.eset.com


+ Reply to Thread