Slashdot Mirror


The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds

badger.foo writes "Remember the glacially slow Hail Mary Cloud SSH bruteforcers? They're doing speedup tweaks and are preparing a comeback, some preliminary data reported by Peter Hansteen appear to indicate. The optimum rate of connections seems to be 1 per ten seconds, smack in the middle of the 'probably human' interval."

2 of 167 comments

  1. Passwords are for philistines by halber_mensch · Score: 5, Informative

    RSA keypair auth, disable password auth, bruteforcers irrelevant.

    --
    perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
  2. I have a portknocking setup by ledow · Score: 5, Interesting

    I have a portknocking setup. All your packets bounce when you touch my port 22 until you have touched a "magic sequence" of port numbers first. That sequence can be cryptographically strong, time-dependent, etc. but even a simple one-port knock is enough to stop all this random SSH spam and has been for years.

    And if you do "get lucky" and find the right ports and then detect that port 22 is open and then start a brute-force on that? Public-key-only authentication and no root logins allowed.

    Impact on me? Another line in a shell script that I use to connect (and hell, even Android has free port-knocking apps, not to mention them being standard-enough to be in Ubuntu/Debian). Impact on server? Greatly reduced number of fake connections bouncing off iptables and a tiny little daemon that does nothing but listen on the ports I need (and can ONLY open the SSH port even if compromised). Impact on brute-forcers? They might as well give up and go home.

    Even those remote companies that we do allow to port-forward direct to their device on my work network (e.g. telecoms providers, etc.) understand it and "knock" before they come in (which tells us exactly when they are about to log in), while everyone else in the world sees closed ports.

    Why everyone doesn't use it, I have no idea. Even our VPN users have an automated script that just knocks to open the VPN ports (and only the VPN ports) before they connect. Transparent to them, invisible to everyone else, no different if "compromised".