Wojciech Puchar wrote:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking
> 10 character password consisting of just small letters and digits needs
10 characters is a longer than usual password. Most people have been
conditioned into using a 7 or 8 character password, which is at least a
thousand times easier to crack using your measure. (Still a pretty big
possible space though.)

> 36^10=3656158440062976 possible passwords, and over 11 million years to
> check all possibilities, so say 100000 years if someone is really lucky
> and will get it after checking 1% possible password.

There is a very big flaw in your analysis here. You're assuming that the
passwords people might use are randomly and evenly distributed over the
whole possible password space. That is simply untrue. A lot of people --
perhaps the majority -- will use a password consisting of an English word,
possibly with StUdLy CaPs or 3lite SP3LL1NG and with some random extra
characters!*99 tacked on[*]. That's a whole lot smaller search space -- and
it must be possible to brute-force passwords or it wouldn't be worthwhile
for the brute-force attackers to keep trying.

Agreed however that if people can be educated to use good passwords then a
brute force attack like this really is unfeasible. I like apg(1) for
generating passwords where there is no alternative to using strong crypto.

> Of course - you must not look at logs in 100000 years and not see this
> 10 attempts per second.

Sure. My experience is that any machine on the internet with a port 22
listener will attract about 2 to 5 brute force attackers a day -- that is,
a sequence of brute force attempts originating from 2 -- 5 independent IPs
per day. In fact, given that you have taken reasonable measures like using
ssh keys exclusively or enforcing strong passwords then the biggest
problems caused by these sorts of attacks are the drain on system
resources and the excess verbiage in log files. Getting rid of that is why
I like to implement connection-rate based SSH blocking via pf(4) -- not
because it gives any extra security.
> I give this example against common paranoia that exist on that group -
> mix of real "security paranoid" persons and pseudo-experts that like to
> repeat "intelligent" phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

Absolutely true. Mitnick was an early exponent of Social Engineering
attacks, which are still the easiest and most effective methods for
breaking computer security.

Now, if we could just get rid of all the users, our lives as Sys Admins
would be a whole lot easier...

Cheers,

Matthew

[*] It's amazing how many people, when you tell them to use a mix of upper
and lower case letters, just capitalize the *first* letter of their
password.

-- 
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
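The connection-rate based SSH blocking Matthew mentions, written out as an added pf.conf example (not a rule set from the thread); the interface macro, table name and thresholds are assumptions:

```pf
# Added example: per-source rate limiting of new SSH connections with pf(4).
# Interface name, table name and thresholds are assumptions, not from the thread.
ext_if = "em0"

# Sources that exceed the rate are collected here; 'persist' keeps the
# table alive even when no loaded rule references it.
table <ssh_bruteforce> persist

# Drop everything from listed offenders; 'quick' stops further evaluation.
block in quick on $ext_if from <ssh_bruteforce>

# Allow SSH but track state per source address: more than 5 new connections
# in 30 seconds, or more than 10 concurrent connections, adds the source to
# the table and flushes all of its existing states ('flush global').
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh_bruteforce> flush global)
```

Table entries do not age out by themselves, so a cron job running `pfctl -t ssh_bruteforce -T expire 86400` clears entries older than a day, and `pfctl -t ssh_bruteforce -T show` lists who is currently blocked.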