Why not utilize OpenVPN to tunnel to the network and allow only local
connections made to the ssh server?

It solves all my problems.

On Apr 2, 2011, at 2:09 AM, "Ward, Jon" <jon_w...@syntelinc.com> wrote:

> 1.) Great idea.
> 2.) This could be a massive impediment to legitimate automated connections.  
> Part of a process that would make large numbers of connections per unit of 
> time will be slowed unnecessarily.
> 3.) There are similar techniques implemented in many of today's 
> authentication mechanisms, but they only slow the retries after the first 
> attempt fails.  This effectively remedies the above problem while still 
> accomplishing the goal.
>
>
> Jon Ward, CEPT, CISA
> Vulnerability Testing Technical Lead
> Syntel, Inc.
> jon_w...@syntelinc.com
>
>
>
>
> -----Original Message-----
> From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On 
> Behalf Of nagygabor88
> Sent: Wednesday, March 30, 2011 2:20 PM
> To: OpenSSH list
> Subject: a GOOD idea to harden OpenSSH!
>
> I'm writing here, because the ssh dev list says:
>
> Mail Delivery Status Notification (Delay)
> [Status: Error, Address: <openssh-unix-...@mindrot.org>, ResponseCode 451, 
> Temporary failure, please try again later.]
>
> So:
>
> What is your opinion about the following idea? Please write down ++/-- thoughts:
>
> It's against brute-force attacks on sshd:
>
> If a user wants to connect to an ssh server, then he has to wait a couple of 
> seconds, then he can type his passphrase.
> The "couple of seconds" is defined in the sshd config, e.g. 2 seconds.
> The method mustn't show that the user has to wait 2 seconds to type his 
> passphrase.
>
> Important: the user could type in his password before the 2 seconds, but 
> sshd will only process the characters that have been typed after 2 seconds!
>
> Effect:
>
> In this way, if a brute-force "robot" comes and tries to log in with a 
> generated password, it will likely input that in a matter of milliseconds, OK.
> BUT: sshd will only give back that the password is bad, because it only 
> processes the password that has been typed 2 seconds after the "type 
> your password" prompt appears on the client side.
>
> If this idea spread, then the attackers would "adapt" and wait e.g. 5 
> seconds before their robot gives the generated password to sshd. BUT: this 
> will take them too many resources, and the brute force will be far less 
> effective.
>
> so can this be a feature in sshd? :O
>
> What do you think?
>
> Thank you!
>

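As an added example, not part of any message in this thread: the approach in the top reply (tunnel in over OpenVPN and let sshd accept only tunnel-side connections), written as an OpenSSH sshd_config drop-in, together with the standard knobs that throttle retries after a failed guess rather than delaying the prompt for everyone. The file path and the tunnel address 10.8.0.1 are assumptions about the VPN layout; the directives themselves are stock OpenSSH options.

```conf
# /etc/ssh/sshd_config.d/10-vpn-only.conf   (assumed path; OpenSSH 8.2+ reads
# this directory via the Include line shipped in the default sshd_config)

# Weak default: no ListenAddress, so sshd binds 0.0.0.0 and every bot on the
# Internet can reach the password prompt.
#ListenAddress 0.0.0.0

# Hardened: bind only to the OpenVPN tunnel address (assumed: tun0 = 10.8.0.1).
# Connections must first authenticate to OpenVPN, so the public interface
# never exposes sshd at all.
ListenAddress 10.8.0.1

# Throttle guessing per connection instead of slowing the first attempt:
# a client gets at most 3 authentication attempts and 30 seconds to finish
# before sshd drops the connection.
MaxAuthTries 3
LoginGraceTime 30

# start:rate:full -- once 10 unauthenticated connections are pending, refuse
# 30% of new ones, rising linearly to 100% at 60 pending. Keeps a robot from
# opening hundreds of parallel sessions to sidestep the per-connection limit.
MaxStartups 10:30:60

# Over the tunnel, require keys; with no password to guess, the brute-force
# question goes away entirely.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
```

Check the result with `sshd -t` before restarting, and keep an existing session open while you do so: a typo in ListenAddress means sshd fails to start rather than falling back to all interfaces.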