OpenSSH max auth tries issue
Jason Hellenthal
jhellenthal at dataix.net
Sun Jul 19 00:57:04 UTC 2015
It wouldn't pass the pf overload rules if set correctly, that's just obvious. ipfw on the other hand I'm not that conversant with, and with the lack of named tables I would think it isn't going to catch it like pf would.
It's trivial to just adjust the defaults for the server to 3 login attempts and from my perspective there should not be any negative community impact of such. I've been changing it from the default of 5-6 to 3 for years as a higher value just doesn't make logical sense.
Personally I would also like to see some defaults set for MaxStartups, which is not on by default. 10:30:100 seems to be the default but I'd rather see something more along the lines of 5:15:30, which has worked out quite well for my instances that accept inward connections for shell access, along with the pf overload rules that I will not live without and MaxAuthTries 3.
Sorry for the top-post, some clients just don’t work that way ;)
--
Jason Hellenthal
JJH48-ARIN
On Jul 18, 2015, at 18:10, Mark Felder <feld at FreeBSD.org> wrote:
> On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
>> Not sure if others have seen this yet
>> ------------------
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>> "OpenSSH has a default value of six authentication tries before it will
>> close the connection (the ssh client allows only three password entries
>> per default).
>> With this vulnerability an attacker is able to request as many password
>> prompts limited by the “login graced time” setting, that is set to two
>> minutes by default."
>
> Does it produce multiple entries in the server logs? I'm curious if
> sshguard etc would detect this. If I understand what's going on, this
> might appear as if it's a single "session" and be able to bypass pf
> overload rules. I'll have to play around with it and see what it does.
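As an added example (not code from this thread, from OpenSSH, or from FreeBSD), the Python below audits an sshd_config for the two settings discussed above and models what a MaxStartups value actually does. Assumptions: the sample config is constructed for the demo; 6 and 10:30:100 are OpenSSH's compiled-in defaults of that era; the parser only reads the global section (it stops at the first Match block); and drop_probability() reproduces the integer arithmetic of sshd's drop_connection() (0% below start, 100% at or above full, linear from rate to 100% in between).

```python
import re

# OpenSSH compiled-in defaults relevant to this thread (assumed 6.x era).
DEFAULT_MAX_AUTH_TRIES = 6
DEFAULT_MAX_STARTUPS = "10:30:100"

# Constructed sample config (not from any real host). The second
# MaxAuthTries line is the trap: sshd keeps the FIRST value it sees for a
# keyword, so the hardened "3" appended at the bottom is silently ignored.
SAMPLE_CONFIG = """
# sshd_config
Port 22
MaxAuthTries 6
PermitRootLogin no
# added later by an admin who did not notice the line above
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: [values]}.

    Keywords are case-insensitive and may be separated from their value by
    whitespace or '='. Values are kept in file order; sshd uses values[0].
    Parsing stops at the first Match block (assumption: global audit only).
    """
    occurrences = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        occurrences.setdefault(key, []).append(value)
    return occurrences


def parse_max_startups(spec):
    """Return (start, rate, full) from a MaxStartups value.

    "start:rate:full" is the three-field form; a bare number n means
    refuse every new connection once n unauthenticated ones exist.
    """
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", spec)
    if m:
        start, rate, full = (int(x) for x in m.groups())
    else:
        full = int(spec)
        start, rate = full, 100
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError("invalid MaxStartups value: %r" % spec)
    return start, rate, full


def drop_probability(unauth_connections, spec):
    """Percent chance sshd refuses a new connection while `unauth_connections`
    are already sitting unauthenticated (integer math as in sshd)."""
    start, rate, full = parse_max_startups(spec)
    n = unauth_connections
    if n < start:
        return 0
    if n >= full:
        return 100
    return rate + (100 - rate) * (n - start) // (full - start)


def audit(text, max_auth_tries_limit=3):
    """Return a list of human-readable findings for the brute-force knobs."""
    cfg = parse_sshd_config(text)
    findings = []
    for key in ("maxauthtries", "maxstartups"):
        values = cfg.get(key, [])
        if len(set(values)) > 1:
            findings.append("%s appears %d times; sshd uses the first (%s) and ignores %s"
                            % (key, len(values), values[0], values[1:]))
    tries = int(cfg.get("maxauthtries", [str(DEFAULT_MAX_AUTH_TRIES)])[0])
    if tries > max_auth_tries_limit:
        findings.append("MaxAuthTries effective value %d exceeds %d" % (tries, max_auth_tries_limit))
    if "maxstartups" not in cfg:
        findings.append("MaxStartups not set; compiled-in default %s applies" % DEFAULT_MAX_STARTUPS)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
    # Compare the default curve with the 5:15:30 suggested in the thread.
    print("unauth  10:30:100  5:15:30")
    for n in (4, 5, 9, 10, 17, 30, 55, 100):
        print("%6d %9d%% %7d%%" % (n, drop_probability(n, "10:30:100"),
                                   drop_probability(n, "5:15:30")))
```

Two practical points the output makes visible: a MaxAuthTries line added at the end of a file that already sets it earlier changes nothing, so verify the effective value with `sshd -T | grep -i maxauthtries` rather than by reading the file; and MaxStartups only counts connections still unauthenticated, which is exactly the state an attacker exploiting the bypass in the linked post keeps a connection in for the whole LoginGraceTime, so a lower full value (30 instead of 100) caps how many such connections can be held open at once.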