OpenSSH max auth tries issue

Roger Marquis marquis at roble.com
Tue Jul 21 13:40:59 UTC 2015


Brett Glass wrote:
> Because a potential intruder can establish multiple or "tag-teamed" TCP 
> sessions (possibly from different IPs) to the SSH server, a per-session limit 
> is barely useful and will not slow a determined attacker. A global limit 
> might, but would enable DoS attacks.

If you run sshd under inetd the "-C" flag will enforce rate limits on a
per-IP basis.  Still vulnerable to resource exhaustion under a DDoS,
perhaps, but it would have to be a serious effort.

Considering the potential interactions between inetd.conf, login.conf,
sshd_config and perhaps fail2ban or portsentry it's surprising there
isn't more documentation on this important topic.

Roger


>> 
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>> 
>> "OpenSSH has a default value of six authentication tries before it will
>> close the connection (the ssh client allows only three password entries
>> per default).
>> 
>> With this vulnerability an attacker is able to request as many password
>> prompts limited by the "login graced time" setting, that is set to two
>> minutes by default."
>>

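Added example, not from the thread or from the OpenSSH or FreeBSD projects: a small sh script that audits an sshd_config for the three settings this thread turns on (ChallengeResponseAuthentication, which enables the keyboard-interactive method the linked post abuses, MaxAuthTries and LoginGraceTime) and prints the rc.conf/inetd.conf lines that put a per-IP connection-rate limit in front of sshd as Roger describes. It assumes FreeBSD inetd(8) syntax, OpenSSH 6.x option names, plain-seconds values for LoginGraceTime, and no Match blocks; the two config files are constructed samples, not real hosts.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumptions: FreeBSD inetd(8)
# field syntax, OpenSSH 6.x keyword names (ChallengeResponseAuthentication,
# not the newer KbdInteractiveAuthentication), LoginGraceTime given in plain
# seconds (suffixes such as "2m" are not parsed here), no Match blocks.

# Effective value of one sshd_config keyword. sshd takes the first match,
# keywords are case-insensitive, '#' lines are comments. $3 is the sshd
# default to report when the keyword is absent.
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when the config bounds a per-connection password guess run,
# 1 otherwise; prints one line per finding. Thresholds are this example's
# own choice, not OpenSSH recommendations.
audit_sshd_config() {
    cfg=$1 bad=0
    kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)
    tries=$(sshd_opt "$cfg" MaxAuthTries 6)
    grace=$(sshd_opt "$cfg" LoginGraceTime 120)
    if [ "$kbd" != no ]; then
        echo "ChallengeResponseAuthentication=$kbd: keyboard-interactive enabled (the method the linked post brute-forces)"
        bad=1
    fi
    if [ "$tries" -gt 3 ]; then
        echo "MaxAuthTries=$tries: more than 3 auth attempts per connection"; bad=1
    fi
    if [ "$grace" -gt 30 ]; then
        echo "LoginGraceTime=$grace: an unauthenticated connection may stay open ${grace}s"; bad=1
    fi
    return $bad
}

# The inetd side of Roger's suggestion. -C sets the default per-IP
# connections-per-minute limit; a service line can override it with the
# wait field's extra components: nowait/max-child/max-cpm/max-child-per-ip
# (0 = unlimited). sshd must be started with -i under inetd.
inetd_ratelimit_snippet() {
    cat <<'EOF'
# /etc/rc.conf
sshd_enable="NO"
inetd_enable="YES"
inetd_flags="-wW -C 60"
# /etc/inetd.conf  (10 connections/minute per source IP, 3 children per IP)
ssh	stream	tcp	nowait/0/10/3	root	/usr/sbin/sshd	sshd -i
EOF
}

# Constructed sample configs: stock-looking defaults vs. a hardened file.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: everything left at sshd defaults
#MaxAuthTries 6
#LoginGraceTime 120
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
# constructed sample: hardened
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "ok: per-connection guessing is bounded"
done
echo "== inetd rate limit"
inetd_ratelimit_snippet
```

The audit reports the sshd default for every keyword that is only present as a comment, which is what makes the first sample fail: nothing in it is wrong as such, it is simply unchanged. The inetd limit is per source IP, so the "tag-teamed" sessions Brett describes still get through from many addresses; it bounds the rate per address, not the total.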

More information about the freebsd-security mailing list