OpenSSH max auth tries issue
Roger Marquis
marquis at roble.com
Tue Jul 21 13:40:59 UTC 2015
Brett Glass wrote:
> Because a potential intruder can establish multiple or "tag-teamed" TCP
> sessions (possibly from different IPs) to the SSH server, a per-session limit
> is barely useful and will not slow a determined attacker. A global limit
> might, but would enable DoS attacks.
If you run sshd under inetd, the "-C" flag will enforce rate limits on a
per-IP basis. Still vulnerable to resource exhaustion under a DDoS,
perhaps, but it would have to be a serious effort.
Considering the potential interactions between inetd.conf, login.conf,
sshd_config and perhaps fail2ban or portsentry, it's surprising there
isn't more documentation on this important topic.
Roger
>>
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> "OpenSSH has a default value of six authentication tries before it will
>> close the connection (the ssh client allows only three password entries
>> per default).
>>
>> With this vulnerability an attacker is able to request as many password
>> prompts limited by the "login graced time" setting, that is set to two
>> minutes by default."
>>
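The setup Roger describes (sshd invoked from inetd with per-IP connection limits) next to the sshd_config knobs the quoted post names (MaxAuthTries, LoginGraceTime), as an added example that is not part of the thread or of any FreeBSD or OpenSSH documentation. It stages the three files under a scratch directory rather than touching /etc, so the result can be diffed and reviewed before installation. The concrete limits (10 new sessions per IP per minute, 5 concurrent per IP, LoginGraceTime 30, MaxAuthTries 3) and the key-only login policy are assumptions chosen for illustration; the inetd.conf field syntax and the -C flag are FreeBSD inetd(8) features.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages FreeBSD config for running
# sshd under inetd with per-IP rate limits, plus a hardened sshd_config
# fragment. Writes under $STAGE (a scratch dir by default), never /etc.
# All numeric limits below are assumptions; tune them for your site.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# /etc/rc.conf: enable inetd. FreeBSD's default inetd_flags already carry
# "-C 60" (60 invocations per source IP per minute for every service that
# has no per-service limit); tighten the default here.
write_rc_conf() {
    mkdir -p "$STAGE/etc"
    cat > "$STAGE/etc/rc.conf" <<'EOF'
inetd_enable="YES"
inetd_flags="-wW -C 20"
EOF
}

# /etc/inetd.conf: the wait/nowait field accepts optional limits
#   nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip
# Here: unlimited total children (0), at most 10 new sessions per source IP
# per minute, at most 5 concurrent sessions per source IP. The per-service
# value overrides the global -C default. "sshd -i" tells sshd it is being
# run from inetd (the socket is on stdin/stdout).
write_inetd_conf() {
    mkdir -p "$STAGE/etc"
    cat > "$STAGE/etc/inetd.conf" <<'EOF'
ssh   stream  tcp   nowait/0/10/5  root  /usr/sbin/sshd  sshd -i
ssh   stream  tcp6  nowait/0/10/5  root  /usr/sbin/sshd  sshd -i
EOF
}

# /etc/ssh/sshd_config fragment. LoginGraceTime bounds how long a single
# connection can keep requesting prompts; MaxAuthTries still caps ordinary
# attempts; disabling challenge-response (keyboard-interactive) removes the
# vector entirely, which is acceptable only if logins are key-based
# (assumed here: PasswordAuthentication no, PubkeyAuthentication yes).
write_sshd_config() {
    mkdir -p "$STAGE/etc/ssh"
    cat > "$STAGE/etc/ssh/sshd_config" <<'EOF'
# weak (upstream defaults at the time of the thread):
#   LoginGraceTime 120
#   MaxAuthTries 6
#   ChallengeResponseAuthentication yes
# hardened:
LoginGraceTime 30
MaxAuthTries 3
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Read the staged settings back out, so the result can be checked before
# the files are copied into place.
per_ip_per_minute() {
    # field 4 is "nowait/0/10/5"; element 3 is the per-IP-per-minute limit
    awk '$1=="ssh" && $3=="tcp" {split($4,a,"/"); print a[3]; exit}' \
        "$STAGE/etc/inetd.conf"
}
sshd_setting() {
    # first non-comment line whose keyword matches $1; comment lines start
    # with "#" in field 1 and therefore never match
    awk -v k="$1" '$1==k {print $2; exit}' "$STAGE/etc/ssh/sshd_config"
}

write_rc_conf
write_inetd_conf
write_sshd_config
echo "staged configuration under $STAGE"
```

Once reviewed, the staged files are copied to /etc, sshd_enable is set to NO in rc.conf so the standalone daemon and the inetd-spawned one do not both bind port 22, and inetd is (re)started. The per-IP limit only slows an attacker spreading attempts across many source addresses, which is the gap Brett points out; the LoginGraceTime and challenge-response settings are what close the per-connection bypass itself.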
More information about the freebsd-security mailing list