Steps to reproduce:
1) PermitRootLogin no in sshd_config
2) login with "root" user from other host

Present behaviour:
1) it asks for password 3 times and only then closes the connection.
2) cpu consumption during bruteforce "attacks".

Expected behaviour:
Immediate disconnect/login fail

Workarounds are to change the ssh port, or to ban an IP after some login failures, or to limit which IPs can connect to this port or the number of connections per IP per unit of time using a firewall. All of them have disadvantages.

I use patched version 6.7_p1-r3 from Gentoo portage. But I guess it's unlikely that this behaviour is affected by the patches.
Damien Miller
2015-Feb-21 21:02 UTC
"PermitRootLogin no" should not proceed with root login
On Sat, 21 Feb 2015, tot-to wrote:

> Steps to reproduce:
> 1) PermitRootLogin no in sshd_config
> 2) login with "root" user from other host
>
> Present behaviour:
> 1) it asks for password 3 times and only then closes the connection.
> 2) cpu consumption during bruteforce "attacks".

This is intentional behaviour. The intention is to not give clues as
to which accounts may be valid for login.

> Expected behaviour:
> Immediate disconnect/login fail

If you want this, then use:

Match user root
	MaxAuthTries 0
Hi Damien,

Thank you for the explanation and for suggesting the option that does exactly what I want. The intention looks reasonable to me.

I actually have a related question about the reasoning: why is "PermitRootLogin no" not the default option? That would be much more secure and would make such brute-force attacks useless, or at least much less effective, for most users.

On Sun, 22 Feb 2015 08:02:11 +1100 (AEDT)
Damien Miller <djm at mindrot.org> wrote:

> On Sat, 21 Feb 2015, tot-to wrote:
>
> > Steps to reproduce:
> > 1) PermitRootLogin no in sshd_config
> > 2) login with "root" user from other host
> >
> > Present behaviour:
> > 1) it asks for password 3 times and only then closes the connection.
> > 2) cpu consumption during bruteforce "attacks".
>
> This is intentional behaviour. The intention is to not give clues as
> to which accounts may be valid for login.
>
> > Expected behaviour:
> > Immediate disconnect/login fail
>
> If you want this, then use:
>
> Match user root
> 	MaxAuthTries 0
>
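The following is an added example, not code from this thread or from OpenSSH: a small audit script that reads an sshd_config text and reports whether the combination Damien suggests (PermitRootLogin no plus a "Match User root" block setting MaxAuthTries 0) is in effect for a connection claiming to be root. The two sshd_config samples are constructed for the example; the parser covers only the subset of sshd_config syntax needed here (leading-# comments, global keywords, Match blocks with a User criterion) and approximates sshd's own rules rather than reimplementing them.

```python
"""Audit an sshd_config for the root-login settings discussed in the thread.

Added example; the config samples below are constructed, not taken from any
real host. Only the sshd_config subset needed for this check is parsed.
"""

from __future__ import annotations

import fnmatch

# Constructed sample: root login refused, but MaxAuthTries left at sshd's default,
# so a client offering "root" still gets several password prompts.
SAMPLE_DEFAULT = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sample: the addition suggested in the thread.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes

Match User root
    MaxAuthTries 0
"""

Settings = dict[str, str]
MatchBlock = tuple[Settings, Settings]  # (criteria, settings)


def parse_sshd_config(text: str) -> tuple[Settings, list[MatchBlock]]:
    """Split sshd_config text into global settings and Match blocks.

    Keywords are lower-cased (sshd keywords are case-insensitive). As in sshd,
    the first value obtained for a keyword within a section is kept.
    Only lines whose first token starts with '#' are comments.
    """
    global_settings: Settings = {}
    match_blocks: list[MatchBlock] = []
    current: Settings | None = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""

        if keyword == "match":
            # "Match User root Address 10.0.0.0/8" -> {"user": "root", "address": "10.0.0.0/8"}
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
            continue

        target = current if current is not None else global_settings
        target.setdefault(keyword, value)

    return global_settings, match_blocks


def _criteria_match(criteria: Settings, user: str) -> bool:
    """Evaluate a Match block's criteria for a connection by `user`.

    Only the User criterion is modelled; blocks with other criteria are treated
    as non-matching so the audit never over-claims that a restriction applies.
    The comma-separated wildcard list is approximated with fnmatch.
    """
    if set(criteria) != {"user"}:
        return False
    return any(fnmatch.fnmatchcase(user, pat) for pat in criteria["user"].split(","))


def effective_setting(user: str, keyword: str, global_settings: Settings,
                      match_blocks: list[MatchBlock], default: str) -> str:
    """Resolve `keyword` for a connection by `user`.

    Match blocks are consulted in file order; the first matching block that
    sets the keyword wins, then the global value, then the supplied default.
    """
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if _criteria_match(criteria, user) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword, default)


def audit_root_password_auth(config_text: str) -> dict[str, str | bool]:
    """Report the effective PermitRootLogin and MaxAuthTries for user root.

    The PermitRootLogin default is version-dependent ("yes" before OpenSSH 7.0,
    "prohibit-password" since), so an unset value is reported as "unset" rather
    than guessed. MaxAuthTries defaults to 6.
    """
    global_settings, match_blocks = parse_sshd_config(config_text)
    permit_root = effective_setting("root", "PermitRootLogin", global_settings, match_blocks, "unset")
    max_tries = effective_setting("root", "MaxAuthTries", global_settings, match_blocks, "6")
    return {
        "permit_root_login": permit_root,
        "root_max_auth_tries": max_tries,
        "root_attempts_rejected_immediately": permit_root.lower() == "no" and max_tries == "0",
    }


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_root_password_auth(sample))
```

On a real host the authoritative check is sshd's own dump of the effective configuration for a given connection, for example `sshd -T -C user=root`, which applies the Match blocks exactly as the daemon would; the script above is for reviewing config files offline.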