I got a packet capture of one of the SSH2 sessions trying to log in as a couple of illegal usernames. The contents of one packet suggests an attempt to buffer overflow the SSH server; ethereal's SSH decoding says "overly large value". It didn't seem to work against my system (I see no strange processes running; all files changed in the past ten days look normal). I am cross-posting this message and the attached tcpdump packet capture file to the following places to let better people than I analyze it:

openssh-unix-dev at mindrot.org
secureshell at securityfocus.com
full-disclosure at lists.netsys.com
vulnwatch at vulnwatch.org

-Jay Libove, CISSP
Jay Libove
2004-Dec-15 12:42 UTC
Time to add exponential backoff for SSH interactive login failures?
With the growing number of username/password pairs being tried by the low level SSH attack which we've all seen in the past few months (I am now seeing some series of attempted logins through SSH which try fifty-plus different IDs, some with more than one password; I've seen 60 hits on "root" in a row), I propose that it is time to add exponential backoff for SSH interactive login failures.

Configurably in 'sshd_config' and/or on the sshd command line, a new option would set the delay suffered after the first failed login on a given connection before the next prompt would appear, along with the multiplier for subsequent delays. e.g. 'sshd -eat_this_delay_you_attackers 5 2' .. would result in an SSH daemon running where an attacker would experience a five second delay after the first failed interactive login attempt before the next password prompt came up, then a ten second delay after the second, a twenty second delay after the third, etc. up until the existing authentication timeout value is reached and the connection is closed.

This would reduce the effectiveness of any kind of brute force attack against SSH, and would reduce the impact on our systems by slowing the number of authentication attempts per unit time.

Discussion, pros/cons?

Thanks
-Jay Libove, CISSP
libove at felines.org
Atlanta, GA, US