[Discuss] ssh keys question
Dan Ritter
dsr at randomstring.org
Sat Jun 18 05:52:34 EDT 2016
On Sat, Jun 18, 2016 at 01:01:32AM -0400, Bill Ricker wrote:
> But that still leaves me with executing the 2^32 dictionary attack.
>
> Which is likely only interesting if i've stolen all your users' hashes
> already and you have poor salts and hashes so i can rainbow table to find
> multiple users at once. Doing 2^32 trials coming in the front door of a
> server is likely to get noticed as a DOS, aside from taking literally
> forever.
This works pretty well *if*:
- you really do rate-limit incoming connections. If you didn't
do that right, the rate-limit becomes your total bandwidth during
the period of time that you don't notice the attack. Do you have
suitable monitors set up? Can they alert you? Do you pay attention to
such alerts?
- you rate-limit other authenticated services, too. Got a mail
server running? Your POP3 or IMAP4 needs to be rate-limited or do
authentication completely separately from the system method.
- you don't run any nonauthenticated services that might have a flaw that
allows an attacker to read /etc/shadow. (Everyone uses shadow passwords
these days, right? No legacy systems without it?) Most web servers
are good about this, but then they let all sorts of things run via CGI,
php-fm, mod-perl, whatever. All of those are attackable areas.
- all your users are as good and conscientious as you are. This
is easiest if they don't exist. AllowUsers, one by one, is a
good move, too.
-dsr-
More information about the Discuss
mailing list