
mdtancsa | 1 year ago

I suspect the distributed cracking will move to the same pattern as the SMTP/POP3 brute-force guys did and use one IP per x+1 seconds, where x = the ssh penalty window. We have seen this on our customer-facing SMTP server, where we have hundreds of remote compromised IPs each trying one password per 30-60 min. Still, I welcome this change, as there are enough single-prick attackers out there that this will help cut down on the size of the logs to process / digest.


catkitcourt | 1 year ago

Actually, this already is the SOTA of cracking. My honeypot can see several different IPs brute-forcing concurrently, and they seem unrelated. But once you let one of them log in, it will quit immediately and all those IPs will go quiet after ~15 sec. Then one of those IPs will log in again to deploy a miner.
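The pattern mdtancsa and catkitcourt describe (many source IPs, each trying one password per penalty window, then going quiet once one of them gets in) is exactly what a per-IP rule like fail2ban's, or a per-source penalty in sshd, cannot see: every address stays under the threshold. The defensive response is to correlate across sources. The following Python script is an added example, not code from the thread or from OpenSSH or fail2ban: it runs a fail2ban-style per-IP rule and a per-account, cross-IP sliding-window rule over constructed sshd-style log lines, and separately flags an accepted login to an account that had just drawn failures from many distinct IPs. The log lines, addresses (documentation ranges), timestamps and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (not taken from the thread). Addresses are
# from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
2024-08-14T09:00:00 sshd[2201]: Failed password for alice from 203.0.113.7 port 50110 ssh2
2024-08-14T09:00:30 sshd[2201]: Accepted password for alice from 203.0.113.7 port 50110 ssh2
2024-08-14T10:00:00 sshd[2310]: Failed password for root from 198.51.100.11 port 40001 ssh2
2024-08-14T10:05:00 sshd[2315]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
2024-08-14T10:05:10 sshd[2316]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
2024-08-14T10:05:20 sshd[2317]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
2024-08-14T10:10:00 sshd[2320]: Failed password for root from 198.51.100.12 port 40002 ssh2
2024-08-14T10:20:00 sshd[2330]: Failed password for root from 198.51.100.13 port 40003 ssh2
2024-08-14T10:30:00 sshd[2340]: Failed password for root from 198.51.100.14 port 40004 ssh2
2024-08-14T10:40:00 sshd[2350]: Failed password for root from 198.51.100.15 port 40005 ssh2
2024-08-14T10:50:00 sshd[2360]: Failed password for root from 198.51.100.11 port 40006 ssh2
2024-08-14T11:00:00 sshd[2370]: Accepted password for root from 198.51.100.13 port 40007 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse(text):
    """Turn raw log text into sorted (timestamp, result, user, ip) tuples; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return sorted(events)


def per_ip_offenders(events, maxretry=3, findtime=600):
    """fail2ban-style rule: an IP is banned once it fails `maxretry` times within `findtime` seconds.
    One attempt per IP per penalty window never trips this, which is the thread's point."""
    recent = defaultdict(deque)
    banned = set()
    for ts, result, _user, ip in events:
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop attempts older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def distributed_campaigns(events, window=3600, min_ips=5):
    """Per account, the largest number of distinct source IPs seen failing within any `window`
    seconds. Returns only accounts at or above `min_ips`: the cross-IP pattern per-IP rules miss."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, result, user, ip in events:
        if result != "Failed":
            continue
        q = recent[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        peak[user] = max(peak[user], len({src for _t, src in q}))
    return {user: n for user, n in peak.items() if n >= min_ips}


def suspicious_successes(events, window=3600, min_ips=5):
    """Accepted logins to an account that, in the preceding `window` seconds, drew failures from
    at least `min_ips` distinct IPs: the 'one of them gets in, the rest go quiet' moment to alert on."""
    failures = defaultdict(list)  # user -> [(ts, ip)] of failed attempts seen so far
    hits = []
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[user].append((ts, ip))
            continue
        sources = {src for t, src in failures[user] if (ts - t).total_seconds() <= window}
        if len(sources) >= min_ips:
            hits.append((ts.isoformat(), user, ip))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-IP bans:", per_ip_offenders(ev))
    print("distributed campaigns:", distributed_campaigns(ev))
    print("suspicious successes:", suspicious_successes(ev))
```

On the constructed input, the per-IP rule bans only the noisy single source (three failures in twenty seconds) and never touches the six root attempts spread across five addresses at ten-minute intervals, while the per-account rule flags root with five distinct sources in one hour and the final accepted root login is reported because of the failures that preceded it. The thresholds are illustrative; on a real server the account-level rule should be tuned against the normal number of distinct client addresses per user, or it will fire on shared accounts behind carrier-grade NAT.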

superjan | 1 year ago

Next level: let them login and forward the ssh connection to the digital equivalent of a room full of mirrors.

iforgotpassword | 1 year ago

This is already the practice in my experience. Fail2ban became completely useless for ssh about 5~6 years ago. Always just one to three tries per IP address.

So looks like this openssh feature is a decade late.

lathiat | 1 year ago

That doesn’t make it useless. It still severely limits the rate of brute force versus having no limit.