Bugtraq mailing list archives

Re: Strengthen OpenSSH security?

From: MaddHatter <maddhatt+bugtraq () cat pdx edu>
Date: Wed, 19 Apr 2006 21:33:38 -0700

Brett Glass <brett () lariat org> said (on 2006/04/17):

To: bugtraq () securityfocus com
From: Brett Glass <brett () lariat org>
Subject: Strengthen OpenSSH security?

...
It seems to me that sshd should not tip its hand by returning
different responses ...


I agree. I also wish OpenSSH would implement the same security measures
already available in other SSH servers and authentication products --
a dynamic black list. The idea is simple, but effective: connections
from IP addresses that have failed to authenticate X times in the last
Y minutes are refused for Z minutes. For adequate values of Y and Z,
brute force attacks quickly lose feasibility.

Current thread:

Strengthen OpenSSH security? Brett Glass (Apr 19)
- Re: Strengthen OpenSSH security? Mike Hoskins (Apr 20)
- Re: Strengthen OpenSSH security? Carson Gaspar (Apr 20)
  - Re: Strengthen OpenSSH security? Theo de Raadt (Apr 21)
- Re: Strengthen OpenSSH security? Kd (Apr 20)
- Re: Strengthen OpenSSH security? MaddHatter (Apr 20)
- Re: Strengthen OpenSSH security? Damien Miller (Apr 20)
- Re: Strengthen OpenSSH security? c0redump (Apr 20)
- <Possible follow-ups>
- Re: Strengthen OpenSSH security? Bob Goodman (Apr 23)