It wouldn't pass the pf overload rules if set correctly, that's just obvious. ipfw on the other hand I'm either not that conversed on and with the lack of named tables I would think it isn't going to catch it like pf would.
It's trivial to just adjust the defaults for the server to 3 login attempts and from my perspective there should not be any negative community impact of such. I've been changing it from the default of 5-6 to 3 for years as a higher value just doesn't make logical sense. Personally I would like to also see some defaults set of the MaxStartups which is not on by default. 10:30:100 seems to be the default but I'd rather see something more along the likes of 5:15:30 which has worked out quite well for my instances that accept inward connections for shell access along with the pf overload rules that I will not live without and along with the MaxAuthTries 3.

Sorry for the top-post, some clients just don't work that way ;)

-- 
Jason Hellenthal
JJH48-ARIN

> On Jul 18, 2015, at 18:10, Mark Felder <f...@freebsd.org> wrote:
>
> On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
>> Not sure if others have seen this yet
>>
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> "OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default). With this vulnerability an attacker is able to request as many password prompts limited by the "login graced time" setting, that is set to two minutes by default."
>
> Does it produce multiple entries in the server logs? I'm curious if sshguard etc would detect this. If I understand what's going on, this might appear as if it's a single "session" and be able to bypass pf overload rules. I'll have to play around with it and see what it does.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
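Mark's question in the thread (does each extra prompt land in the server log, and would it look like a single session to pf's per-source connection counters) is the check a defender would run against the auth log. The following is an added example, not code from the thread or from OpenSSH/pf: it assumes sshd emits one "Failed keyboard-interactive/pam ... from IP port N ssh2" line per failed prompt, the log lines and thresholds are constructed, and it keys failures on the (ip, port) pair, i.e. one TCP connection, so that many failures inside one long-lived connection are flagged even though the connection count a pf overload rule watches never grows.

```python
import re
from collections import defaultdict

# OpenSSH logs one line per failed keyboard-interactive (PAM) prompt; this example
# assumes every prompt the client fails produces such a line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed keyboard-interactive/pam for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
MAX_AUTH_TRIES = 3   # the sshd_config value suggested in the thread
CONN_LIMIT = 5       # stands in for a pf overload threshold (e.g. max-src-conn-rate)
# Constructed sample: 192.0.2.10 keeps ONE connection (port 40001) open and fails
# eight prompts in it; 198.51.100.7 opens two ordinary connections, one failure each.
SAMPLE_LOG = "\n".join(
    ["Jul 18 18:10:%02d host sshd[1234]: Failed keyboard-interactive/pam for root "
     "from 192.0.2.10 port 40001 ssh2" % s for s in range(1, 9)]
    + ["Jul 18 18:11:05 host sshd[1300]: Failed keyboard-interactive/pam for "
       "invalid user admin from 198.51.100.7 port 50001 ssh2",
       "Jul 18 18:11:09 host sshd[1301]: Failed keyboard-interactive/pam for "
       "alice from 198.51.100.7 port 50002 ssh2"]
)

def failed_attempts(log_text):
    """Yield (ip, port, user) for every failed keyboard-interactive prompt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["user"]

def classify(log_text, max_auth_tries=MAX_AUTH_TRIES, conn_limit=CONN_LIMIT):
    """Return {ip: [flags]}. 'many-connections' is what a per-source connection
    counter (a pf overload rule) sees; 'many-prompts-one-connection' counts failures
    per (ip, port), i.e. per TCP connection, and is the case such a rule misses."""
    per_conn = defaultdict(int)
    for ip, port, _user in failed_attempts(log_text):
        per_conn[(ip, port)] += 1
    conns, worst = defaultdict(int), defaultdict(int)
    for (ip, _port), n in per_conn.items():
        conns[ip] += 1
        worst[ip] = max(worst[ip], n)
    verdicts = {}
    for ip in conns:
        flags = []
        if conns[ip] > conn_limit:
            flags.append("many-connections")
        if worst[ip] > max_auth_tries:
            flags.append("many-prompts-one-connection")
        verdicts[ip] = flags
    return verdicts
```

Running `classify(SAMPLE_LOG)` flags 192.0.2.10 only under the per-connection rule, which is exactly the traffic a connection-rate overload table would let through.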