Because a potential intruder can establish multiple or "tag-teamed"
TCP sessions (possibly from different IPs) to the SSH server, a
per-session limit is barely useful and will not slow a determined
attacker. A global limit might, but would enable DoS attacks.
--Brett Glass
At 01:19 PM 7/17/2015, Mike Tancsa wrote:
Not sure if others have seen this yet
------------------
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
"OpenSSH has a default value of six authentication tries before it will
close the connection (the ssh client allows only three password entries
per default).
With this vulnerability an attacker is able to request as many password
prompts limited by the “login graced time” setting, that is set to two
minutes by default."
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
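An added example, not part of either message or of OpenSSH: a log check covering the two points in this thread, flagging any single sshd connection that logs more failures than the six-try default (the bypass) and any account whose failures add up across connections and source IPs (the tag-teamed case). The log lines are constructed, and the `Failed <method> for <user> from <ip>` syslog format, the one-PID-per-connection mapping and the threshold of 10 are assumptions.

```python
import re
from collections import Counter, defaultdict

MAX_AUTH_TRIES = 6  # OpenSSH default quoted in the thread

# Assumed syslog format, e.g.:
#   sshd[4242]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(lines, max_tries=MAX_AUTH_TRIES, account_threshold=10):
    """Return (connections over the per-session limit, accounts hit across sessions)."""
    per_conn = Counter()              # (sshd pid, ip) -> failures in one connection
    per_user = Counter()              # account -> failures over all connections
    sources = defaultdict(set)        # account -> distinct source IPs
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        # Assumption: one sshd PID per connection (PID reuse over long logs is ignored).
        per_conn[(m["pid"], m["ip"])] += 1
        per_user[m["user"]] += 1
        sources[m["user"]].add(m["ip"])
    # More failures in one connection than MaxAuthTries means the limit did not hold.
    bypass = {conn: n for conn, n in per_conn.items() if n > max_tries}
    # Failures that stay under the limit per connection but add up per account.
    spread = {u: (n, len(sources[u])) for u, n in per_user.items()
              if n >= account_threshold}
    return bypass, spread

def sample_log():
    """Constructed log lines, not captured from a real host."""
    lines = [f"Jul 17 13:20:{i:02d} host sshd[4242]: Failed keyboard-interactive/pam "
             f"for root from 203.0.113.5 port 51234 ssh2" for i in range(9)]
    for c in range(4):                # four sources, three tries each, one account
        lines += [f"Jul 17 13:21:{c * 3 + i:02d} host sshd[{5000 + c}]: Failed password "
                  f"for invalid user admin from 198.51.100.{c + 1} port 40000 ssh2"
                  for i in range(3)]
    lines.append("Jul 17 13:22:00 host sshd[6000]: Accepted publickey for alice "
                 "from 192.0.2.10 port 50000 ssh2")
    return lines

if __name__ == "__main__":
    bypass, spread = analyse(sample_log())
    print("over per-connection limit:", bypass)
    print("accounts attacked across connections:", spread)
```

On the sample, the `root` connection is caught by the per-connection count, while the `admin` attempts stay at three per connection and only show up in the per-account total.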