Brett Glass wrote:
Because a potential intruder can establish multiple or "tag-teamed" TCP sessions (possibly from different IPs) to the SSH server, a per-session limit is barely useful and will not slow a determined attacker. A global limit might, but would enable DoS attacks.
If you run sshd under inetd, the "-C" flag will enforce rate limits on a per-IP basis. Still vulnerable to resource exhaustion under a DDoS perhaps, but it would have to be a serious effort. Considering the potential interactions between inetd.conf, login.conf, sshd_config and perhaps fail2ban or portsentry, it's surprising there isn't more documentation on this important topic.

Roger
https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

"OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default). With this vulnerability an attacker is able to request as many password prompts limited by the 'login graced time' setting, that is set to two minutes by default."
_______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
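To illustrate the per-IP versus global limit trade-off discussed in the thread, here is an added example (not from the thread, inetd or OpenSSH) that counts "Failed password" lines from sshd syslog output in a sliding window, once per source address (what a per-IP limiter such as inetd -C sees) and once globally; the log lines, hostname and TEST-NET addresses are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (hypothetical host "gw", TEST-NET addresses).
SAMPLE_LOG = """\
Jul 16 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Jul 16 10:00:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Jul 16 10:00:05 gw sshd[2103]: Failed password for root from 203.0.113.11 port 51002 ssh2
Jul 16 10:00:07 gw sshd[2104]: Failed password for root from 203.0.113.12 port 51003 ssh2
Jul 16 10:00:09 gw sshd[2105]: Failed password for root from 203.0.113.13 port 51004 ssh2
Jul 16 10:00:11 gw sshd[2106]: Failed password for root from 203.0.113.14 port 51005 ssh2
Jul 16 10:00:13 gw sshd[2107]: Failed password for root from 203.0.113.15 port 51006 ssh2
Jul 16 10:05:00 gw sshd[2200]: Accepted publickey for roger from 198.51.100.7 port 40000 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

def parse_failures(text, year=2015):
    """Return [(timestamp, source_ip)] for each failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def rate_alerts(events, window_s=60, per_ip_max=3, global_max=5):
    """Sliding-window failure counts.
    Returns (ips_over_per_ip_limit, global_limit_hit): the set mirrors a
    per-IP limiter; the bool mirrors a global limit that also notices
    attempts spread thinly across many source addresses."""
    window = timedelta(seconds=window_s)
    per_ip, glob = {}, deque()
    flagged, global_hit = set(), False
    for ts, ip in sorted(events):
        q = per_ip.setdefault(ip, deque())
        for d in (q, glob):
            d.append(ts)
            while ts - d[0] > window:   # drop entries older than the window
                d.popleft()
        if len(q) > per_ip_max:
            flagged.add(ip)
        if len(glob) > global_max:
            global_hit = True
    return flagged, global_hit
```

With the defaults, no single address exceeds three failures in a minute, so the per-IP view stays quiet while the global view trips on seven failures in twelve seconds from six addresses.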