Bugtraq mailing list archives

Re: brute force


From: buckaroo () 2600 com (Buckaroo Banzai)
Date: Tue, 16 Jul 1996 17:33:17 -0400


On Thu, 11 Jul 1996 02:54:52 (-0400) Jacob Langseth
<jacob () esisys com> said:

} Interestingly,
} o It is the ssh client that disconnects after the first failure.
} o Sshd (v1.2.13, at least) will allow unlimited password attempts
} and does not produce logs regarding the failure(s).

Ok, here's a fix: (against 1.2.14)

--- sshd.c.~1~  Thu Jun  6 04:39:34 1996
+++ sshd.c Tue Jul 16 11:41:04 1996
@@ -1247,6 +1247,7 @@
   char *client_user;
   unsigned int client_host_key_bits;
   MP_INT client_host_key_e, client_host_key_n;
+  int chances = 3;

   /* Verify that the user is a valid user.  We disallow usernames
starting
      with any characters that are commonly used to start NIS
entries. */
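Review bot: `int chances = 3;` combined with the `--chances < 0` test in the next hunk lets a client make four failed password attempts before the disconnect, not three; if three is the intent, keep the initialiser and test `<= 0`, or compare against the constant directly. The limit is also a bare magic number dropped among the host-key declarations; a named constant (or a server option, since the permitted count is site policy) would make the intent visible and tunable.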
@@ -1463,6 +1464,11 @@
              break;
            }
          debug("Password authentication for %.100s failed.", user);
+         if (--chances < 0) {
+             debug("Too many password attempts for %.100s.", user);
+             packet_disconnect("Too many password attempts.");
+            /* NOTREACHED */
+         }
          memset(password, 0, strlen(password));
          xfree(password);
          break;
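Review bot: the new disconnect path records the event only through `debug()`, which is silent unless sshd is run in debug mode, so the quoted complaint (unlimited attempts and no log of the failures) is only half addressed: attempts are now capped, but an administrator running a normal sshd still sees nothing. Emit the "Too many password attempts" line through the daemon's regular logging call so it reaches syslog, and consider whether the existing `debug("Password authentication for %.100s failed.", user)` on the line above should be promoted the same way. Separately, `packet_disconnect()` is reached (and never returns, per the `/* NOTREACHED */`) before the `memset(password, 0, strlen(password))` and `xfree(password)` cleanup that follows, so the cleartext password is still in memory when the process exits; move the zeroing ahead of the `if (--chances < 0)` check.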

} o Ssh is often allowed through otherwise restrictive filters or firewalls.

Not where I'm currently working.  I've had to set up a tight-binding
proxy for the service on a telnet port.

} This makes ssh a bit more appealing for brute-force cracks than one might
} first suspect...

Agreed.

I should actually extend this to notify the shadow library of a failed
login attempt, and get it to log it in faillog.  That way at least the
user is made aware that someone has been trying to get in...

Buckaroo.

--
If I had something funny to say down here, you'd know it.
