SSH hacked?

Kent Borg kentborg at borg.org
Wed Jan 14 15:43:01 UTC 2009


NoOp wrote:
> why don't you try as I suggested? Put a machine w/ssh on an open
> DSL/Cable modem and watch your logs for a few days?

I don't need to put up such a test, I already have such a thing.
Checking the log file is quite easy...

[check, check, check]

As always, there have been break-in attempts. These attempts came from
different IP addresses, and you suggested I will attract attacks like
flies to honey--but for the moment let's assume you are wrong on that
point and assume that these attacks are really just a single coordinated
attacker.

Some of the attacks are against randomly chosen user names, but most are
against root and that matters most, so let's look at the root attacks:
Based on the number of attempts in this sample and the entropy in my
root password, at minimum it will take over 2,500 years for a single
coordinated attacker to have a 50-50 chance of getting in. Further, if
the attacker doesn't know the format ("recipe") of my root password, the
effective entropy soars to a much higher figure--to estimate
conservatively it would take many octillion years of attempts to get to
the 50-50 point.

Conclusion: No attacker is going to get root on this machine via a brute
force attack. NEVER, EVER, EVER, not in any time span that I (nor my
machine) will live to see.

I am NOT saying that a break-in is impossible, only that it will have to
come via some other vulnerability. Being distracted from the other
vulnerabilities is then a serious problem.

If I am worried about security, I should worry about other
vulnerabilities. Because I have a good root password, fretting over
moving sshd as a way to slow down a brute force attack is a distraction.
It is like arguing over what color car gets better mileage (do more
photons bounce off or get absorbed and do they impart momentum, slowing
or speeding the car???). Different cars get different mileage and
mileage certainly matters, but color doesn't make any real difference.

*DO* worry about the quality of your passwords--worry a lot about that.
Worry about whether they are truly secret. But once you have carefully
covered that concern (do the math...), quit your worrying on that point!
You say you have a good password, and I believe you. Now worry about
other issues.

For example: Do you let any web site you visit execute on your computer
whatever Javascript it pleases? If so, that is a *serious* security
hole. Be productive in your fretting. Fret over that for a while.

Addressing brute force is easy. Address it with password entropy and
password secrecy. Done. Now move on.


-kb
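The estimate Kent describes (count the failed root attempts in a log sample, combine that rate with the password's entropy, and work out how long a 50-50 chance of a correct guess would take) can be reproduced with a short script. The following is an added example, not code from the post or from the ubuntu-users list; it assumes a constructed sample of sshd "Failed password" lines spanning three days (documentation-range IPs), a 12-character password drawn uniformly at random, and two attacker models: one who knows the recipe (lowercase letters only) and one who must search all 95 printable ASCII characters. It does not reproduce Kent's own numbers, which depend on his log and his password.

```python
import math
import re

# Constructed sample sshd log lines in OpenSSH's "Failed password" format.
# Not taken from the post; the source addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:15:40 host sshd[2108]: Failed password for invalid user oracle from 198.51.100.23 port 40011 ssh2
Jan 12 09:02:11 host sshd[2210]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan 13 00:41:55 host sshd[2333]: Failed password for invalid user test from 203.0.113.7 port 52100 ssh2
Jan 13 11:20:02 host sshd[2470]: Failed password for root from 192.0.2.44 port 33010 ssh2
Jan 14 02:07:31 host sshd[2602]: Failed password for root from 192.0.2.44 port 33012 ssh2
"""
SAMPLE_DAYS = 3  # the constructed sample covers Jan 12-14 (assumption)

# Matches both "Failed password for root ..." and "... for invalid user X ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def count_failed_logins(log_text):
    """Return ({user: attempts}, {source IPs}) for failed password attempts."""
    per_user = {}
    sources = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        per_user[user] = per_user.get(user, 0) + 1
        sources.add(ip)
    return per_user, sources


def entropy_bits(alphabet_size, length):
    """Entropy of a password chosen uniformly from alphabet_size**length candidates."""
    return length * math.log2(alphabet_size)


def years_to_half_chance(bits, attempts_per_day):
    """Years until a guesser working at attempts_per_day has a 50% chance.

    On average half the space, 2**(bits-1) guesses, must be tried.
    With no observed attempts the horizon is infinite, not a division error.
    """
    if attempts_per_day <= 0:
        return math.inf
    attempts_needed = 2 ** (bits - 1)
    return attempts_needed / (attempts_per_day * 365.25)


def brute_force_estimate(log_text, sample_days, password_length=12):
    """Combine the observed root-guessing rate with two entropy assumptions."""
    per_user, sources = count_failed_logins(log_text)
    root_attempts = per_user.get("root", 0)
    root_per_day = root_attempts / sample_days
    known_recipe = entropy_bits(26, password_length)    # attacker knows: lowercase only
    unknown_recipe = entropy_bits(95, password_length)  # attacker must try all printable ASCII
    return {
        "root_attempts": root_attempts,
        "sources": len(sources),
        "root_attempts_per_day": root_per_day,
        "years_known_recipe": years_to_half_chance(known_recipe, root_per_day),
        "years_unknown_recipe": years_to_half_chance(unknown_recipe, root_per_day),
    }


if __name__ == "__main__":
    for key, value in brute_force_estimate(SAMPLE_LOG, SAMPLE_DAYS).items():
        print(f"{key}: {value:,.3g}" if isinstance(value, float) else f"{key}: {value}")
```

The entropy figures assume the password really is uniformly random over the stated alphabet; a password built from dictionary words or a predictable pattern has far fewer effective bits than `length * log2(alphabet)`, which is exactly why the post insists on secrecy of the recipe as well as length. Feeding the script a real `/var/log/auth.log` excerpt (and the number of days it spans) gives the same two figures for your own host.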




More information about the ubuntu-users mailing list