This is a discussion on Re: Suggestion: SSHD pseudo/fake mode. Source available. within the OpenSSH Development forums, part of the Networking and Network Related category.
Hi again,

it's once more about this SSH trap thing. I have received some answers which proposed to use configuration options like "DenyUsers *" to deny all logins. That approach sounds more promising, especially from the developer's perspective, because it wouldn't need tweaks in the code itself.

I must admit I hadn't tried this! And, in fact, it does work: all credentials are rejected, even if they're correct. The effort is in fact a lot lower than with my circumstantial tweaks in the source code itself.

However, the daemon behaves slightly differently when the "DenyUsers *" option is used. By default, sshd disconnects when the third wrong set of credentials has been provided. With "DenyUsers *", this always happens after the first attempt. In some - admittedly: very rare - cases, that _might_ alert an attacker. (And as stated earlier, the intention was to have a trap that behaves essentially like an unmodified daemon does.) But in most cases this difference _should_ remain unnoticed, since brute force attackers usually disconnect after the first failed attempt anyway and reconnect.

Regards

Daniel
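As an added example (not part of the original post and not OpenSSH code): a Python script that groups a trap's sshd log lines by connection, so the number of password attempts each client made before the disconnect can be compared against an unmodified daemon. The log lines are constructed samples in the style of OpenSSH syslog output, and grouping by sshd PID assumes one logging PID per connection.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the post). The last connection has
# two failures only to exercise the counter; it is not observed behaviour.
SAMPLE_LOG = """\
Mar  3 10:15:01 trap sshd[4101]: User root from 203.0.113.5 not allowed because listed in DenyUsers
Mar  3 10:15:03 trap sshd[4101]: Failed password for invalid user root from 203.0.113.5 port 40122 ssh2
Mar  3 10:15:09 trap sshd[4102]: User admin from 203.0.113.5 not allowed because listed in DenyUsers
Mar  3 10:15:11 trap sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 10:16:40 trap sshd[4110]: User oracle from 198.51.100.7 not allowed because listed in DenyUsers
Mar  3 10:16:42 trap sshd[4110]: Failed password for invalid user oracle from 198.51.100.7 port 51514 ssh2
Mar  3 10:16:44 trap sshd[4110]: Failed password for invalid user oracle from 198.51.100.7 port 51514 ssh2
"""

DENIED = re.compile(r"sshd\[(\d+)\]: User (\S+) from (\S+) not allowed because listed in DenyUsers")
FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def summarize(log_text):
    """Group trap log lines by sshd PID (assumed: one PID per connection)."""
    conns = defaultdict(lambda: {"src": None, "users": set(), "denied": False, "failures": 0})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            pid, user, src = m.groups()
            conns[pid].update(src=src, denied=True)
            conns[pid]["users"].add(user)
            continue
        m = FAILED.search(line)
        if m:
            pid, user, src = m.groups()
            conns[pid]["src"] = src
            conns[pid]["users"].add(user)
            conns[pid]["failures"] += 1
    return dict(conns)

def attempts_per_source(conns):
    """Total failed password attempts per source address, across connections."""
    totals = defaultdict(int)
    for c in conns.values():
        totals[c["src"]] += c["failures"]
    return dict(totals)

if __name__ == "__main__":
    conns = summarize(SAMPLE_LOG)
    for pid, c in sorted(conns.items()):
        print(pid, c["src"], sorted(c["users"]), "failures:", c["failures"])
    print(attempts_per_source(conns))
```

Running the same summary over logs from a stock daemon and from the "DenyUsers *" trap shows whether the attempts-per-connection figure differs between the two.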