[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Michael H. Warfield mhw at WittsEnd.com
Thu Dec 23 23:57:15 EST 2010


Michael,

No offense but I'm totally at a loss to see who or what you were
responding to with this.  Can you reply in-thread with some quoting?  I
see what you're saying and I'm not understanding your point.  I'm presuming
that the "Not sure what his reply is going to be" may be referring to me.
My access is a little erratic right now during the holiday season so
you'll have to forgive me a bit.

Regards,
Mike

On Thu, 2010-12-23 at 18:48 -0500, Michael Trausch wrote:
> Not sure what his reply is going to be, but I can say that if there is a
> delay, it should be inherent to the method of key generation.  For example,
> if using a strong password as input to a KDF that runs a million rounds,
> there will be a noticeable delay to the key generation.  Sadly, there is no
> way to pick a universally applicable number of rounds, though; very old
> systems won't be able to reasonably generate keys if there are more than
> several tens of thousands of iterations, while very new systems may not
> delay at all.
> 
> I have one system-in-progress that is set up to generate keys with 10,000,000
> rounds, making the delay on my system around three seconds to generate the
> key.  In the target environment it takes ~10 seconds.  The only purpose is
> to reduce the feasibility of brute forcing by increasing the time it takes
> to generate a key.
> 
> It seems that 1,000 to 10,000 iterations is the common value, but on my
> systems this provides nearly no delay whatsoever.  Certainly not one which
> is perceptible to me.  Given a 3 second delay to generate a key that would
> mean that my system can only brute 120 keys per minute, if those keys all
> pass through the algorithm.  It also means that invalid passwords will take
> some time, even locally, to find that they are invalid, which is the point
> with something like this where there may not be a client/server interaction.
> 
> --
> Sent from my G2 running CyanogenMod!
> That is, a phone. :)
> On Dec 23, 2010 6:34 PM, "Matty" <matty91 at gmail.com> wrote:

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
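Michael's point that no single round count fits every machine suggests calibrating it per host rather than hard-coding it. The following is an added example, not code from this thread: it times PBKDF2-HMAC-SHA256 (my assumed KDF; the post names none) to pick an iteration count for a target delay on the machine it runs on, and computes the single-core guess rate a given per-key delay implies. The password and salt are constructed sample values.

```python
import hashlib
import time

# Constructed sample inputs for the demo; not values from the thread.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One PBKDF2-HMAC-SHA256 derivation; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for a single derivation at this iteration count on this host."""
    start = time.perf_counter()
    derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds: float, floor: int = 10_000,
                         probe: int = 20_000) -> int:
    """Pick an iteration count so one derivation takes about target_seconds here.

    Measures a probe run, scales linearly, then measures once more at the
    estimate and rescales to absorb cache and clock-boost effects.  Never
    returns less than `floor`, so a very fast machine still gets a minimum cost.
    """
    elapsed = time_derivation(probe)
    estimate = max(floor, int(probe * target_seconds / max(elapsed, 1e-9)))
    refined = time_derivation(estimate)
    return max(floor, int(estimate * target_seconds / max(refined, 1e-9)))


def guesses_per_minute(seconds_per_derivation: float) -> float:
    """Single-core offline brute-force rate when every guess must run the KDF."""
    return 60.0 / seconds_per_derivation


if __name__ == "__main__":
    iters = calibrate_iterations(target_seconds=0.5)
    cost = time_derivation(iters)
    print(f"{iters} iterations -> {cost:.2f} s per key, "
          f"~{guesses_per_minute(cost):.0f} guesses/min on one core")
```

The calibrated count is only meaningful for the host that ran it; the floor is what protects a slower target environment from a value tuned on a fast build machine.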