Thursday, July 21, 2011

Re: [BLUG] How many of you run home servers?

With botnets the pam_unix 2 second delay is meaningless. That's two seconds per IP and depending on the size of the botnet it could be longer than 2 seconds before the same IP attacks due to not wanting to DoS your system. Even banning IPs after wrong passwords is useless, as I was never seeing the same IP attempt to attack within 5 minutes or more.

They have near limitless IPs. They have near limitless computing power. They also get bored very, very quickly. The key is to appear uninteresting. Public key auth does that.

Cheers,
Steven Black

On Jul 21, 2011 3:23 PM, "Brian Wheeler" <bdwheele@indiana.edu> wrote:
> On Thu, 2011-07-21 at 18:23 +0000, Mark Krenz wrote:
>
>> Here is a summary to give you an idea of how large of numbers we are
>> talking about:
>>
>> simple 5 character password combinations (a-z)
>> 26^5 = 11881376 (0.01 seconds)
>>
>> full alphanumeric 5 character password (a-zA-Z0-9):
>> 62^5 = 916132832 (0.9 seconds)
>>
>> complex alphanumeric 5 character password (above + all symbols)
>> 94^5 = 7339040224 (7.3 seconds)
>>
>> 3 word passphrase drawing from 2000 word vocabulary
>> 2000^3 = 8000000000 (8 seconds)
>>
>> simple 8 character password combinations (a-z)
>> 26^8 = 208827064576 (208 seconds)
>>
>> 4 word passphrase drawing from 2000 word vocabulary
>> 2000^4 = 16000000000000 (4.4 hours)
>>
>> full alphanumeric 8 character password (a-zA-Z0-9):
>> 62^8 = 218340105584896 (2.5 days)
>>
>> complex alphanumeric 8 character password (above + all symbols)
>> 94^8 = 6095689385410816 (70 days)
>>
>> 5 word passphrase drawing from 2000 word vocabulary
>> 2000^5 = 32000000000000000 (1 year, 5 days)
>>
>> 5 word passphrase drawing from 5000 word vocabulary
>> 5000^5 = 3125000000000000000 (99 years)
>>
>> The time shown in parens is the maximum time that it would take for a
>> system capable of encrypting 1 billion passwords per second.
>> Apparently, home desktop systems with high end GPUs have been built that
>> can do this.
>>
>> Lesson learned from all this? Sentence based passphrases are much much
>> stronger. The downside is that they are easier to accidentally say in your
>> sleep.
>>
>
> The time needed to generate the encrypted keys is only important if you
> already have the encrypted key and you want to reverse the password.
>
> For scanning SSH hosts that isn't important. What is important is the
> number of combinations for the password character set and the amount of
> time that each wrong answer takes. If the SSH server (and basically
> anything that uses pam_unix.so) waits 2 seconds after each wrong
> attempt, the amount of time needed to guess the correct password becomes
> huge.
>
> For the worst case example above [a-z]{5} it would take 275 days to try
> every combination. The [A-Za-z0-9]{5} one takes 58.1 years. The
> shortest reasonable set/size (all symbols, 6 characters) would take 1801
> years.
>
> How many threads would an attacker have to use to make it worth it?
>
> The biggest problem is social engineering, not password complexity. Too
> many people share or write down their passwords. Or they use really
> obviously bad passwords (the account name, 1234, "password", etc). The
> bots hitting the ssh servers, at least from what I've seen, aren't doing
> a brute force attack: they're trying to pick up low hanging fruit where
> passwords of well known accounts were chosen stupidly.
>
> Brian
>
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
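The arithmetic the thread works through (keyspace size, time to exhaust it against a captured hash at a billion guesses per second, and time to exhaust it against a live SSH server that imposes a fixed delay after each wrong attempt) can be put in one small script. This is an added example, not code from the mailing-list thread or from pam_unix; the 1e9 guesses/second rate, the 2 second delay and the alphabet sizes are the figures quoted above, and the parallel-connection parameter models Steven's point that a botnet spreads the delay across many source IPs.

```python
"""Brute-force exposure estimates, following the arithmetic in the BLUG thread.

Added example; the rates and delays are the ones quoted in the thread:
  - offline: a captured hash attacked at 1e9 guesses/second (Mark's table)
  - online:  a live service that sleeps 2 s after each wrong guess (Brian's
             pam_unix figure), optionally spread over many source IPs (Steven's
             botnet point).
"""
import math

# Alphabet sizes used in the thread.
LOWER = 26          # a-z
ALNUM = 62          # a-zA-Z0-9
PRINTABLE = 94      # a-zA-Z0-9 plus all printable symbols

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates: alphabet_size ** length.

    Works for character alphabets (26, 62, 94) and for word-list passphrases,
    where alphabet_size is the vocabulary (2000, 5000) and length is the word count.
    """
    return alphabet_size ** length


def offline_seconds(space: int, guesses_per_second: float = 1e9) -> float:
    """Worst case to try every candidate against a captured hash at the given rate."""
    return space / guesses_per_second


def online_seconds(space: int, delay_per_attempt: float = 2.0,
                   parallel_connections: int = 1) -> float:
    """Worst case against a live service that imposes delay_per_attempt after each
    wrong guess. Each connection serialises on its own delay, so N connections
    divide the wall-clock time by N; a single source IP is the N=1 case."""
    return space * delay_per_attempt / parallel_connections


def connections_to_defeat_delay(space: int, target_seconds: float,
                                delay_per_attempt: float = 2.0) -> int:
    """How many parallel connections exhaust the space within target_seconds despite
    the delay. A defender can read this as the number of distinct source IPs at
    which the per-attempt delay alone stops protecting a given password policy."""
    return math.ceil(space * delay_per_attempt / target_seconds)


def human(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value >= 1 (units as in the thread)."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def report(policies=None) -> list:
    """Return (label, keyspace, offline, online-single-IP, online-1000-IPs) rows."""
    if policies is None:
        policies = [("[a-z]{5}", LOWER, 5), ("[a-zA-Z0-9]{5}", ALNUM, 5),
                    ("printable{5}", PRINTABLE, 5), ("3 words/2000", 2000, 3),
                    ("[a-z]{8}", LOWER, 8), ("4 words/2000", 2000, 4),
                    ("[a-zA-Z0-9]{8}", ALNUM, 8), ("printable{8}", PRINTABLE, 8),
                    ("5 words/2000", 2000, 5), ("5 words/5000", 5000, 5)]
    rows = []
    for label, size, length in policies:
        space = keyspace(size, length)
        rows.append((label, space, human(offline_seconds(space)),
                     human(online_seconds(space)),
                     human(online_seconds(space, parallel_connections=1000))))
    return rows


if __name__ == "__main__":
    print(f"{'policy':16} {'keyspace':>22} {'offline@1e9/s':>14} "
          f"{'online 1 IP':>14} {'online 1000 IPs':>16}")
    for label, space, off, on1, on1000 in report():
        print(f"{label:16} {space:22d} {off:>14} {on1:>14} {on1000:>16}")
```

Running it reproduces Mark's offline column and Brian's 275 days / 58.1 years for the two five-character sets at a 2 second delay from one source, and the last column shows why Steven dismisses the delay: spread over a thousand source IPs, the same [a-z]{5} space falls to a few hours, which is the argument for moving to key-based authentication rather than relying on the delay.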
