Attempting two birds with one message...
>Date: Fri, 8 May 2015 11:46:15 -0600
>From: Richard Johnson <rjt...@sa...>
>Subject: Re: [Sshguard-users] Username Blacklisting
>To: ssh...@li...
>Message-ID: <201...@ri...>
>Content-Type: text/plain; charset=us-ascii
>
>On Fri, May 08, 2015 at 12:20:46PM -0500, Kevin Zheng wrote:
>> On 05/08/2015 11:51, Laurence Perkins (OE) wrote:
>> > While we're discussing potential new features, I've noticed that nearly
>> > all attackers hit the same list of default usernames (root, pi, ubuntu,
>> > etc.)
>> Sounds interesting, especially with the use case you describe (running
>> on a Raspberry Pi). Have you taken a look at OpenSSH settings like
>> AllowUsers or DenyUsers? Do those incur the same CPU penalty?
The CPU penalty comes primarily from doing all the calculations to set up the
encrypted channel and secondarily from hashing the password for verification.
(The order of those two is subject to change depending on encryption settings.)
Setting SSH to block certain usernames eliminates the latter, but you still have
the first one. On my old C3 machine (roughly equivalent power to a Raspberry Pi)
setting up the encrypted channel took it about 2-3 seconds. (I like large keys.)
I started using SSHguard because the rapid-fire login attempts were redlining my
CPU and making the machine more-or-less useless (except, maybe, as a toaster...).
>>
>> This sounds useful; I'll start poking around soon.
>Having the option of scoring certain usernames as high danger attempts,
>or perhaps as danger 1+fractional multipliers, could be a clean way to
>implement such a feature.
I hadn't thought of doing it that way, but that would likely be more useful as you could
use it to set up multiple, different levels of paranoia for different users. Especially
if you can use a fractional multiplier to effectively raise the threshold for guest accounts
and the like.
LMP
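The per-username danger multipliers discussed in the thread, worked through as an added example that is not part of the mailing-list messages and not sshguard's own scoring code. It parses a few constructed sshd log lines (RFC 5737 test addresses), weights each failed login by the username that was tried, and reports which sources cross a block threshold. The base danger (10), the multipliers, and the threshold (30) are assumed values chosen for illustration, not sshguard defaults.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the thread); the addresses
# are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May  8 11:40:01 pi sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  8 11:40:03 pi sshd[2002]: Failed password for invalid user pi from 203.0.113.5 port 51235 ssh2
May  8 11:40:05 pi sshd[2003]: Failed password for invalid user ubuntu from 203.0.113.5 port 51236 ssh2
May  8 11:41:10 pi sshd[2004]: Failed password for guest from 198.51.100.7 port 40000 ssh2
May  8 11:41:12 pi sshd[2005]: Failed password for guest from 198.51.100.7 port 40001 ssh2
May  8 11:41:14 pi sshd[2006]: Failed password for guest from 198.51.100.7 port 40002 ssh2
May  8 11:42:00 pi sshd[2007]: Accepted publickey for alice from 192.0.2.9 port 22222 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed scoring parameters (hypothetical, for illustration only).
BASE_DANGER = 10
# Usernames that nearly every scanner tries get a high multiplier; a guest-style
# account gets a fractional one, which effectively raises its threshold.
USERNAME_MULTIPLIER = {"root": 2.0, "pi": 2.0, "ubuntu": 2.0, "admin": 2.0, "guest": 0.5}
BLOCK_THRESHOLD = 30


def danger_for(user: str) -> float:
    """Danger contributed by one failed attempt against `user`."""
    return BASE_DANGER * USERNAME_MULTIPLIER.get(user, 1.0)


def score_log(text: str) -> dict:
    """Accumulate weighted danger per source address over failed-password lines."""
    scores = defaultdict(float)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines contribute nothing
        scores[m["ip"]] += danger_for(m["user"])
    return dict(scores)


def blocked(scores: dict, threshold: float = BLOCK_THRESHOLD) -> list:
    """Source addresses whose accumulated danger has reached the threshold."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    totals = score_log(SAMPLE_LOG)
    for ip, s in sorted(totals.items()):
        print(f"{ip:15} danger={s:.1f}")
    print("block:", blocked(totals))
```

With these values, three attempts against root/pi/ubuntu from one source reach a danger of 60 and are blocked, while three attempts against the half-weighted guest account from another source reach only 15 and are not; the multiplier table is where the "different levels of paranoia for different users" from the thread would live.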