Educause Security Discussion mailing list archives

Re: SSH dictionary attack dictionary


From: Patrick P Murphy <pmurphy () NRAO EDU>
Date: Tue, 11 Aug 2009 09:18:17 -0400

On Tue, 11 Aug 2009 00:35:14 -0400, Brad Edmondson
   <brad.edmondson () gmail com> said:

> Interesting project - how did you filter out off-by-one typos so that
> you couldn't deduce your legitimate users' passwords?

Our situation is somewhat different from a University; we have far fewer
users (staff and a very few students and visiting observers), most of
the staff are reasonably well trained in security, and the case in point
was a sustained distributed dictionary-type attack against one or two of
our servers.  The "noise" in this case were the (very) few overnight ssh
logins that were legitimate, and the "signal" was the large number of
ssh attempts from a wide swath (hundreds) of IP addresses, mostly
offshore.  There wasn't much noise.

 - Pat

--
 Patrick P. Murphy, Ph.D.   Webmaster (East), Computing Security Manager
 http://www.nrao.edu/~pmurphy/          http://chien-noir.com/maze.shtml
 "Inventions then cannot, in nature, be a subject of property."
                                    -- Thomas Jefferson, August 13, 1813

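The signal/noise split Pat describes (a handful of legitimate logins, some with a mistyped password first, against hundreds of failing source addresses) can be checked mechanically from sshd's auth log. The following is an added example, not code from the thread or from NRAO: it parses constructed sshd log lines, counts failures per source IP, and treats an address as "noise" only when every username it failed on later logged in successfully from that same address; the `min_sources` threshold is an assumed tuning knob.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_LOG = """\
Aug 11 01:02:03 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Aug 11 01:02:05 host sshd[101]: Failed password for root from 203.0.113.5 port 4022 ssh2
Aug 11 01:03:10 host sshd[102]: Failed password for invalid user test from 198.51.100.7 port 5000 ssh2
Aug 11 01:04:12 host sshd[103]: Failed password for invalid user oracle from 198.51.100.8 port 5001 ssh2
Aug 11 01:05:00 host sshd[104]: Accepted publickey for pat from 192.0.2.10 port 6000 ssh2
Aug 11 01:06:30 host sshd[105]: Failed password for pat from 192.0.2.10 port 6001 ssh2
Aug 11 01:06:40 host sshd[106]: Accepted password for pat from 192.0.2.10 port 6001 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def summarize(log_text):
    """Collect failures per source IP, usernames tried per IP, and successful (user, ip) logins."""
    failures = Counter()             # source IP -> number of failed password attempts
    users_tried = defaultdict(set)   # source IP -> usernames that failed from it
    accepted = set()                 # (user, ip) pairs that logged in successfully
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.groups())
    return failures, users_tried, accepted


def classify(log_text, min_sources=3):
    """Return (suspect_ips, legit_ips, distributed).
    An IP is 'noise' only if every user it failed on later logged in from that IP
    (a typo); anything else is 'signal'. distributed is True when the number of
    signal IPs reaches min_sources (an assumed threshold)."""
    failures, users_tried, accepted = summarize(log_text)
    logged_in_from = defaultdict(set)   # ip -> users who successfully logged in from it
    for user, ip in accepted:
        logged_in_from[ip].add(user)
    suspect, legit = [], []
    for ip in sorted(failures):
        if users_tried[ip] <= logged_in_from[ip]:
            legit.append(ip)
        else:
            suspect.append(ip)
    return suspect, legit, len(suspect) >= min_sources
```

On a real box, feed it `/var/log/auth.log` (or `journalctl -u ssh`) and watch the count of signal IPs over a window; a jump from a few to hundreds of distinct failing sources is the distributed pattern Pat describes.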