
Re: SSH and Telnet ports



On Sun, Dec 14, 2008 at 10:36:13AM -0800, Christopher Davis wrote:
> How practical is SSH password cracking over Tor? Wouldn't the latency
> deter attackers?

SSH password attacks from single sources can be deterred with watcher programs 
such as Fail2Ban which modify the firewall to discard connections from an offending IP address 
after a chosen number of login failures for a chosen period of time (e.g. 1 hour).
Some have suggested rate limiting new connections using iptables rules as well.
To counter this, SSH crackers devised distributed attack schemes
which try to log in only a few times from each of many different IP addresses.
However there are now also distributed versions of the watcher software
( http://denyhosts.sourceforge.net/ )
which pool the information about attackers and victims.

The latency from Tor wouldn't bother either sort of attacker,
but concentration of attack IP addresses via exit nodes might counter the distributed aspect
(until such time as we reach a much larger population of exit nodes).
It might be interesting to see how many IP addresses listed at DenyHosts are Tor exits.
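
The difference between a per-host watcher and a pooled one, as an added example that is not part of the original message and is not Fail2Ban or DenyHosts code: a simplified sliding-window counter run first on each host's failures alone and then on all hosts' failures together. The host names, the threshold of 3 failures per hour, the year and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE = """\
Dec 14 10:00:01 hostA sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Dec 14 10:00:05 hostA sshd[102]: Failed password for root from 192.0.2.10 port 4002 ssh2
Dec 14 10:00:09 hostA sshd[103]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2
Dec 14 10:05:00 hostA sshd[104]: Failed password for root from 198.51.100.7 port 5001 ssh2
Dec 14 10:06:00 hostB sshd[201]: Failed password for root from 198.51.100.7 port 5002 ssh2
Dec 14 10:07:00 hostC sshd[301]: Failed password for invalid user test from 198.51.100.7 port 5003 ssh2
Dec 14 10:08:00 hostB sshd[202]: Failed password for root from 203.0.113.5 port 6001 ssh2
Dec 14 10:09:00 hostB sshd[203]: Accepted password for alice from 203.0.113.5 port 6002 ssh2
""".splitlines()

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def parse(lines, year=2008):
    """Yield (time, host, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, host, ip = m.groups()
            # syslog timestamps carry no year, so one is assumed
            yield datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), host, ip

def offenders(events, max_failures, window):
    """Source IPs with >= max_failures failures inside one sliding window."""
    recent, flagged = defaultdict(deque), set()
    for when, _host, ip in sorted(events):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return flagged

def local_and_pooled(lines, max_failures=3, window=timedelta(hours=1)):
    """Compare each host judging alone with all hosts sharing their failures."""
    events = list(parse(lines))
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    local = {h: offenders(evs, max_failures, window) for h, evs in by_host.items()}
    return local, offenders(events, max_failures, window)

if __name__ == "__main__":
    print(local_and_pooled(SAMPLE))
```

In the sample, 198.51.100.7 fails once on each of three hosts, so no single host flags it, while the pooled count does.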