Subject: Re: security/2075
To: Steven M. Bellovin <email@example.com>
From: Jeroen Massar <firstname.lastname@example.org>
Date: 08/14/2005 20:35:19
On Sun, 2005-08-14 at 14:24 -0400, Steven M. Bellovin wrote:
> In message <42FF84D9.6050209@NetBSD.org>, Elad Efrat writes:
> >4. An attacker trying to brute-force an account password (with or
> > without a master.passwd), let alone the root password, is very
> > uncommon; I believe the majority, if not all, of inexperienced
> > attackers today will attempt to run their arsenal of exploits on a
> > target system.
> > Experienced attackers will attempt their *private* arsenal of
> > exploits on a target system. :)
> [gnats-bugs deleted]
> This is not correct. There are exploits in the wild that try
> password-guessing attacks via ssh. In fact, the attack is quite common.
Which is indeed why quite some people on this planet have a rate limiter
on their port 22, or moved SSH to another, not so obvious, port...
Not much one can do against brute-force unfortunately...