Subject: Re: security/2075
To: Steven M. Bellovin <>
From: Jeroen Massar <>
List: tech-security
Date: 08/14/2005 20:35:19

On Sun, 2005-08-14 at 14:24 -0400, Steven M. Bellovin wrote:
> In message <>, Elad Efrat writes:
> >
> >4. An attacker trying to brute-force an account password (with or
> >   without a master.passwd), let alone the root password, is very
> >   uncommon; I believe the majority, if not all, of inexperienced
> >   attackers today will attempt to run their arsenal of exploits on a
> >   target system.
> >
> >   Experienced attackers will attempt their *private* arsenal of
> >   exploits on a target system. :)
> [gnats-bugs deleted]
> This is not correct.  There are exploits in the wild that try
> password-guessing attacks via ssh.  In fact, the attack is quite common.

Which is indeed why quite some people on this planet have a rate limiter
on their port 22, or moved SSH to another, not so obvious, port...

Not much one can do against brute-force unfortunately...


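An added example, not part of Jeroen's message or anything else in this thread: a small Python script that applies the per-source counting rule behind a port-22 rate limiter to sshd log lines, so the password-guessing pattern Steven describes becomes visible in the logs. The log lines are constructed for the example (documentation-range addresses, OpenSSH syslog format), the year is assumed to be 2005 because syslog lines carry none, and the threshold of 5 failures in 60 seconds is an arbitrary choice, not a setting from any real tool.

```python
"""Sliding-window detector for SSH password-guessing, run over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not taken from any real host).
# One source tries five accounts in six seconds; another has two unrelated failures.
SAMPLE_LOG = """\
Aug 14 20:30:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Aug 14 20:30:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 40212 ssh2
Aug 14 20:30:04 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
Aug 14 20:30:06 host sshd[1207]: Failed password for root from 198.51.100.7 port 40214 ssh2
Aug 14 20:30:07 host sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 40215 ssh2
Aug 14 20:31:10 host sshd[1301]: Failed password for jeroen from 203.0.113.5 port 51000 ssh2
Aug 14 20:31:40 host sshd[1302]: Accepted publickey for jeroen from 203.0.113.5 port 51001 ssh2
Aug 14 20:45:00 host sshd[1400]: Failed password for root from 203.0.113.5 port 51100 ssh2
"""

# Matches OpenSSH "Failed password" lines; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2005 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforcers(log_text, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside a sliding window.

    Returns {ip: (failures_in_window_when_flagged, sorted usernames tried so far)}.
    This is the same per-source rule a firewall rate limiter applies to new
    connections; here it is applied after the fact to the authentication log.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)       # ip -> usernames tried by that source so far
    flagged = {}
    for ts, ip, user in parse_failures(log_text):
        q = windows[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window before checking the count.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, names) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within window, accounts tried: {', '.join(names)}")
```

Lowering the threshold or widening the window trades missed slow scanners against false alarms from a user mistyping a password, which is the same tuning problem a rate limiter on port 22 faces; moving sshd to another port only reduces the volume of guesses that reach it, it does not change this calculation.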