[Freedombox-discuss] Block brute force login attacks?
Lorenzo
lorenzo at usucapio.net
Mon Jun 23 21:23:23 UTC 2014
On 15. 06. 14 17:18, Sandy Harris wrote:
> " Bcrypt is the default for NetBSD. It is available in the
> " Ubuntu repositories, so I presume also in Debian. I'd
> " say it should be the default for the box, and we could
> " ask the Debian folks to look at whether it might
> " become the default for Debian.
>
Using bcrypt to block brute-force password logins should be done in a
careful way. If the box has to compute the hash then the attacker has an
easy way to launch a DoS: it just has to initiate a lot of connection
attempts and the box would use all the CPU time computing bcrypt hashes.
If it were possible to make the client compute the bcrypt hash of a
challenge then that would be nice, but I don't think support for this is
widely available.
One could also keep the benefit of bcrypt, namely the delay, but avoid
the computation overhead:
pam_faildelay(8) could for instance be a simple yet effective option.
This pam module introduces a delay between the moment the authentication
fails and the moment in which the client performing the authentication
is notified of the failure. Using this tool one can divide by orders of
magnitude the number of attempts per second that an attacker can do.
Clearly a smart attacker can kill the connection before receiving the
failure message when it notices that it is taking too long, but in doing
so it risks killing the attempt with the correct password too early. To
really prevent this type of attack one should insert a delay also in
successful connections (say 60 seconds), but this would probably be a
pain to use and I don't think pam_faildelay would support this use case.
And even then an attacker could try to initiate many connections...
Well it's a complex problem, just wanted to contribute my 2 cts :)
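The trade-off discussed in this message, as an added example that is not part of the original post and not FreedomBox or pam_faildelay code: a password check that pays CPU for every attempt (hashlib.scrypt stands in for bcrypt here, because it ships with Python; the property that matters, that the server does the work, is the same), a pam_faildelay-style check that holds back only the failure notice, and the variant the post suggests where success is delayed too. The credential "correct horse" and the delay values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Cost parameters for the stand-in KDF. The post discusses bcrypt; scrypt is
# used only because hashlib provides it. n=2**14, r=8 uses about 16 MiB and
# tens of milliseconds of CPU per call, which is the cost an attacker forces
# the server to pay on every attempt.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using a CPU- and memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Recompute the hash for the attempt; this is the server-side work that
    the post warns can be turned into a DoS by flooding login attempts."""
    salt, digest = stored
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, digest)


def check_fail_delay(stored, attempt: str, delay_s: float) -> Tuple[bool, float]:
    """Model of pam_faildelay: the failure notice is held back by delay_s
    seconds, successes are answered immediately. Returns (ok, seconds until
    the client is answered). The delay costs wall-clock time, not CPU."""
    start = time.monotonic()
    ok = verify(stored, attempt)
    if not ok:
        time.sleep(delay_s)
    return ok, time.monotonic() - start


def check_uniform_delay(stored, attempt: str, delay_s: float) -> Tuple[bool, float]:
    """Variant the post proposes: delay on success as well, so a client that
    drops the connection early cannot tell a failure from a slow success."""
    start = time.monotonic()
    ok = verify(stored, attempt)
    time.sleep(delay_s)
    return ok, time.monotonic() - start


def cpu_seconds_per_attempt(stored, attempt: str = "wrong-guess") -> float:
    """CPU time the server spends on one attempt. Only the hash contributes;
    the delay variants add no CPU, which is why the post prefers a delay over
    a heavier hash as the anti-brute-force knob."""
    start = time.process_time()
    verify(stored, attempt)
    return time.process_time() - start


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample credential
    print("CPU per attempt (s):", round(cpu_seconds_per_attempt(stored), 4))
    for fn in (check_fail_delay, check_uniform_delay):
        for pw in ("correct horse", "wrong-guess"):
            ok, t = fn(stored, pw, 0.5)
            print(f"{fn.__name__:20} {pw!r:16} ok={ok} answered after {t:.2f}s")
```

Running it shows the two sides of the post's argument: `cpu_seconds_per_attempt` is the same whether or not a delay policy is in place (the hash is computed before any delay), and with `check_fail_delay` a successful attempt is answered well before `delay_s` while a failure is not, which is the timing difference an attacker who aborts slow connections exploits; `check_uniform_delay` removes that difference at the cost the post describes.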