Subject: Re: security/2075
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Jeroen Massar <jeroen@unfix.org>
List: tech-security
Date: 08/14/2005 20:35:19
On Sun, 2005-08-14 at 14:24 -0400, Steven M. Bellovin wrote:
> In message <42FF84D9.6050209@NetBSD.org>, Elad Efrat writes:
>
> >
> >4. An attacker trying to brute-force an account password (with or
> > without a master.passwd), let alone the root password, is very
> > uncommon; I believe the majority, if not all, of inexperienced
> > attackers today will attempt to run their arsenal of exploits on a
> > target system.
> >
> > Experienced attackers will attempt their *private* arsenal of
> > exploits on a target system. :)
>
> [gnats-bugs deleted]
>
> This is not correct. There are exploits in the wild that try
> password-guessing attacks via ssh. In fact, the attack is quite common.
Which is indeed why quite some people on this planet have a rate limiter
on their port 22, or moved SSH to another, not so obvious, port...
Not much one can do against brute-force unfortunately...
Greets,
Jeroen
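As an added illustration of the rate-limiting idea in the reply above (example code written for this page, not from the thread or from any NetBSD tool): a small Python detector that reads OpenSSH auth log lines, counts failed-password attempts per source inside a sliding time window, and flags sources that exceed a threshold. The log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines (not taken from the thread).
SAMPLE_LOG = """\
Aug 14 20:30:01 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Aug 14 20:30:02 host sshd[4102]: Failed password for invalid user test from 192.0.2.10 port 51023 ssh2
Aug 14 20:30:03 host sshd[4103]: Failed password for root from 192.0.2.10 port 51024 ssh2
Aug 14 20:30:04 host sshd[4104]: Failed password for root from 192.0.2.10 port 51025 ssh2
Aug 14 20:30:05 host sshd[4105]: Failed password for root from 192.0.2.10 port 51026 ssh2
Aug 14 20:30:07 host sshd[4106]: Accepted publickey for jeroen from 198.51.100.7 port 40112 ssh2
Aug 14 20:31:10 host sshd[4107]: Failed password for jeroen from 198.51.100.7 port 40113 ssh2
Aug 14 20:45:00 host sshd[4108]: Failed password for root from 203.0.113.5 port 2200 ssh2
Aug 14 20:55:00 host sshd[4109]: Failed password for root from 203.0.113.5 port 2201 ssh2
Aug 14 21:05:00 host sshd[4110]: Failed password for root from 203.0.113.5 port 2202 ssh2
"""

# Matches the sshd "Failed password" line shape; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_failures(log, year=2005):
    """Yield (timestamp, user, source) for every failed-password line."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]

def brute_force_sources(log, threshold=5, window=timedelta(minutes=10)):
    """Return {source: count} for sources with >= threshold failures in one window."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(log):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged
```

The third source spreads its guesses ten minutes apart and never trips the default threshold, which is the limit of per-window rate limiting that the reply alludes to.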