
(post is archived)

[–] 1 pt

In our experiments, it takes ~10,000 tries on average to win this race condition; i.e., with 10 connections (MaxStartups) accepted per 600 seconds (LoginGraceTime), it takes ~1 week on average to obtain a remote root shell.

That was also on i386, which they say is easier to exploit this way than amd64.

SSHGuard with the default settings would make this nearly impossible without a large swarm of machines to launch attempts from.

More importantly, none of this was disclosed to the public until after the fixes were released, and my servers patched themselves before any of the malware writers even heard about this.