Re: [Full-disclosure] Distributed SSH username/password brute forceattack

From: Vincent Archer <varcher@xxxxxxxxxxx>
Date: Wed, 24 Oct 2007 10:03:50 +0200

On Mon, 2007-10-22 at 22:34 +0200, A.L.M.Buxey@xxxxxxxxxxx wrote:

Hi,

Oct 22 20:36:13 nms sshd[90657]: Failed password for invalid user gopher
from 77.46.152.2 port 55120 ssh2

user/password authentication for SSH? one way of cleaning up your
logs and killing this type of attack is to reconfigure your OpenSSH
to only allow key based logins. stopped my 10M+ logfiles straight away
(then the apache attacks were easier to see too ;-) )

Be careful about that. Although key-based logins are easier on your
logs, they also generate the problem of transitive access to the server.
Years ago, one of the boxes I was managing was hacked from the inside:
the hacker got an unsecured linux box thru a script-kiddie level hack,
and used the key of a local user to get in.

Although you can control how the SSH server on your side works, you have
no control on people's private keys and thus cannot enforce passphrases
on those keys. You can unknowingly lower your security by moving to a
key-based login, because some people who would type a password to log-in
will not bother securing their passphrases if they are forced to use a
private key.

--
Vincent ARCHER
varcher@xxxxxxxxxxx

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Distributed SSH username/password brute force attack
  - From: Philipp
- Re: [Full-disclosure] Distributed SSH username/password brute forceattack
  - From: Valery Marchuk
- Re: [Full-disclosure] Distributed SSH username/password brute forceattack
  - From: A . L . M . Buxey

Prev by Date: Re: [Full-disclosure] DHS need to get on top of this right now
Next by Date: Re: [Full-disclosure] DHS need to get on top of this right now
Previous by thread: Re: [Full-disclosure] Distributed SSH username/password brute forceattack
Next by thread: [Full-disclosure] ifnet.it WEBIF XSS Vulnerability
Index(es):
- Date
- Thread

Relevant Pages

Analysis of SSH crc32 compensation attack detector exploit
... Analysis of SSH crc32 compensation attack detector exploit ... detector vulnerability to remotely compromise a Red Hat Linux ... Active Internet connections (servers and established) ...
(Incidents)
RE: Trace of 139 attack?
... Subject: Trace of 139 attack? ... The Administrator account can be locked out if too many ... deleting the logs he cannot do it. ...
(Focus-Microsoft)
Patching 4.4-RELEASE against SSHv1 exploit
... an SSH exploit has been specifically tuned to attack machines running ... FreeBSD 4.x and certain versions of SSH. ... >detector vulnerability to remotely compromise a Red Hat Linux ... >used against systems running OpenSSH 2.1.1 servers which suffer from ...
(FreeBSD-Security)
RE: Trace of 139 attack?
... Subject: Trace of 139 attack? ... > deleting the logs he cannot do it. ... > If this box of yours is a web server to the world, ... > use it as file server with NetBIOS shares 'n stuff. ...
(Focus-Microsoft)
Re: SSH compiled with backdoor
... backdoor passwd into the ssh and wont show up in wtmp, ... ever he logs in as) invisible, so say u login with the username root and ... your use the global hidden passwd it will allow him on as root. ... the file that logs all the logins with time stamps and src ips is "dev/saux" ...
(Incidents)