Re: SSH bruteforce on its way...

From: Russell Fulton (r.fulton_at_auckland.ac.nz)
Date: 10/24/05

  • Next message: Javier Fernandez-Sanguino: "Re: SSH bruteforce on its way..." 
    Date: Tue, 25 Oct 2005 09:17:07 +1300
To: incidents@securityfocus.com

    Justin wrote:
    > Jouser,
    >
    > Nah, there were some exploits a while back that took advanteage in
    > some timing flaws in the SSHd that let attackers determin valid
    > usernames.
    Would you please provide some supporting references. I can not find any
    evidence of existing timing attacks against openssh. In fact Openssh
    goes to some trouble to defeat such attacks.

    While on this thread, one effective counter measure against brute force
    password attacks is to use decent passwords which everyone should be
    doing anyway. We have lost about 3 systems here to ssh brute force
    attacks and in all cases the systems were in serious breach of our
    policies (which are not particularly draconian).

    In one case I did feel a bit sorry for the victims, they had installed a
    third party package that created an account with an insecure password
    and they never noticed. A good case for simple monitoring script like
    the one that is run nightly on OBSD system that warns you about changes
    in critical files.

    Russell.

    >
    > peace,
    > --Justin
    >
    > On 21 Oct 2005 18:05:27 -0000, jouser@gmail.com <jouser@gmail.com> wrote:
    >
    >>I didn't think it was possible to determine valid usernames by themselves? You either have a valid username AND password or not.
    >>

  • Next message: Javier Fernandez-Sanguino: "Re: SSH bruteforce on its way..."

    Relevant Pages

    • Re: How fast computers have made ciphers unbreakable
      ... type of brute force, not even the NSA. ... attacks (and attacks requiring 2^64 bytes of chosen plaintext are not ... Backdoors might help, but even backdoors are hard to include in ... computers become faster and faster and practical attacks move further ...
      (sci.crypt)
    • Re: passw0rd trial limit
      ... he/she can only login for aboout 2 hours later ... configuration)--then brute force the logins. ... As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. ... You have an option to go with a managed service or an enterprise software. ...
      (Pen-Test)
    • RE: Windows Systems Defaced/destroyed, plus Port 3389 attacks
      ... Thor was writing TSGrinder to basically brute force the way in. ... >therefore makes it difficult to observe or detect brute force attacks with ... The new tool will be able to bypass the logon banner via calls we could not ...
      (Incidents)
    • RE: xp professional - local administrator password
      ... Brute force attacks take too long. ... Linux boot disk to boot the computer and then you can change the password. ... Captus Networks ...
      (Security-Basics)
    • Re: Query string variables security risk
      ... this can be a security risk subject to "brute force" attacks. ... and, if so, what is the proper way to handle it? ...
      (microsoft.public.dotnet.framework.aspnet)