DaemonForums  

#1
22nd July 2015
J65nko, Administrator

Bug exposes OpenSSH servers to brute-force password guessing attacks

From http://www.itworld.com/article/29514...g-attacks.html

Quote:
A bug in OpenSSH, the most popular software for secure remote access to UNIX-based systems, could allow attackers to bypass authentication retry restrictions and execute many password guesses.

A security researcher who uses the online alias Kingcope disclosed the issue on his blog last week, but he only requested a public vulnerability ID to be assigned Tuesday.
#2
22nd July 2015
Oko, Rc.conf Instructor

This is really not that serious. First off, one should not allow password authentication on Internet-facing ports to begin with, only PermitRootLogin without-password. Some BSD systems like DragonFly BSD ship with such a default. Even if one did allow password login, the first problem is guessing the username, as nobody normal (Linux people are not normal) allows root login with a password anyway.

Besides, one should use the combination of PF's built-in ssh brute-force attack prevention and sshguard, possibly even adding fail2ban for more complex setups.
#3
22nd July 2015
ibara, OpenBSD language porter

http://marc.info/?l=openbsd-cvs&m=143720625406078&w=2
#4
23rd July 2015
ocicat, Administrator

Plus, here is the (more grounded) discussion on misc@:

http://marc.info/?t=143766048000005&r=1&w=2
#5
25th July 2015
thirdm, Spam Deminer

Quote:
Originally Posted by Oko
This is really not that serious. First off, one should not allow password authentication on Internet-facing ports to begin with, only PermitRootLogin without-password. Some BSD systems like DragonFly BSD ship with such a default. Even if one did allow password login, the first problem is guessing the username, as nobody normal (Linux people are not normal) allows root login with a password anyway.

Besides, one should use the combination of PF's built-in ssh brute-force attack prevention and sshguard, possibly even adding fail2ban for more complex setups.

Some services might need password authentication though, e.g. a free shell service. I use public key authentication connecting to these, but only after uploading my public key using password authentication. The person running the sshd up there can't turn off PasswordAuthentication unless he's willing to gather and deploy keys in some way I'm unfamiliar with.

But this problem affects Challenge Response in combination with KbdInteractiveAuthentication, and PAM must be involved, it seems. I suspect you're referring to "password authentication" in a generic sense, not the specific subsystems here, but the article implies that systems with sshd_config having PasswordAuthentication still have the desired login attempt limits. You need to be using this other subsystem, which I'd never heard of before and don't really understand, but was disappointed to find enabled by default on my Slackware system. But Slackware doesn't use PAM, so it's supposed not to be vulnerable (thank you Pat for not enabling PAM yet).
#6
25th July 2015
IdOp, Too dumb for a smartphone

After reading about this I looked in my sshd_configs and found I'd done this long ago:

Code:
# Don't think we're using this, so why allow it:
ChallengeResponseAuthentication no

A good habit I'm sure I picked up due to joining this forum. Although, my firewall doesn't expose ssh to the whole Internet.
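An added audit script (not from the thread, not from OpenSSH) that reads an sshd_config text and reports whether the keyboard-interactive plus PAM combination thirdm describes is in effect, whether IdOp's ChallengeResponseAuthentication no switches it off, and the root-login and password settings from Oko's checklist. The sample configs are constructed; the defaults it assumes (ChallengeResponseAuthentication yes, UsePAM no, PasswordAuthentication yes, MaxAuthTries 6) are those documented in sshd_config(5), and treating an explicit KbdInteractiveAuthentication as overriding ChallengeResponseAuthentication is this script's assumption.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Reads an sshd_config and decides
# whether the keyboard-interactive + PAM combination discussed above is
# effectively enabled. Assumed defaults, per sshd_config(5):
# ChallengeResponseAuthentication yes, UsePAM no, PasswordAuthentication yes.

# Constructed sample: Linux-style config with PAM on and the keyboard-interactive
# keyword left commented out, i.e. at its default of "yes".
SAMPLE_CONFIG='
Port 22
PermitRootLogin yes
PasswordAuthentication no
#ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 6
'
# The same config after applying IdOp's fix.
HARDENED_CONFIG="ChallengeResponseAuthentication no
$SAMPLE_CONFIG"

# sshd_opt CONFIG KEYWORD DEFAULT: effective value of KEYWORD. sshd honours the
# first uncommented occurrence it reads, so the first match wins; anything after
# a Match block is conditional and is ignored here. Keywords and yes/no values
# are compared case-insensitively.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }                 # comment or blank line
        tolower($1) == "match"      { exit }                 # stop at conditional blocks
        tolower($1) == key          { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# kbdint_pam_exposed CONFIG: prints "exposed" (exit 0) when keyboard-interactive
# authentication is on and PAM is in use, "not-exposed" (exit 1) otherwise.
# Assumption: an explicit KbdInteractiveAuthentication overrides the older
# ChallengeResponseAuthentication keyword.
kbdint_pam_exposed() {
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_opt "$1" KbdInteractiveAuthentication "$cra")
    pam=$(sshd_opt "$1" UsePAM no)
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then echo exposed; return 0; fi
    echo not-exposed; return 1
}

# One-line summary covering Oko's checklist (root login, password auth) too.
sshd_summary() {
    printf 'PermitRootLogin=%s PasswordAuthentication=%s MaxAuthTries=%s kbdint+pam=%s\n' \
        "$(sshd_opt "$1" PermitRootLogin unset)" "$(sshd_opt "$1" PasswordAuthentication yes)" \
        "$(sshd_opt "$1" MaxAuthTries 6)" "$(kbdint_pam_exposed "$1")"
}
sshd_summary "$SAMPLE_CONFIG"
sshd_summary "$HARDENED_CONFIG"
```

Run it against a real file with `sshd_summary "$(cat /etc/ssh/sshd_config)"`; settings inside Match blocks are deliberately not evaluated, so check those by hand.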