Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: critical
File: /usr/sbin/sshd
Tags: security
Justification: root security hole

Due to the delay that is caused by password checking, once ssh determines that the login attempt is for a valid account, attackers can statistically prove the existence of accounts on an ssh-accessible server remotely. This cuts down greatly on the difficulty of a brute-force password-guessing attack. Since user accounts often use worse patterns than (hopefully) root does, it doesn't take much to pick user accounts that are other than standard accounts and attempt to break in.

I'd strongly suggest either a randomized delay on responses for login attempts on non-existent accounts, or a consistent delay between existing and non-existent accounts, or some other method of hiding this information.

This attack is already in the wild, as shown in logs:

Jun 16 08:30:14 localhost sshd[30986]: Illegal user jacob from 211.196.3.60
Jun 16 08:30:16 localhost sshd[30988]: Illegal user michael from 211.196.3.60
Jun 16 08:30:18 localhost sshd[30990]: Illegal user joshua from 211.196.3.60
Jun 16 08:30:20 localhost sshd[30992]: Illegal user matthew from 211.196.3.60
Jun 16 08:30:22 localhost sshd[30994]: Illegal user andrew from 211.196.3.60
Jun 16 08:30:22 localhost sshd[30996]: Illegal user jacob from 211.196.3.60
Jun 16 08:30:24 localhost sshd[30998]: Illegal user joseph from 211.196.3.60
Jun 16 08:30:24 localhost sshd[31000]: Illegal user michael from 211.196.3.60
Jun 16 08:30:26 localhost sshd[31002]: Illegal user ethan from 211.196.3.60
Jun 16 08:30:26 localhost sshd[31004]: Illegal user joshua from 211.196.3.60
Jun 16 08:30:28 localhost sshd[31006]: Illegal user daniel from 211.196.3.60
Jun 16 08:30:28 localhost sshd[31008]: Illegal user matthew from 211.196.3.60
Jun 16 08:30:30 localhost sshd[31010]: Illegal user christopher from 211.196.3.60

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-20041103
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh depends on:
ii  adduser         3.63           Add and remove users and groups
ii  debconf         1.4.51         Debian configuration management sy
ii  dpkg            1.10.28        Package maintenance system for Deb
ii  libc6           2.3.2.ds1-22   GNU C Library: Shared libraries an
ii  libpam-modules  0.76-22        Pluggable Authentication Modules f
ii  libpam-runtime  0.76-22        Runtime support for the PAM librar
ii  libpam0g        0.76-22        Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7g-1       SSL shared libraries
ii  libwrap0        7.6.dbs-8      Wietse Venema's TCP wrappers libra
ii  zlib1g          1:1.2.2-4      compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
  ssh/user_environment_tell:
* ssh/forward_warning:
* ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/SUID_client: true
  ssh/disable_cr_auth: false
* ssh/privsep_tell:
  ssh/ssh2_keys_merged:
  ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/run_sshd: true
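The two sides of the report above, as an added illustration that is not part of the bug report and not OpenSSH's own code: first, the "consistent delay" mitigation the reporter asks for, shown as a toy login check that hashes against a dummy credential when the account does not exist so that both code paths cost the same; second, a defender-side scan of the "Illegal user" log lines quoted in the report that flags a source address probing many distinct non-existent accounts in a short window. The user database, passwords, and the detection thresholds (min_users, window_s) are constructed for this example; the log lines are the ones from the report.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict
from datetime import datetime

# ---- Part 1: a login check that does the same amount of work for unknown users ----

_ITER = 20_000  # PBKDF2 iterations; chosen only so the timing difference is visible


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


# Constructed single-user database: username -> (salt, stored hash). Not a real system.
_SALT_ALICE = os.urandom(16)
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy credential: burned through whenever the account does not exist, so the
# "no such user" path costs as much as a real password comparison.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-never-valid", _DUMMY_SALT)


def leaky_check(user: str, password: str) -> bool:
    """Naive check: returns immediately for unknown users, which is the timing oracle."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def uniform_check(user: str, password: str) -> bool:
    """Always runs the hash; unknown users are compared against the dummy credential."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    return matched and user in USERS  # dummy match can never log anyone in


def timing_gap(check, rounds: int = 3) -> float:
    """Ratio of elapsed time for an unknown user vs a known user; near 1.0 means no oracle."""
    def elapsed(user: str) -> float:
        start = time.perf_counter()
        for _ in range(rounds):
            check(user, "wrong password")
        return time.perf_counter() - start
    return elapsed("nobody") / elapsed("alice")


# ---- Part 2: flag enumeration sweeps in sshd "Illegal user" log lines ----

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Illegal user (\S+) from (\S+)$"
)


def enumeration_sources(lines, min_users: int = 5, window_s: int = 60) -> dict:
    """Return {source_ip: sorted distinct usernames} for every source that tried
    at least min_users distinct non-existent accounts within window_s seconds."""
    events = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an "Illegal user" record; ignore
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        events[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


# Log lines quoted in the bug report.
SAMPLE_LOG = """\
Jun 16 08:30:14 localhost sshd[30986]: Illegal user jacob from 211.196.3.60
Jun 16 08:30:16 localhost sshd[30988]: Illegal user michael from 211.196.3.60
Jun 16 08:30:18 localhost sshd[30990]: Illegal user joshua from 211.196.3.60
Jun 16 08:30:20 localhost sshd[30992]: Illegal user matthew from 211.196.3.60
Jun 16 08:30:22 localhost sshd[30994]: Illegal user andrew from 211.196.3.60
Jun 16 08:30:22 localhost sshd[30996]: Illegal user jacob from 211.196.3.60
Jun 16 08:30:24 localhost sshd[30998]: Illegal user joseph from 211.196.3.60
Jun 16 08:30:24 localhost sshd[31000]: Illegal user michael from 211.196.3.60
Jun 16 08:30:26 localhost sshd[31002]: Illegal user ethan from 211.196.3.60
Jun 16 08:30:26 localhost sshd[31004]: Illegal user joshua from 211.196.3.60
Jun 16 08:30:28 localhost sshd[31006]: Illegal user daniel from 211.196.3.60
Jun 16 08:30:28 localhost sshd[31008]: Illegal user matthew from 211.196.3.60
Jun 16 08:30:30 localhost sshd[31010]: Illegal user christopher from 211.196.3.60
""".splitlines()

if __name__ == "__main__":
    print("leaky unknown/known time ratio:  ", round(timing_gap(leaky_check), 3))
    print("uniform unknown/known time ratio:", round(timing_gap(uniform_check), 3))
    print("enumeration sources:", enumeration_sources(SAMPLE_LOG))
```

The uniform check is the same idea OpenSSH later adopted under the name of a fake password: the cost of deciding "no such user" is made indistinguishable from the cost of rejecting a wrong password. The log scan is a complement rather than a substitute, since the sweep in the report is visible from the log alone: one source, nine distinct account names in sixteen seconds.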