On Fri, Jun 17, 2005 at 09:14:04AM -0700, Greg Webster wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.4
> Severity: critical
> File: /usr/sbin/sshd
> Tags: security
> Justification: root security hole
>
> Due to the delay that is caused by password checking, once ssh
> determines that the login attempt is for a valid account, attackers can
> statistically prove the existence of accounts on an ssh-accessible server
> remotely. This cuts down greatly on the difficulty of a brute-force
> password-guessing attack. Since user accounts often use worse patterns
> than (hopefully) root does, it doesn't take much to pick user accounts
> that are other than standard accounts and attempt to break in.

You're talking about microsecond delays, right?

> I'd strongly suggest either a randomized delay on responses for login
> attempts on non-existent accounts, or a consistent delay between
> existing and non-existent accounts, or some other method of hiding this
> information.

Didn't this get implemented? I recall hearing about this some time ago
(~18 months?), probably on one of the Debian lists.

> This attack is already in the wild, as shown in logs:

This doesn't seem to indicate any particular attack. I don't know if
there's any evidence that it's doing anything other than sshing to
$user:[EMAIL PROTECTED] (Though there is no evidence to support my claim,
either. It would be interesting to force the use of password
authentication, rather than challenge-response, to see what password is
being used. Takers?).

> Jun 16 08:30:14 localhost sshd[30986]: Illegal user jacob from
> 211.196.3.60
> Jun 16 08:30:16 localhost sshd[30988]: Illegal user michael from
> 211.196.3.60
...

Justin
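The thread raises two practical points: the "consistent delay" mitigation Greg proposes, and the question of what the quoted "Illegal user" log lines actually show. The script below is an added example written for this page, not code from the thread, Debian or OpenSSH. It parses sshd lines in the format quoted above, flags a source IP that tries several distinct non-existent usernames inside a short window (the window and threshold are assumed values, not anything sshd defines), and shows a minimal response-time floor of the kind the report suggests. The sample log is constructed: it contains the two lines quoted in the report plus three made-up lines, with 192.0.2.0/24 documentation addresses for the invented sources.

```python
import re
import time
from collections import defaultdict
from datetime import datetime

# sshd "Illegal user" lines as they appear in the report (OpenSSH 3.8 wording);
# later OpenSSH releases log "Invalid user", so both spellings are accepted.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line, year=2005):
    """Return (timestamp, username, source_ip) for a matching line, else None.
    Syslog lines carry no year, so the caller supplies one (assumed 2005 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_enumeration(lines, window_s=60, min_users=3):
    """Flag source IPs that try at least min_users distinct non-existent usernames
    within any window_s-second span. Returns {ip: distinct users in the worst window}.
    window_s and min_users are assumed thresholds; tune them to the host's traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, user, ip = rec
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        worst = 0
        for i, (start, _) in enumerate(recs):
            in_window = {u for t, u in recs[i:] if (t - start).total_seconds() <= window_s}
            worst = max(worst, len(in_window))
        if worst >= min_users:
            flagged[ip] = worst
    return flagged


def uniform_response(check, *args, floor_s=0.05):
    """Run check(*args) and return its result no sooner than floor_s after the call
    began, so the fast "no such user" path takes as long as a password check would,
    as long as that check itself stays under the floor."""
    start = time.monotonic()
    result = check(*args)
    remaining = floor_s - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return result


def padded_elapsed(check, *args, floor_s=0.05):
    """Measurement helper: returns (result, seconds elapsed) for a padded call."""
    t0 = time.monotonic()
    result = uniform_response(check, *args, floor_s=floor_s)
    return result, time.monotonic() - t0


# Constructed sample log: the two lines quoted in the report plus three made-up
# lines (a third guess from the same host, one guess from 192.0.2.10, one unrelated line).
SAMPLE_LOG = [
    "Jun 16 08:30:14 localhost sshd[30986]: Illegal user jacob from 211.196.3.60",
    "Jun 16 08:30:16 localhost sshd[30988]: Illegal user michael from 211.196.3.60",
    "Jun 16 08:30:18 localhost sshd[30990]: Illegal user admin from 211.196.3.60",
    "Jun 16 08:31:00 localhost sshd[30995]: Illegal user bob from 192.0.2.10",
    "Jun 16 08:31:05 localhost sshd[30997]: Accepted publickey for alice from 192.0.2.20 port 4022 ssh2",
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'211.196.3.60': 3}
    result, dt = padded_elapsed(lambda user: user in {"alice"}, "nobody")
    print(f"lookup for a non-existent user returned {result} after {dt:.3f}s (floor 0.050s)")
```

Two caveats follow from the thread itself. The log check only tells you that one host is cycling through usernames; as Justin notes, the lines alone do not say whether the client is measuring timing or just guessing. And a response floor is a minimum, not constant time: it only hides the existing-versus-missing difference if the slow path (the real password check) finishes under the floor, otherwise the difference reappears above it.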