Date: Thu, 13 May 1999 19:54:56 +0200
From: Patrick Oonk <[email protected]>
To: [email protected]Subject: - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Found this at http://www.jjf.org/advisory/SshdJJFen.txt
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Date: 05/09/1999
Release: 05/14/1999
Author: Zhodiac <[email protected]>
URL: http://www.jjf.org
Application: sshd2 up to 2.0.11
OS: Unix
Risk: Risky :), long term could gain system access.
-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=
In the default instalation of sshd2 (up to 2.0.11) there is an
open way to bruteforce a login/password, without any kind of ip
logging
by the sshd. Version 2.0.12 and newers seems to be not vulnerable to
this attack, because it logs the ip at connection time.
-=-=-=-=-=-=-=-=
Details
-=-=-=-=-=-=-=-=
When a ssh client connects to the daemon, it has a number
(default is three) of attempts to guess the correct password before
disconnecting. If we shutdown the connection before using up the
number
of attempts, the daemon will not log neither the connection, the
password guesses nor the ip of the client.
One cristal clear example:
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:
Disconnected; authentication error.
[zhodiac@piscis zhodiac]$
In /var/log/messages:
May 9 12:42:53 piscis sshd2[1391]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1344', requested service 'ssh-connection')'
Now we try the bug:
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$
Those "FATAL: Received signal2." are the response of
interrupting the program with a ^C.
Lets see what syslog did:
May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected:
Connection
closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected:
Connection
closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected:
Connection
closed.
No ip, no password guesses attempts on the logs!
So a bruteforce can be done without any kind of logging... Sorry
script-kiddies, no program available!
-=-=-=-=-=-=-=-=
Quick Fix
-=-=-=-=-=-=-=-=
Edit the file sshd2_config (usually at /etc/ssh2), set the value
of "PasswordGuesses" to 1. With this each time a password is tried it
will log it in the following way:
May 9 12:46:07 piscis sshd[1308]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1527', requested service 'ssh-connection')'
It is also recommended to set the value of "ListenAddress" so we
will have more control of which ips can use our ssh service.
A better solution is to upgrade to 2.0.12 version or newer , with
them at connection it will log via syslog in the following way:
May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[email protected]http://www.jjf.org
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--
Patrick Oonk - PO1-6BONE - [email protected] - www.pine.nl/~patrick
Pine Internet B.V. Consultancy, installatie en beheer
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
-- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
Excuse of the day: Feature was not beta tested
