[unisog] step up in SSH scanning starting today?

Elliot Kendall ekendall at brandeis.edu
Tue May 13 17:52:16 GMT 2008


On 2008-05-13 12:28:24 -0500, Christopher A Bongaarts wrote:
> Most of the rate-limiting/lockout workarounds (DenyHosts happens to
> be my preference) should also help protect against brute-forcing
> private keys.

It's true that rate limiting will help against private key brute
forcing, but not as much as for passwords. You're only allowed to try a
single password per connection, but (at least against OpenSSH) you're
allowed to try seven private keys. Combine that with the distributed attacks
we've been seeing, and bad guys can try a lot of keys even against
systems with rate limiting.

Also, depending on how your specific rate limiting solution works, it
might be looking for "Failed password" in the logs. If the attacker
never offers a password, that message will never show up in the logs.

$ ssh-add -l
2048 6b:5c:00:44:a0:9f:90:70:1a:10:33:a5:4b:43:81:57 id_a (RSA)
2048 ae:da:37:06:93:f0:fb:2f:e9:c4:5c:fe:18:36:79:c3 id_b (RSA)
2048 c4:e3:5b:8d:f9:d0:25:98:73:72:47:e4:1f:8c:df:d6 id_c (RSA)
2048 7f:bf:73:5c:fb:e0:ad:80:9f:e0:2d:c6:ee:41:1c:12 id_d (RSA)
2048 d7:59:c9:fc:66:37:3d:22:2c:55:3f:c7:a0:eb:b2:61 id_e (RSA)
2048 c1:87:0e:ce:5c:3b:09:b2:58:80:93:0e:32:85:28:68 id_f (RSA)
2048 57:42:43:a3:09:51:e0:73:ef:41:92:19:1d:bb:e3:5b id_g (RSA)
2048 b4:98:59:56:07:ed:f9:a6:e8:2f:35:8b:41:85:89:b7 id_h (RSA)

$ ssh -v root at localhost
...
debug1: Offering public key: id_a
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_b
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_c
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_d
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_e
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_f
debug1: Authentications that can continue: publickey
debug1: Offering public key: id_g
Received disconnect from 127.0.0.1: 2: Too many authentication failures for root

-- 
Elliot Kendall <ekendall at brandeis.edu>
Network Security Architect
Brandeis University

Trouble replying? See http://people.brandeis.edu/~ekendall/sign/
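Added illustration (not part of the post above, and not Brandeis or OpenSSH code): a small log checker showing the gap the post describes. A counter that only greps for "Failed password" never sees the key-only source, while one that also counts "Failed publickey" and "Too many authentication failures" lines, tying the latter to a source address through the sshd child process id, catches it. The log lines are constructed samples, and the per-key failure lines assume sshd is logging them (they may require LogLevel VERBOSE).

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines, not taken from the original post.
# 10.0.0.5 guesses passwords, one per connection; 10.0.0.9 offers keys only,
# so it never produces a "Failed password" line. The "Too many authentication
# failures" line carries no source address, so it is attributed to the
# address seen earlier under the same sshd child pid.
SAMPLE_LOG = """\
May 13 17:40:01 host sshd[4101]: Failed password for root from 10.0.0.5 port 40001 ssh2
May 13 17:40:02 host sshd[4102]: Failed password for root from 10.0.0.5 port 40002 ssh2
May 13 17:40:03 host sshd[4103]: Failed password for root from 10.0.0.5 port 40003 ssh2
May 13 17:40:04 host sshd[4104]: Failed publickey for root from 10.0.0.9 port 40004 ssh2
May 13 17:40:04 host sshd[4104]: Failed publickey for root from 10.0.0.9 port 40004 ssh2
May 13 17:40:04 host sshd[4104]: Failed publickey for root from 10.0.0.9 port 40004 ssh2
May 13 17:40:05 host sshd[4104]: Disconnecting: Too many authentication failures for root
May 13 17:40:07 host sshd[4109]: Accepted publickey for ekendall from 10.0.0.7 port 40009 ssh2
"""

FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
LOCKOUT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: Too many authentication failures")


def count_failures(log, password_only=False):
    """Return {source_ip: failure_count}. password_only=True mimics a tool
    that only looks for "Failed password" and is blind to key-only attempts."""
    counts = defaultdict(int)
    ip_by_pid = {}  # last source address seen for each sshd child pid
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ip_by_pid[m["pid"]] = m["ip"]
            if password_only and m["method"] != "password":
                continue
            counts[m["ip"]] += 1
            continue
        m = LOCKOUT_RE.search(line)
        if m and not password_only and m["pid"] in ip_by_pid:
            # MaxAuthTries exhausted in this session: one more strike against
            # the address that session came from.
            counts[ip_by_pid[m["pid"]]] += 1
    return dict(counts)


def sources_to_block(log, threshold=3, password_only=False):
    """Addresses whose failure count reaches the lockout threshold."""
    return sorted(ip for ip, n in count_failures(log, password_only).items()
                  if n >= threshold)
```

With the sample above, the password-only view blocks just 10.0.0.5; the full view also blocks 10.0.0.9.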