
Good Stuff
Find it and fix it!
A flaw in OpenSSH lets attackers bypass simple limits on the number of password login attempts that can be made per connection. By default, the encrypted service accepts six tries within a grace period of two minutes before breaking off a connection, which hampers brute-force attacks, but this mechanism can be easily …
As the article suggests, key authentication is probably the safer choice here. I'd say the best. But I do think that not a lot of people permit root login any more. I certainly don't. That means that an attacker still has to guess the user name for logging in. With a hypothetical name like K2fRln4b it could take them a while to even get to use their exploit - especially since fail2ban will have locked them out for a day after the third try.
Although I wouldn't necessarily say that "not a lot of people permit root login any more" (at least intentionally), in Debian Jessie they finally made the default config option "PermitRootLogin without-password" to help with people that just run out-of-the-box setups.
Using fail2ban won't necessarily protect you.
A lot of iptables tutorials (and so, by extension, sysadmins) will add something like the following at the top of their INPUT chain:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The nature of this bug means the attacker has 10,000 attempts without being disconnected.
Fail2ban will pick up on the log entries and add the source IP to its chain, but if the jump to that isn't until after the above, their existing connection won't get cut off.
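To make the ordering problem in the comment above concrete, here is an added example (not code from the thread or from fail2ban) that models how the INPUT chain is walked. It evaluates constructed packets against two rule orderings: the "tutorial" one with a blanket RELATED,ESTABLISHED accept first, and a corrected one where the jump to fail2ban's chain sits above it. The chain name f2b-sshd, the banned address and the rules are all assumptions made for the illustration; nothing here touches real iptables.

```python
"""Toy model of iptables INPUT-chain evaluation (added illustration, not part
of the original thread). Shows why an early
'-m state --state RELATED,ESTABLISHED -j ACCEPT' lets an already-open SSH
session continue after fail2ban has added the source IP to its chain."""

from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    dport: int
    state: str  # conntrack state: "NEW", "ESTABLISHED", ...

@dataclass
class Rule:
    target: str                        # "ACCEPT", "DROP", "RETURN" or a user chain
    src: Optional[str] = None          # match on source address (None = any)
    dport: Optional[int] = None        # match on destination port (None = any)
    states: set = field(default_factory=set)  # conntrack states to match (empty = any)

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.states or pkt.state in self.states))

def evaluate(chains, chain, pkt, policy="DROP"):
    """Walk `chain` top to bottom: the first matching terminating target wins,
    a user chain that RETURNs continues with the next rule, and falling off the
    end of the built-in chain applies its policy."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = evaluate(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy

BANNED = "203.0.113.7"  # constructed attacker address (documentation range)

def fail2ban_chain():
    # What a ban looks like in fail2ban's chain: DROP the address, then RETURN.
    return [Rule("DROP", src=BANNED), Rule("RETURN")]

def tutorial_ruleset():
    """Ordering criticised in the comment: ESTABLISHED accepted before the
    fail2ban chain is ever consulted."""
    return {
        "INPUT": [
            Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
            Rule("f2b-sshd", dport=22),
            Rule("ACCEPT", dport=22, states={"NEW"}),
        ],
        "f2b-sshd": fail2ban_chain(),
    }

def hardened_ruleset():
    """Same rules with the jump to fail2ban's chain placed first, so a ban
    also stops packets on the attacker's existing session."""
    return {
        "INPUT": [
            Rule("f2b-sshd", dport=22),
            Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
            Rule("ACCEPT", dport=22, states={"NEW"}),
        ],
        "f2b-sshd": fail2ban_chain(),
    }

def verdict_for_open_session(chains):
    """Verdict for a packet belonging to the banned host's already-open session."""
    return evaluate(chains, "INPUT", Packet(BANNED, 22, "ESTABLISHED"))

def verdict_for_new_session(chains):
    """Verdict for a fresh connection attempt from the banned host."""
    return evaluate(chains, "INPUT", Packet(BANNED, 22, "NEW"))

if __name__ == "__main__":
    for name, rs in (("tutorial", tutorial_ruleset()), ("hardened", hardened_ruleset())):
        print(f"{name}: established={verdict_for_open_session(rs)} "
              f"new={verdict_for_new_session(rs)}")
```

With the tutorial ordering the new connection is dropped but the established one sails through, which is exactly the gap the comment describes; with the jump moved up, both verdicts are DROP. Note that fail2ban's stock iptables-multiport action inserts its jump with `-I` (at the top), so the bad ordering typically arises when a firewall script later re-inserts its own rules above it.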
Back in the GOD, they used to tell us how dangerous .rhosts files were because once crackers own one box, they can easily access others. I understand that ssh is encrypted and that ssh prevents MITM attacks but it still seems wildly insecure to me to allow passwordless access. I would call you (@Binnacle) stupid for doing so... Am I missing something?
10K attempts isn't an issue for password authentication unless the attacker has a dictionary weighted against the victim - such as one based on personal information, or one based on commonly-used passwords if the victim uses a weak password.
Aspell's English dictionary has more than an order of magnitude more entries, so even a password chosen from common English words isn't likely to be found in 10K attempts.
This attack is certainly notable, and not a negligible threat if your threat model includes users with weak passwords, but it's not equivalent to, say, a good offline attack. Certainly it's a very weak justification for certificate authentication. (Which is not to say anything about other arguments for or against certificate authentication - just that this isn't a persuasive one.)
> I do use fail2ban, and I've seen a slightly worrying set of login attempts from ever-changing IPs.
Welcome to the internet...
One very simple trick is to move the ssh port above 1024. By default many port scanners don't bother checking anything other than the privileged ports so you see a dramatic drop off in the number of attempts.
Turning off root login is a must and using only keys is highly recommended.
I know many people cannot do this for various reasons but I also use the geoip filters in iptables to block China, Taiwan, Russia and the Ukraine which seems to stop the bulk of the attempts at the first hurdle.
I almost never see a fail2ban email these days...
> there are some farms out there with lots of IPs available
I deal with that by blocking the /16
Still...
# iptables -L -n | grep DROP | wc -l
576
That's a serious assload of attacks.
> One very simple trick is to move the ssh port above 1024
Not really. My experience is they keep scanning ports for a while if you let 'em
There's usually >0 fanbois lecturing folks on how crap Open Source is every time there is a major vuln; where are they today?
Can't help but wonder if it's a coincidence that two firms I called up today couldn't actually do anything because their Windows boxes were all down, one tried calling their (major) courier - their systems were down too, and the ASP ridden internet banking website I use is also down as well.
Anyone else noticed a slightly higher than average level of brokenness out there?
I wrote a script a couple years ago that monitors secure log and blackholes any IP address that isn't whitelisted. Miscreants are given a nice welcome message that they have 5 mins max to authenticate. Now I have a database of tens of thousands of IP blocks and individual addresses and it keeps growing every day.
It has saved my connection from getting hosed by botnets many, many times.
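For readers who want to see what the kind of secure-log watcher described in the post above looks like, here is an added example; it is not the commenter's script. It scans sshd failure lines, counts failed logins per source address, skips whitelisted addresses and networks, and returns the addresses that crossed a threshold. The log lines are constructed, and the whitelist, the threshold and the name addresses_to_ban are assumptions; actually applying a ban (an iptables DROP or a blackhole route) is left to the caller.

```python
"""Minimal sshd auth-log watcher (added example, not the commenter's script).
Parses OpenSSH 'Failed password' / 'Failed publickey' lines, tallies failures
per source address, ignores a whitelist, and reports what to ban."""

import ipaddress
import re
from collections import Counter

# Matches the failure lines OpenSSH writes to auth.log / secure (IPv4 or IPv6 source).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Assumed whitelist: a management network plus one jump host (documentation ranges).
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.10/32")]
THRESHOLD = 3  # assumed: report an address after this many failures

def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)

def failures_by_ip(lines):
    """Count failed sshd logins per source address, ignoring whitelisted sources."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m and not is_whitelisted(m["ip"]):
            counts[m["ip"]] += 1
    return counts

def addresses_to_ban(lines, threshold=THRESHOLD):
    """Addresses whose failure count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= threshold)

# Constructed sample log: one attacker over the threshold, one whitelisted user
# fumbling their password, one successful key login, one IPv6 single failure.
SAMPLE_LOG = """\
Jul 23 10:01:02 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 23 10:01:03 host sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 23 10:01:04 host sshd[2112]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 23 10:01:05 host sshd[2120]: Failed password for alice from 192.0.2.55 port 50000 ssh2
Jul 23 10:01:06 host sshd[2120]: Failed password for alice from 192.0.2.55 port 50000 ssh2
Jul 23 10:01:07 host sshd[2120]: Failed password for alice from 192.0.2.55 port 50000 ssh2
Jul 23 10:01:08 host sshd[2130]: Accepted publickey for bob from 198.51.100.10 port 51000 ssh2: ED25519 SHA256:AAAA
Jul 23 10:01:09 host sshd[2140]: Failed password for invalid user test from 2001:db8::1 port 3333 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip in addresses_to_ban(SAMPLE_LOG):
        print("ban", ip)
```

Run against the sample it reports only 203.0.113.7: alice's three failures are ignored because her source is whitelisted, and the IPv6 source has not reached the threshold. In a real deployment you would feed it the live log (tail -F or journalctl) and add a time window so stale failures age out.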