back to article OpenSSH server open to almost unlimited password-guessing bug

A flaw in OpenSSH lets attackers bypass simple limits on the number of password login attempts that can be made per connection. By default, the encrypted service accepts six tries within a grace period of two minutes before breaking off a connection, which hampers brute-force attacks, but this mechanism can be easily …

  1. Paul 129

    Good Stuff

    Find it and fix it!

  2. Ole Juul

    PermitRootLogin no

    As the article suggests, key authentication is probably the safer choice here. I'd say the best. But I do think that not a lot of people permit root login any more. I certainly don't. That means that an attacker still has to guess the user name for logging in. With a hypothetical name like K2fRln4b it could take them a while to even get to use their exploit - especially since fail2ban will have locked them out for a day after the third try.

    1. Justin Pasher

      Re: PermitRootLogin no

      Although I wouldn't necessarily say that "not a lot of people permit root login any more" (at least intentionally), in Debian Jessie they finally made the default config option "PermitRootLogin without-password" to help with people that just run out-of-the-box setups.

  3. Ben Tasker

    Using fail2ban won't necessarily protect you.

    A lot of iptables tutorials (and so by extension, sysadmins) will add something like the following at the top of their INPUT chain

    -m state --state related,established -j accept

    The nature of this bug means the attacker has 10,000 attempts without being disconnected.

    Fail2ban will pick up on the log entries and add the source IP to its chain, but if the jump to that isn't until after the above their existing connection won't get cut off

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      I was under the impression that fail2ban inserted it's blocking rules at the top of the chain? It certainly has on my boxes.

      target prot opt source destination

      f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh

      ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED



  4. Binnacle

    no problem for "not stupid"

    For the "not stupid" crowd who disable SSH password authentication and rely on certificates, is a non-issue.

    Tried the provided command and got exactly one (not 10000)

    Permission denied (publickey).

    1. Roo

      Re: no problem for "not stupid"

      I found the exploit didn't work against my ancient Lucid Lynx boxes, but that could be dumb luck because I haven't tweaked the sshd & PAM setup.

    2. Rule of Thumb

      Re: no problem for "not stupid"

      Back in the GOD, they used to tell us how dangerous .rhosts files were because once crackers owns one box, they can easily access others. I understand that ssh is encrypted and that ssh prevents MITM attacks but it still seems wildly unsecure to me to allow passwordless access. I would call you (@Binnacle) stupid for doing so... Am I missing something?

    3. Michael Wojcik Silver badge

      Re: no problem for "not stupid"

      10K attempts isn't an issue for password authentication unless the attacker has a dictionary weighted against the victim - such as one based on personal information, or one based on commonly-used passwords if the victim uses a weak password.

      Aspell's English dictionary has more than an order of magnitude more entries, so even a password chosen from common English words isn't likely to be found in 10K attempts.

      This attack is certainly notable, and not a negligible threat if your threat model includes users with weak passwords, but it's not equivalent to, say, a good offline attack. Certainly it's a very weak justification for certificate authentication. (Which is not to say anything about other arguments for or against certificate authentication - just that this isn't a persuasive one.)

  5. Anonymous Coward
    Anonymous Coward


    But I don't like pam!

    1. Frumious Bandersnatch

      Re: pam,pam,pam,pam,pam,pam,pam,pam,...

      Nice to see that some people can still read Perl code. I was going to make a similar post but you beat me to it. Have an upvote.

      1. Michael Wojcik Silver badge

        Re: pam,pam,pam,pam,pam,pam,pam,pam,...

        Nice to see that some people can still read Perl code

        That's never been an issue. The problem is that some people still write it.

  6. Groaning Ninny

    Other fail2ban issue...

    I do use fail2ban, and I've seen a slightly worrying set of login attempts from ever-changing IPs. Okay, so each IP is blocked after the five attempts allowed, but there are some farms out there with lots of IPs available...

    1. Anonymous Coward
      Anonymous Coward

      Re: Other fail2ban issue...

      > I do use fail2ban, and I've seen a slightly worrying set of login attempts from ever-changing IPs.

      Welcome to the internet...

      One very simple trick is to move the ssh port above 1024. By default many port scanners don't bother checking anything other than the privileged ports so you see a dramatic drop off in the number of attempts.

      Turning off root login is a must and using only keys is highly recommended.

      I know many people cannot do this for various reasons but I also use the geoip filters in iptables to block China, Taiwan, Russia and the Ukraine which seems to stop the bulk of the attempts at the first hurdle.

      I almost never see a fail2ban email these days...

    2. Gene Cash Silver badge

      Re: Other fail2ban issue...

      > there are some farms out there with lots of IPs available

      I deal with that by blocking the /16


      # iptables -L -n | grep DROP | wc -l


      That's a serious assload of attacks.

      > One very simple trick is to move the ssh port above 1024

      Not really. My experience is they keep scanning ports for a while if you let 'em

      1. This post has been deleted by its author

        1. jackandhishat

          Re: Other fail2ban issue...

          I always loved the idea of port knocking. Proper secret squirrel kinda stuff.

  7. Anonymous Coward
    Anonymous Coward


    They'll have to crack my VPN in order to bypass the firewall before they can even attempt to connect to my SSH servers (and then get blocked by fail2ban)

    Why would anyone leave an SSH server open to the wild internet these days, other than as a honeypot?

    1. This post has been deleted by its author

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Because that's what a VPN actually is?

      "Hey Dawg, we heard you like VPNs, so we put a VPN into your VPN so you can tunnel while you tunnel"

    3. Anonymous Coward
      Anonymous Coward

      Re: But...

      > Why?!??

      Because SSH actually works.

  8. Roo

    Seems a bit quiet in here today.

    There's usually >0 fanbois lecturing folks on how crap Open Source is every time there is a major vuln, where are they today ?

    Can't help but wonder if it's a coincidence that two firms I called up today couldn't actually do anything because their Windows boxes were all down, one tried calling their (major) courier - their systems were down too, and the ASP ridden internet banking website I use is also down as well.

    Anyone else noticed a slightly higher than average level of brokeness out there ?

  9. Morpheus1973

    Blackhole the bastards

    I wrote a script a couple years ago that monitors secure log and blackholes any IP address that isn't whitelisted. Miscreants are given a nice welcome message that they have 5 mins max to authenticate. Now I have a database of tens of thousands of IP blocks and individual addresses and it keeps growing every day.

    It has saved my connection from getting hosed by botnets many many times.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like