|
Based on an analysis of the logs for my SSH honeypot, it appears that this latest spate of SSH brute force attacks are using keyboard-interactive authentication, rather than the standard password authentication. |
Tom 160 Posts Jun 18th 2010 |
| Thread locked Subscribe |
Jun 18th 2010 1 decade ago |
|
Fortunately, it looks like a lot of Linux distros have ChallengeResponseAuthentication disabled by default, but you should double check anyway.
|
jtanium 3 Posts |
| Quote |
Jun 18th 2010 1 decade ago |
|
Thanks for the high-quality analysis! I am actually using S/Key (OPIE) on one of my servers, so I have ChallengeResponseAuthentication. I have other layers of protection that should keep them at bay.
But my question is: Do you know any more about the vulnerability? Are the attackers just trying to identify systems with S/Key enabled, and brute-force the S/Key response? Or are they exploiting an actual bug in OpenSSH or OPIE, which will get them in on the first try without having to do a dictionary attack? |
jtanium 3 Posts |
| Quote |
Jun 18th 2010 1 decade ago |
|
@bjnord: I don't think they are exploiting any OPIE authentication. We too have noticed a change in scanning/BF'ing behavior the last couple days (with a massive new rash of attacks that started Wednesday). It appears that the SSH BF'ing engine in the bots has been overhauled. As Tom said, there are hosts that have PasswordAuthentication disabled. It appears the new engine has now taken that into consideration, being rewritten to supply a "keyboard interactive" password instead.
Another indicator of the SSH BF'ing engine rewrite is the ower amount of LibSSH occurrences in the sessions. In addition, the distributed nature scanning has been adjusted to be really stealth, running quite a bit under previous thresholds. Anyone using Snort signatures with thresholds on SSH attacks is advised to re-evaluate those threshold levels. Having SSH honeypots will certainly assist in spotting the attacks. |
Frank 24 Posts |
| Quote |
Jun 18th 2010 1 decade ago |
|
We have been using Fail2Ban in place (for SSH, POP3/IMAP4, et al) ... would this attack be impervious to this as well?
|
Frank 1 Posts |
| Quote |
Jun 18th 2010 1 decade ago |
|
@CSI: No. Fail2Ban triggers on host-based logs. As long as the failure message logged is recognized as a failure (which it should), Fail2Ban will still function fine.
|
Frank 24 Posts |
| Quote |
Jun 18th 2010 1 decade ago |
|
If this option is manageable, use TCP Wrappers to limit which IPs should have access to the server. It will also log the authentication failures. I have seen the same activity as well on my gate for a while now.
Jun 16 19:56:51 blocker sshd[2263]: refused connect from 119.147.xxx.xx (119.147.xxx.xx) Jun 16 20:50:57 blocker sshd[2389]: refused connect from 109.169.xxx.xx (109.169.xxx.xx) Jun 17 06:29:58 blocker sshd[3828]: refused connect from 220.231.xxx.xx (220.231.xxx.xx) |
Guy 522 Posts ISC Handler |
| Quote |
Jun 18th 2010 1 decade ago |
|
I'm stunned. Thank you for writing about this setting, as I wasn't aware of it, and I actually had left it accidentally enabled on a machine with weak login passwords. Thankfully I didn't get compromised before reading this and fixing the problem.
|
Anonymous |
| Quote |
Jun 19th 2010 1 decade ago |
|
RTFM.
ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed. All authentication styles from login.conf(5) are supported. The default is “yes”. ----------- On debian lenny - with PasswordAuthentication no the output is debug1: Next authentication method: publickey |
Anonymous |
| Quote |
Jun 19th 2010 1 decade ago |
|
I note that the default in debian lenny is -->
ChallengeResponseAuthentication no |
Anonymous |
| Quote |
Jun 19th 2010 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
