Not sure if others have seen this yet

------------------

https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/

"OpenSSH has a default value of six authentication tries before it will
close the connection (the ssh client allows only three password entries
per default).

With this vulnerability an attacker is able to request as many password
prompts limited by the 'login graced time' setting, that is set to two
minutes by default."

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
> Not sure if others have seen this yet
>
> ------------------
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
>
> With this vulnerability an attacker is able to request as many password
> prompts limited by the 'login graced time' setting, that is set to two
> minutes by default."

Does it produce multiple entries in the server logs? I'm curious if sshguard etc. would detect this. If I understand what's going on, this might appear as if it's a single "session" and be able to bypass pf overload rules. I'll have to play around with it and see what it does.
Because a potential intruder can establish multiple or "tag-teamed" TCP sessions (possibly from different IPs) to the SSH server, a per-session limit is barely useful and will not slow a determined attacker. A global limit might, but would enable DoS attacks.

--Brett Glass

At 01:19 PM 7/17/2015, Mike Tancsa wrote:
> Not sure if others have seen this yet
>
> ------------------
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
>
> With this vulnerability an attacker is able to request as many password
> prompts limited by the 'login graced time' setting, that is set to two
> minutes by default."
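The two points raised above, whether the bypass shows up as many failures on one "session" (Mike's question about sshguard and pf overload) and whether a per-IP view catches tag-teamed connections (Brett's point), can both be checked against auth logs. The following is an added example, not code from the thread or from OpenSSH. It assumes sshd writes one "Failed <method> for ... from <ip> port <port> ssh2" line per rejected prompt, which is exactly the open question in the thread, so verify that on a patched and an unpatched host before relying on it. The log lines, hostnames, PIDs and addresses are constructed for the demo.

```python
"""Spot MaxAuthTries-bypass sessions and tag-teamed brute force in sshd logs.

Added example for the freebsd-security thread above, not from the original
posts or from OpenSSH. Assumption: sshd logs one "Failed ..." line per
rejected prompt. SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import Counter

# sshd's failure line: "Failed <method> for [invalid user ]<user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) ssh2"
)

MAX_AUTH_TRIES = 6  # sshd default, as quoted in the thread

# Constructed sample: one TCP connection (same source port) racking up nine
# keyboard-interactive failures, three one-try connections from a second
# host (the "tag-team" pattern), and one unrelated successful login.
SAMPLE_LOG = [
    f"Jul 17 14:19:{sec:02d} gw sshd[8123]: Failed keyboard-interactive/pam for root "
    "from 203.0.113.5 port 40122 ssh2"
    for sec in range(1, 10)
] + [
    f"Jul 17 14:19:{40 + n} gw sshd[{8130 + n}]: Failed password for invalid user admin "
    f"from 198.51.100.7 port {51001 + n} ssh2"
    for n in range(3)
] + [
    "Jul 17 14:20:00 gw sshd[8140]: Accepted publickey for mike from 192.0.2.10 port 60211 ssh2",
]


def parse_failures(lines):
    """Yield (method, user, ip, port) for every failed-auth line; skip the rest."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m["method"], m["user"], m["ip"], int(m["port"])


def failures_per_connection(lines):
    """Failures keyed by (ip, port), i.e. one key per TCP session.

    With MaxAuthTries enforced no key can exceed MAX_AUTH_TRIES; a larger
    count on a single session is the signature of the bypass.
    """
    counts = Counter()
    for _method, _user, ip, port in parse_failures(lines):
        counts[(ip, port)] += 1
    return counts


def maxauthtries_bypass_suspects(lines, max_auth_tries=MAX_AUTH_TRIES):
    """Sessions that received more prompts than sshd should have allowed."""
    return {k: n for k, n in failures_per_connection(lines).items() if n > max_auth_tries}


def failures_per_ip(lines):
    """Failures keyed by source IP regardless of session (catches tag-teaming)."""
    counts = Counter()
    for _method, _user, ip, _port in parse_failures(lines):
        counts[ip] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs at or above `threshold` failures across all their sessions."""
    return {ip: n for ip, n in failures_per_ip(lines).items() if n >= threshold}


if __name__ == "__main__":
    for (ip, port), n in maxauthtries_bypass_suspects(SAMPLE_LOG).items():
        print(f"bypass suspect: {ip}:{port} got {n} prompts on one connection")
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute-force source: {ip} with {n} failures")
```

A pf overload rule or sshguard keyed on connection count would see 203.0.113.5 as a single connection and never trip; the per-session count is what exposes it. The per-IP count catches 198.51.100.7's three separate connections but, as Brett notes, not an attacker spreading the same attempts across many source addresses.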
On 7/17/2015 3:19 PM, Mike Tancsa wrote:
> ------------------
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> With this vulnerability an attacker is able to request as many password
> prompts limited by the 'login graced time' setting, that is set to two
> minutes by default."

There is a patch in the OpenSSH tree to mitigate this. Any chance of bringing this in before 10.2R ships?

https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab

---Mike
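For hosts that cannot take the upstream patch yet, an added sshd_config comparison (not from the thread, and not the OpenSSH project's fix): the first fragment spells out the settings the thread quotes, six tries per connection and a two-minute grace window, with keyboard-interactive enabled; the second removes the keyboard-interactive method the bypass repeats and shortens the grace window, which on an unpatched sshd is the only thing bounding prompts per connection. Disabling ChallengeResponseAuthentication and PasswordAuthentication assumes key-based logins are already in place, so check the effective result with `sshd -T` before restarting.

```text
# Before: the behaviour the thread describes. Keyboard-interactive (PAM) is
# available, and MaxAuthTries is the only brake on prompts per connection.
ChallengeResponseAuthentication yes
PasswordAuthentication yes
MaxAuthTries 6
LoginGraceTime 120

# After (assumed hardening, not the upstream patch): no keyboard-interactive
# method, so there is no prompt for the bypass to repeat; keys only; and a
# shorter grace window to cap what an unpatched sshd will hand out anyway.
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
```

Neither fragment addresses Brett's tag-teaming point: limits here are per connection, and cross-connection rate limiting still has to come from pf, sshguard or similar, with the DoS trade-off he describes.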