Re: Keyboard Interactive Attack?

On Jul 22, 2015, at 4:54 PM, Bostjan Skufca <bostjan@xxxxxx> wrote:
> Thanks for clarification.
> 
> One question though:
> As far as I have tested openssh, it logs every unsuccessful
> authentication attempt at the very moment it becomes unsuccessful, not
> after the connection is closed (after timeout or when reaching max
> auth attempts). Is this true even for this attack, or not?
> 
> Because if it is true, if there is an IDS system that bans an IP after X
> failed logins, there should not be any problem. But if logging is
> deferred for any reason, then the IDS cannot detect the attack in a timely
> manner.

I would expect the attempts to each be logged immediately in most cases, so it’s true that something scanning the logs should be able to add new IDS rules without waiting for the connection to close. I’m not all that familiar with the scripts that do that, though. It’s possible in some cases that established connections might not be subject to the new rules, even if they are added quickly. It’s quite common to have an “early” rule in the list that allows established connections to speed up the processing, for instance. If that’s the case, additional password attempts on that already open connection could still be let through.

In the example presented, this could allow 30,000 password attempts before the connection is closed unless some other timeout kicked in before that. As Damien said, though, anything in PAM itself which adds failure delays would still apply, as would any kind of account lockout on too many bad attempts.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx
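The two points above (failures are logged per attempt, so a log scanner can react while the connection is still open; but a ban that lands behind an "accept established" rule does not cut that connection) as an added, self-contained example. This is not code from the thread or from OpenSSH: the log lines are constructed (their format is modelled on sshd's "Failed <method> for <user> from <ip> port <n>" lines), and the rule chain is a small first-match-wins model standing in for an iptables INPUT chain, not real netfilter.

```python
"""
Added example (not from the original message or the OpenSSH project):
count sshd failures per source IP from constructed log lines, then show
why a ban rule placed after an "accept ESTABLISHED" rule does not stop an
already-open connection, while a ban at the head of the chain does.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (assumed format; not real traffic).
# pid 1234 / port 51234 is one long-lived connection making repeated
# keyboard-interactive attempts; each failure is logged as it happens,
# before the connection closes. 198.51.100.7 is an unrelated single failure.
SAMPLE_LOG = """\
Jul 22 16:54:01 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:01 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:02 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:02 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:03 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:03 host sshd[1234]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
Jul 22 16:54:09 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 22 16:54:09 host sshd[1240]: Connection closed by 198.51.100.7 port 40001 [preauth]
"""

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)


def failures_per_ip(log_text: str) -> Counter:
    """Count logged authentication failures per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_ban(log_text: str, threshold: int) -> set:
    """Addresses with at least `threshold` failures: what a log-scanning
    banner decides on, without waiting for the connection to close."""
    return {ip for ip, n in failures_per_ip(log_text).items() if n >= threshold}


@dataclass
class Rule:
    """One entry of a simplified first-match-wins filter chain
    (a stand-in for an iptables INPUT chain; a model, not netfilter)."""
    action: str                   # "ACCEPT" or "DROP"
    state: Optional[str] = None   # conntrack state to match; None = any
    src: Optional[str] = None     # source address to match; None = any

    def matches(self, src: str, state: str) -> bool:
        return self.state in (None, state) and self.src in (None, src)


def base_rules() -> List[Rule]:
    """The layout discussed in the thread: an early rule accepting packets
    of established connections, then accept new connections, then drop."""
    return [
        Rule("ACCEPT", state="ESTABLISHED"),
        Rule("ACCEPT", state="NEW"),
        Rule("DROP"),
    ]


def insert_ban(rules: List[Rule], ip: str, position: int) -> List[Rule]:
    """Return a copy of `rules` with a per-source DROP at `position`."""
    banned = list(rules)
    banned.insert(position, Rule("DROP", src=ip))
    return banned


def evaluate(rules: List[Rule], src: str, state: str) -> str:
    """Walk the chain; the first matching rule decides. Chain policy is DROP."""
    for rule in rules:
        if rule.matches(src, state):
            return rule.action
    return "DROP"


if __name__ == "__main__":
    attacker = "203.0.113.5"
    print("failures:", dict(failures_per_ip(SAMPLE_LOG)))
    print("ban:", ips_to_ban(SAMPLE_LOG, threshold=5))
    late = insert_ban(base_rules(), attacker, position=1)   # behind the ESTABLISHED accept
    early = insert_ban(base_rules(), attacker, position=0)  # head of the chain
    for name, chain in (("ban after ESTABLISHED rule", late), ("ban at head", early)):
        print(name, "| new:", evaluate(chain, attacker, "NEW"),
              "| established:", evaluate(chain, attacker, "ESTABLISHED"))
```

With the ban behind the ESTABLISHED rule, a new connection from the attacker is dropped but the open one keeps getting ACCEPT, so the remaining attempts on that session go through exactly as described above; only the ban at the head of the chain cuts both. On a real host, check the order with `iptables -S INPUT`, and if a ban must also end sessions that are already open, either insert it ahead of the ESTABLISHED rule or additionally delete the connection's tracking entry (for example `conntrack -D -s <ip>` from conntrack-tools).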



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
