Re: Keyboard Interactive Attack?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 23 July 2015 at 04:33, Ron Frederick <ronf@xxxxxxxxxxxxx> wrote:

> On Jul 22, 2015, at 4:54 PM, Bostjan Skufca <bostjan@xxxxxx> wrote:
> > Thanks for clarification.
> >
> > One question though:
> > As far as I have tested openssh, it logs every unsuccessful
> > authentication attempt on the very moment it becomes unsuccessful, not
> > after the connection is closed (after timeout or when reaching max
> > auth attempts). Is this true or not even for this attack or not?
> >
> > Because if it is true, if there is a IDS system that bans IP after X
> > failed logins, there should not be any problem. But if logging is
> > deferred for any reason, then IDS can not detect the attack in timely
> > manner.
>
> I would expect the attempts to each be logged immediately in most cases,
> so it’s true that something scanning the logs should be able to add new IDS
> rules without waiting for the connection to close. I’m not all that
> familiar with the scripts that do that, though. It’s possible in some cases
> that established connections might not be subject to the new rules, even if
> they are added quickly. It’s quite common to have an “early” rule in the
> list that allows established connections to speed up the processing, for
> instance. If that’s the case, additional password attempts on that already
> open connection could still be let through.
>

I don't think adding new rules is necessary, if this behaviour produces
average log messages about failed logins.


In the example presented, this could allow 30,000 password attempts before
> the connection is closed unless some other timeout kicked in before that.
> As Damien said, though, anything in PAM itself which adds failure delays
> would still apply, though, as would any kind of account lockout on too many
> bad attempts.
>

Trying 30.000 passwords takes time, even over 1Gbps lan connection. It is
true there is some time buffer and usually, if attacker is really fast,
s/he might get more attempts before IDS kicks in, but usually we are
talking about sub-second delays here.

BTW does anyone know a decent ssh scanner that is fast, so I can test my
OSSEC HIDS installation for what is described in paragraph above? Tnx.

b.



> --
> Ron Frederick
> ronf@xxxxxxxxxxxxx
>
>
>
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux