- J.J.F. / Hackers Team warns for SSHD 2.x brute force password

[patrick () pine nl (Patrick Oonk)]

Found this at http://www.jjf.org/advisory/SshdJJFen.txt

        - J.J.F. / Hackers Team - Security Advisory
        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  Date: 05/09/1999
  Release: 05/14/1999
  Author: Zhodiac <zhodiac () jjf org>
  URL: http://www.jjf.org
  Application: sshd2 up to 2.0.11
  OS: Unix
  Risk: Risky :), long term could gain system access.

  -=-=-=-=-=-=-=-=
   Introduction
  -=-=-=-=-=-=-=-=

        In the default instalation of sshd2 (up to 2.0.11) there is an
  open way to bruteforce a login/password, without any kind of ip
logging
  by the sshd. Version 2.0.12 and newers seems to be not vulnerable to
  this attack, because it logs the ip at connection time.

  -=-=-=-=-=-=-=-=
   Details
  -=-=-=-=-=-=-=-=

        When a ssh client connects to the daemon, it has a number
  (default is three) of attempts to guess the correct password before
  disconnecting. If we shutdown the connection before using up the
number
  of attempts, the daemon will not log neither the connection, the
  password guesses nor the ip of the client.

        One cristal clear example:

  [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
  zhodiac's password:
  zhodiac's password:
  zhodiac's password:

  Disconnected; authentication error.
  [zhodiac@piscis zhodiac]$

  In /var/log/messages:

     May  9 12:42:53 piscis sshd2[1391]: User authentication failed:
     'Authentication method disabled. (user 'zhodiac', client address
     '192.168.1.1:1344', requested service 'ssh-connection')'
        
        Now we try the bug:

  [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
  zhodiac's password:
  zhodiac's password:
  zhodiac's password: FATAL: Received signal 2.
  [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
  zhodiac's password:
  zhodiac's password:
  zhodiac's password: FATAL: Received signal 2.
  [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
  zhodiac's password:
  zhodiac's password:
  zhodiac's password: FATAL: Received signal 2.
  [zhodiac@piscis zhodiac]$

        Those  "FATAL: Received signal2." are the response of
  interrupting the program with a ^C.

        Lets see what syslog did:

  May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected:
Connection
  closed.
  May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected:
Connection
  closed.
  May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected:
Connection
  closed.

        No ip, no password guesses attempts on the logs!
  So a bruteforce can be done without any kind of logging... Sorry
  script-kiddies, no program available!

  -=-=-=-=-=-=-=-=
   Quick Fix
  -=-=-=-=-=-=-=-=

        Edit the file sshd2_config (usually at /etc/ssh2), set the value
  of "PasswordGuesses" to 1. With this each time a password is tried it
  will log it in the following way:

         May  9 12:46:07 piscis sshd[1308]: User authentication failed:
  'Authentication method disabled. (user 'zhodiac', client address
  '192.168.1.1:1527', requested service 'ssh-connection')'

         It is also recommended to set the value of "ListenAddress" so we
  will have more control of which ips can use our ssh service.

        A better solution is to upgrade to 2.0.12 version or newer , with
  them at connection it will log via syslog in the following way:

     May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  zhodiac () jjf org

  http://www.jjf.org
  - J.J.F. / Hackers Team - Security Advisory
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

--
 Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
 Pine Internet B.V.           Consultancy, installatie en beheer
 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
 -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
 Excuse of the day: Feature was not beta tested