Re: SSH brute force blocking tool

[<daylasoul () hush com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 28 Nov 2006 10:59:43 -0600 "J. Oquendo"
<sil () infiltrated net> wrote:
> Tavis Ormandy wrote:
> > On Tue, Nov 28, 2006 at 04:02:36PM +0000, Tavis Ormandy wrote:
> > I notice you also havnt solved the local privilege escalation,
> this can
> > be abused by local users to gain root by attempting to login
> with the
> > username set to a valid passwd entry and then winning the race
> condition
> > by creating a symlink to the system passwd file (of course,
> there are
> > dozens of other attacks).
> >
> > Thanks, Tavis.
>
> And just what on God's earth does "SOMEONE LOGGING IN WITH
> USERNAME SET
> TO A VALID PASSWORD ENTRY" have to do with this script. Let me
> take my
> script out of the equation for a minute. "SOMEONE LOGS IN WITH A
> USERNAME SET TO A VALID PASSWORD ENTRY" don't you think this is a
> problem with the system they're on? Please explain to me how
> because I'm
> seriously curious to know how you envision this happening with
> this
> script of mine.
>
> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from
> 213.134.128.227
> awk '($5=="Illegal"||$6=="Illegal")&&$9=="from"{print $10}'
>
> Would stop the insertion attack and only print out the tench field
> if
> fields 5, 6 and 9 match Illegal user from.
>
> So that would pretty much minimize the attack on name insertion.
> If I
> wanted to I could also make sure that if someone came after field
> 10,
> then ignore the entire line:
> Nov 27 16:31:21 local sshd[67010]: Illegal user dd from
> 213.134.128.227
>
> But before you shoot back let me send your response for you:
>
> Tavis Ormandy will write:
> >  "Someone could log in using: "Illegal User foo from
> $OWNIPADDRESS"@host which would make an entry:
> >  Nov 27 16:31:21 local sshd[67010]: Illegal user  dd from
> Illegal User
> foo from $OWNIPADDRESS 213.134.128.227"
>
> SO let me restate. I could modify it to look at lines 5, 6, and 9
> ...
> Take a look at the tenth column and if anything comes after
> that...Ignore that entire line... Should I have done so, maybe...
> Will I
> do so... Maybe...
>
> But wait there's more... Before you respond back Tavis, I will do
> so for
> you:
>
> Tavis Ormandy will write:
> > "Someone could cause a race condition in awk that will allow
> peanut
> butter to seep into my colo"
>
> Sorry can't help you there.
>
> As to a fix to someone injecting ranDumb addresses. That same awk
> statement above will work but if they're doing some netcat voodoo,
> then
> feel free to shoot off another email on how my script broke TCP/IP
> entirely.
>
>
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
>
> The happiness of society is the end of government.
> John Adams
please take disagreements off list and make sure quoting does not
exceed that which is necessary to convey context.  Thanks.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkVsgAsACgkQ3AEcWsxdEQ4qeQP+M4H5IfprYdHqysEMl9frCqXsfh9T
3z8XL6MD44oBRr657t3ren6Dl/mhUxuWsIJ2dIApxSJYK51J8RShFL+KuW/7VKnUqZEQ
ln93svmpEt3A1hsB8/TPsJePKSP5avRUh9X5WxfxZRmi5WVM3uOcpDr1//EsgnUd7tyI
dvwNGRY=
=TtP4
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/