Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
Brute-Force SSH Server Attacks Surge (InformationWeek)Brute-Force SSH Server Attacks Surge (InformationWeek)Posted May 14, 2008 18:49 UTC (Wed) by tialaramex (subscriber, #21167)Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)
Fedora installs SSH and opens a hole for it in the default firewall. So far as I know this is still true in Fedora 9. This is a frustrating type of vulnerability because it involves the user doing something stupid (using a really easy password for 'root' or having a really obvious username AND using a really easy password). The phrase "brute-force" in the write-up really over-states what they're trying, SSH isn't vulnerable to being brute-forced, each connection incurs a small but deliberate delay which, combined with the deliberately slow PAM authentication step means that attackers can't hope to try more than a thousand or so passwords in an hour. As a brute force technique that would be hopeless. Even with the ability to connect to say 100 machines at a time (much more and you run into problems with port re-use that screw you up) they couldn't make much headway. Instead they're relying on small dictionaries, of variable quality. Some might have 500 very common passwords and try them all against the 'root' account, others have username + password pairs, or try just a few usernames of old Unix daemons and other system accounts (the latter attack certainly won't work on any vaguely modern Linux distro since these accounts have no login privileges). Unfortunately, we can't actually rely on users not to pick 'password' as the root password of their machine. So we need to create a situation where ordinary users (since they're the only ones who'll benefit) can switch off remote password authentication and disable login to the root account. It seems like Ubuntu and similar distros have decided instead to throw their hands in the air and disable remote administation out of the box. In reality I'd guess that a large number of machines get the remote auth turned back on (with appropriate holes in the firewall) when the user realises how inconvenient this is. So it doesn't achieve our goal of making the user safer (though it does mean Ubuntu supporters can say Ubuntu isn't vulnerable to this problem, which gets them some cheerleading points) I'd suggest that we need • User friendly SSH key sharing. People who can play Solitaire and write a document in OpenOffice.org also need to be able to create and use SSH keys to authenticate between their laptop and desktop computer, between the desktop computer and the Linux storage/ AV server under the stairs maintained by their spouse/ sibling/ neighbor and so on. This isn't so that they can get a bash prompt but so that they can use SFTP and similar user authenticated remote services. • Documentation which concentrates on the "login as yourself, obtain root privileges only when necessary" model, maybe through sudo and the existing privilege escalation dialogs in GUI environments. We're 90% of the way there on this, and as a result should turn off root logins altogether by default. If you can't log in as root, then attackers can't either. But to some extent I think we have to "suck it up" on these unwanted log messages. Attackers are trying to break into your machine, and being reminded of that is no bad thing.
(Log in to post comments)
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 14, 2008 20:21 UTC (Wed) by eru (subscriber, #2753) [Link] "throw their hands up" I disagree. For any distro that is likely to be installed by 'laymen' for desktop use, disabling sshd and other forms of remote login is the only responsible default. These users are unlikely to need it, and those that do are more sophisticated and know how to turn it on (or at least know how to find that out).
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 0:29 UTC (Thu) by tialaramex (subscriber, #21167) [Link] There's no reason it needs to be so dangerous that you'd want to disable it. If you don't have root logins, and you require a key for access (where the search time is controlled by a computer algorithm rather than by a human's ability to remember complicated strings of letters and digits) you can make SSH an uninteresting target. If the script kiddies had a dozen boxes chewing away for weeks at a time and didn't get a single hit they'd stop doing it. That they're currently still doing it suggests that it probably still works. Which means there are still machines where you can ssh in with username 'root' password 'sesame' and get a root bash prompt. I think we should fix /this/ part rather than just disabling SSH by default.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 4:34 UTC (Thu) by bronson (subscriber, #4806) [Link] > There's no reason it needs to be so dangerous that you'd want to disable it. Sure there is. A closed port is infinitely more safe than a listening port. Well, maybe not infinitely. But it's a huge number. The difference is so big that running listening servers that the user isn't actually using is downright irresponsible. > If you don't have root logins, and you require a key for access ... you can make SSH an uninteresting target. Not if you were running Debian or Ubuntu. :(
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 9:19 UTC (Thu) by ekj (subscriber, #1524) [Link] True, but you exxagerate somewhat. Not only the *relative* risk, but also the *absolute* risk is relevant. It may be true that a non-listening port is one million times safer from network-exploits than a listening-port. (number grasped out of thin air) But if the risk that a certain service causes problems is miniscule enough, then that reduction in risk is still ignorable. If, for example, there's a 1:100 chance that a certain setup will be compromised in a year, and a 1:1000000 chance that a given service will be compromised, then turning off that service while in principle good, in practice makes no detectable difference to the overall security of the host.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 15:33 UTC (Thu) by bronson (subscriber, #4806) [Link] Hm, are you saying that worrying about running services is silly because there are so many more reliable ways of rooting a box? If so, I have two replies: - Running services have always been most effective way of remoting a box. They are the 1:100 number you quoted. - Disregarding a 1:100000 chance event might make sense on some level. The problem is that Linux deployments are immense and the downside of having your box rooted is so enormous. If 36,000 Linux boxes will be compromised this year, and a particular running service is responsible for only 60 of those breakins, it sounds like you're saying that the service is statistically insignificant and can be ignored. That might keep the statisticians happy but I think it is clearly wrong. At least, I hope that the distros I use don't feel that way!
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 16, 2008 6:00 UTC (Fri) by ekj (subscriber, #1524) [Link] Nah. We don't really disagree. I'm just nitpicking. Specifically, I'm nitpicking the claim that a large relative reduction in risk by ITSELF is a reason to do something. Cutting a risk by 99% sounds great, my point was merely that if the risk is miniscule already, it may be that it's not worthwhile. Arguably, the safest default is to install no servers, unless the user specifically requests the install (default: not installed), but some services are probably still better left installed. Indeed, the safest default is to install NOTHING whatsoever, but this is hardly reasonable, despite improvements to security. Similarily, the safest default if the user DOES explicitly install a service is to not run it -- requiring the user to explicitly enable it if he wants it. But this is unreasonable; most people who install say "openssh-server" also wants to run it, so defaulting to off is unfriendly, even though sligthly more secure. Further, the safest default config would be something like disable-root-login disable-password-authenthication allow-login-only-from-whitelisted-hosts, but again, this would be unfriendly because it would mean extra work for most people. So this is probably not worth it -- despite being more secure.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 5:48 UTC (Thu) by MattPerry (subscriber, #46341) [Link] > There's no reason it needs to be so dangerous that you'd want to disable it. Then disable it because it's not needed. It's trivial to enable for those who need it. For others who don't, it's just using system resources unnecessarily.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 2:51 UTC (Thu) by gdt (subscriber, #6284) [Link] Fedora could improve, a lot. Firstly, it could ask on the installer screen if a ssh server for remote administration is needed. And if it is it could insist on a non-root user name and a reasonable password. It could offer the alternative for public-key only access. It should not be possible to SSH to a Fedora machine as root. Secondly, it could restrict ssh usage to just the users which need it. Create a group sshusers and require incoming ssh to be a member of that group. Thirdly, it could add GUI tools to make public keys simpler to use. Fourthly, it could issue a banner upon ssh connection. This will increase traffic bills for scanning machines, making their owners on ADSL billing plans pay attention. Fifthly, it could ask the user the address range of their local trusted network upon installation and set /etc/hosts.allow (which sshd obeys) accordingly. OpenSSH could also help. Stacking authentication (such as requiring public key and login password) would be very useful. I've found on the well-known servers which we run that moving the ssh port only works for a day at the most.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 5:36 UTC (Thu) by njs (subscriber, #40338) [Link] > We're 90% of the way there on this, and as a result should turn off root logins altogether by default. *cough* This is exactly what Ubuntu does.
PermitRootLogin without-password Posted May 15, 2008 10:02 UTC (Thu) by gvy (guest, #11981) [Link] Recent OpenSSH 4.x support restricting root to key-only auth; that's how it's set up by default in ALT Linux 4.0. Previous ALT releases used to "PermitRootLogin no" and recommend sudo/su -- preferably with separate user in wheel group since one of control(8)-ed settings for /bin/su and /usr/bin/sudo file permissions is "suid, executable by wheel group, no world perms at all". I think I've heard of 1 (one) case when unsuspecting ALT Linux user would get his root account bruteforced -- due to offline system with easy password and manually enabled remote root login being brought online. Still AllowUsers/AllowGroups is basically a must on multiuser systems where not literally everyone must have remote access; as mentioned, IP filtering and weird port are also worthy things to consider doing, depending on one's situation. Port knocking techniques sometimes come handy too.
|
|||||||||||