By Jake Edge
October 21, 2009
Brute force password-guessing attacks against ssh are all too common these
days. But, various countermeasures can be used to blunt their impact. A
recent discussion
on the freebsd-hackers mailing list looks at the problem and some solutions.
Ssh is generally the tool of choice for connecting to remote servers and it
is rare that it is disabled on any true multi-user, network-connected
machine. Typically, it is configured such that users need to log in with
their normal username/password pair. But, since users often use
poorly-chosen passwords—and usernames are relatively easily
guessed—trying a large number of combinations of credentials will
often gain unauthorized access.
In addition, most Linux (or UNIX, for that matter) machines have several known usernames
that can be tried ("root", "news", "mail", etc.), which can reduce the
search space significantly. Of course, gaining access to the root account
compromises the entire system, so many ssh installations do not allow root
to log in via ssh. In fact, disabling root logins (using "PermitRootLogin
no" in /etc/ssh/sshd_config) is generally one of the first
suggestions for making ssh more secure.
Another countermeasure against these kinds of attacks is turning off
password authentication entirely, which can be done using
"PasswordAuthentication no" in the configuration file. In that case, only
users who have installed public keys for the hosts and accounts they wish
to use to log in will be allowed. That completely eliminates the possibility
of password guessing attacks, but does require that users protect the
corresponding private keys. An attacker who gains access to the private
key can immediately log in as the user.
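The two settings just described are easy to get wrong in practice: sshd_config keywords are case-insensitive, and for each keyword sshd uses the first value it obtains, so a hardening line that appears after a permissive one has no effect. The checker below is an added example (not from the article and not OpenSSH's own code) that parses sshd_config text and flags the weak or missing settings; the sample configurations are constructed, the set of expected values is an assumed policy, and settings inside "Match" blocks are skipped because they are conditional.

```python
"""Audit sshd_config text for the hardening settings the article names.

Added example, not OpenSSH code. Parsing follows sshd_config(5) for the
global section: keywords are case-insensitive, "Keyword value" and
"Keyword=value" are both accepted, and the FIRST obtained value wins.
Everything after the first "Match" line is conditional and is not audited.
"""
import re

# Assumed policy for this example: keyword -> values considered safe.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
}


def parse_global_section(config_text):
    """Return {keyword_lowercase: first_value} for the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue                              # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                 # rest is conditional
        settings.setdefault(key, value)           # first obtained value wins
    return settings


def audit(config_text):
    """Return [(keyword, effective_value, finding)] for every weak setting.

    effective_value is None when the keyword is absent, in which case the
    compiled-in sshd default applies and the hardening is not explicit.
    """
    settings = parse_global_section(config_text)
    findings = []
    for key, safe in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, None, "not set; sshd default applies"))
        elif value.lower() not in safe:
            findings.append((key, value, "permissive value"))
    return findings


# Constructed samples. In WEAK the later "PermitRootLogin no" is ignored by
# sshd because the permissive line comes first.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

Running the block prints two findings for WEAK and none for HARDENED; a configuration that mentions neither keyword is reported as relying on sshd's defaults rather than being treated as safe.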
A brute force attempt on a server generally leaves an audit trail in a
server's log files, which can be used by an administrator to block the
offending IP address. Of course, attackers quickly recognized that repeatedly
trying passwords from a single address was likely to result in either being
blocked or being caught by the authorities. So, distributed brute force
attacks were born.
In a distributed attack, multiple hosts—quite possibly members of a
botnet of some kind—attack multiple victim machines so that there are
many more addresses to block. In addition, those addresses change
frequently, so an administrator needs some kind of automated tool to keep
up. Enter DenyHosts and other,
similar tools, such as Fail2ban.
The basic idea behind these tools is that they scan various log files for
evidence of a brute force attack. Once they find an offending IP
address—based on various criteria—they update firewall or other
access-control configurations to
deny access from those addresses. Essentially, they automatically ban the
addresses of hosts participating in these distributed brute force attacks.
There is a balance to be struck in terms of the criteria used to determine
"bad" hosts. Denying access to legitimate users—who forget their
password or try to log in from a host without the right private
key—needs to be avoided. Typically, hosts that do not misbehave for
some period of time will age off the bad host list, but legitimate users
are unlikely to be willing to wait that long.
On the other hand, setting the criteria too high will still allow too many
attempts from attack hosts before they get stopped. In addition, with the
size of today's botnets, there may be no reason for a particular address to
make more than one attempt per hour, or day, which will generally fly under
the radar of most configurations. But DenyHosts turns the tables on
distributed attacks by collecting distributed data of its own, from many
different hosts, in what is called "synchronization mode".
Basically, a central server collects information from DenyHosts's users on
which IP addresses they have determined to be bad. That information can
then be used by other DenyHosts installations to effectively ban
addresses that have not yet attacked them, but are currently attacking
other DenyHosts users.
There are dangers to this approach, of course, and it still may not catch
the largest botnets where individual IP addresses never quite reach the
thresholds required to ban them, but it can help. The standard problems
with blacklists and false positives certainly apply, and one could imagine
all kinds of havoc that could come from malicious DenyHosts installations,
but it is one way to leverage the data from multiple victims. A further
refinement might be to provide the raw failure data, rather than just the
bad IP addresses filtered by each site's failure criteria, to the central
server. That server could then correlate single attack attempts on
multiple hosts to
more easily catch the larger botnets.
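To make the difference between the three strategies concrete (per-site thresholds as in the paragraph on "bad" host criteria, the union of per-site ban lists that synchronization mode amounts to, and the raw-failure correlation suggested just above), here is an added example that is not DenyHosts code. The sshd log lines are constructed, the thresholds and the minimum number of sites are assumed policy values, and the site name is taken from the syslog hostname field so that one stream can stand in for several sites' logs.

```python
"""Per-site thresholds, synchronized ban lists, and cross-site correlation
over sshd "Failed password" log lines.

Added example, not DenyHosts's own code. The log lines are constructed and
use documentation addresses; THRESHOLDS and min_sites are assumptions.
"""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<site>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Separate criteria for unknown users, known users and root, in the spirit of
# DenyHosts's per-category thresholds (the numbers are assumptions).
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}


def parse_failures(lines):
    """Yield (site, ip, category) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                      # accepted logins, other daemons
        if m.group("user") == "root":
            category = "root"
        elif m.group("invalid"):
            category = "invalid"
        else:
            category = "valid"
        yield m.group("site"), m.group("ip"), category


def local_bans(lines, thresholds=THRESHOLDS):
    """What each site decides on its own: {site: set of banned IPs}."""
    counts = Counter()
    bans = {}
    for site, ip, category in parse_failures(lines):
        bans.setdefault(site, set())
        counts[(site, ip, category)] += 1
        if counts[(site, ip, category)] >= thresholds[category]:
            bans[site].add(ip)
    return bans


def synchronized_bans(lines, thresholds=THRESHOLDS):
    """Synchronization mode as a union of the per-site decisions: an IP
    banned anywhere is banned everywhere, but an IP that never crosses a
    threshold at any single site is never reported."""
    return set().union(*local_bans(lines, thresholds).values())


def correlated_bans(lines, min_sites=3):
    """Correlation over raw failures: an IP that fails at least once on
    min_sites distinct sites is banned even though no site's threshold
    was reached, which is how low-and-slow botnet members surface."""
    sites_per_ip = defaultdict(set)
    for site, ip, _category in parse_failures(lines):
        sites_per_ip[ip].add(site)
    return {ip for ip, sites in sites_per_ip.items() if len(sites) >= min_sites}


# Constructed sample: one noisy attacker against www1, one root attempt, a
# legitimate user typo, and a slow attacker making one attempt per site.
SAMPLE_LOG = """\
Oct 21 10:00:01 www1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct 21 10:00:04 www1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct 21 10:00:07 www1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Oct 21 10:05:00 www1 sshd[1210]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Oct 21 10:05:30 www1 sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Oct 21 11:00:00 www1 sshd[1300]: Failed password for root from 192.0.2.9 port 60001 ssh2
Oct 21 11:30:00 www2 sshd[2300]: Failed password for invalid user test from 192.0.2.10 port 60002 ssh2
Oct 21 12:30:00 www3 sshd[3300]: Failed password for invalid user test from 192.0.2.10 port 60003 ssh2
Oct 21 13:30:00 www4 sshd[4300]: Failed password for invalid user test from 192.0.2.10 port 60004 ssh2
""".splitlines()

if __name__ == "__main__":
    print("per-site:     ", local_bans(SAMPLE_LOG))
    print("synchronized: ", synchronized_bans(SAMPLE_LOG))
    print("correlated:   ", correlated_bans(SAMPLE_LOG))
```

On the sample, www1 bans the noisy attacker and the root attempt while alice's single typo stays well under the "valid user" threshold; synchronization mode spreads those two bans to every site but never sees 192.0.2.10, which only the cross-site correlation catches.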
Much like the spam problem, brute force ssh attacks are a kind of arms
race. Administrators will need to change tactics periodically as the types
of attacks change. Turning off password authentication is not possible for
all installations—and still doesn't get rid of the log file mess that
brute force attacks leave behind—so techniques like DenyHosts's
synchronization mode will, unfortunately, be needed for the foreseeable future.
New vulnerabilities
camlimages: integer overflows
| Package(s): | camlimages |
| CVE #(s): | CVE-2009-3296 |
| Created: | October 16, 2009 |
| Updated: | June 1, 2010 |
| Description: | From the Debian advisory: It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images. |
| Alerts: | |
django: denial of service
| Package(s): | django |
| CVE #(s): | |
| Created: | October 16, 2009 |
| Updated: | October 21, 2009 |
| Description: | From the Django project advisory: Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack. |
| Alerts: | |
gd: buffer overflow
| Package(s): | gd |
| CVE #(s): | CVE-2009-3546 |
| Created: | October 20, 2009 |
| Updated: | July 2, 2012 |
| Description: | From the CVE entry: The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2009-2908, CVE-2009-2909, CVE-2009-2910 |
| Created: | October 16, 2009 |
| Updated: | February 15, 2010 |
| Description: | From the Red Hat bugzilla: A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message: When calling vfs_unlink() on the lower dentry, d_delete() turns the dentry into a negative dentry when the d_count is 1. This eventually caused a NULL pointer deref when a read() or write() was done and the negative dentry's d_inode was dereferenced in ecryptfs_read_update_atime() or ecryptfs_getxattr(). (CVE-2009-2908) From the Red Hat bugzilla: The ax25 code tried to use "if (optlen < sizeof(int)) return -EINVAL;" as a security check against optlen being negative (or zero) in the set socket option. Unfortunately, "sizeof(int)" is an unsigned property, with the result that the whole comparison is done in unsigned, letting negative values slip through. (CVE-2009-2909) From the Red Hat bugzilla: An information leak was discovered in the kernel where a 32-bit process running in 64-bit mode could possibly read certain 64 bit registers. (CVE-2009-2910) |
| Alerts: | |
mysql-ocaml: missing escape function
| Package(s): | mysql-ocaml |
| CVE #(s): | CVE-2009-2942 |
| Created: | October 15, 2009 |
| Updated: | November 10, 2009 |
| Description: | From the Debian advisory: It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. |
| Alerts: | |
perl-net-oauth: session fixation vulnerability
| Package(s): | perl-net-oauth |
| CVE #(s): | |
| Created: | October 16, 2009 |
| Updated: | October 21, 2009 |
| Description: | From the Fedora advisory: A session fixation vulnerability was discovered in OAuth protocol 1.0. Perl OAuth bindings were updated to support the new version of the OAuth protocol that was issued to address the vulnerability. All OAuth users are strongly advised to update to this updated package and protocol version 1.0a which fixes the vulnerability. See the OAuth security advisory for more information. |
| Alerts: | |
pidgin: denial of service
| Package(s): | pidgin |
| CVE #(s): | CVE-2009-3615 |
| Created: | October 19, 2009 |
| Updated: | April 29, 2010 |
| Description: | From the VUPEN advisory: A vulnerability has been identified in Pidgin, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in the Oscar protocol plugin when processing malformed ICQ or AIM contacts sent by the SIM IM client, which could cause an invalid memory access leading to a crash. |
| Alerts: | |
poppler: integer overflow
| Package(s): | poppler |
| CVE #(s): | CVE-2009-3607 |
| Created: | October 21, 2009 |
| Updated: | March 5, 2010 |
| Description: | From the Red Hat bugzilla entry: Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function. |
| Alerts: | |
postgresql-ocaml: missing escape function
| Package(s): | postgresql-ocaml |
| CVE #(s): | CVE-2009-2943 |
| Created: | October 15, 2009 |
| Updated: | November 10, 2009 |
| Description: | From the Debian advisory: It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. |
| Alerts: | |
pygresql: missing escape function
| Package(s): | pygresql |
| CVE #(s): | CVE-2009-2940 |
| Created: | October 15, 2009 |
| Updated: | December 11, 2009 |
| Description: | From the Debian advisory: It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility. |
| Alerts: | |
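The mysql-ocaml, postgresql-ocaml and pygresql entries above all describe the same defect: an escaping function that works on bytes without knowing the connection's character set can leave a quote unescaped once the server decodes the result as a multibyte encoding. The following added example (not code from any of those packages, and not touching a database) models the old byte-oriented escape_string() next to a charset-aware escaper in the spirit of real_escape()/escape_string_conn(), and adds a checker that decodes the escaped bytes as the server would and reports any bare quote. The inputs are constructed and GBK is used only because it has two-byte characters whose second byte may be 0x5c.

```python
"""Byte-oriented versus charset-aware quote escaping.

Added example, not code from mysql-ocaml, postgresql-ocaml or pygresql.
The escapers model the behaviour described in the advisories; the checker
decodes the escaped bytes with the connection charset, as a server would,
and reports whether an unescaped single quote survives.
"""


def naive_escape(data: bytes) -> bytes:
    """Model of the old escape_string(): prefix every 0x27 (') and 0x5c (\\)
    byte with a backslash, ignoring multibyte character boundaries."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Model of real_escape()/escape_string_conn(): decode with the
    connection charset first, so the backslash is inserted between
    characters rather than between arbitrary bytes. Bytes that are not
    valid in the charset are rejected rather than escaped (a design choice
    of this example)."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    escaped = "".join("\\" + ch if ch in ("'", "\\") else ch for ch in text)
    return escaped.encode(charset)


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode as the server would and report whether a bare ' remains."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                       # backslash consumes the next char
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


# Constructed inputs: valid GBK text containing a quote, and a GBK lead byte
# followed directly by a quote (not a valid GBK sequence).
VALID_GBK = "中'x".encode("gbk")
LEAD_BYTE_THEN_QUOTE = b"\xbf\x27"

if __name__ == "__main__":
    print("naive on valid text leaves bare quote:",
          has_unescaped_quote(naive_escape(VALID_GBK), "gbk"))
    print("naive on lead byte + quote leaves bare quote:",
          has_unescaped_quote(naive_escape(LEAD_BYTE_THEN_QUOTE), "gbk"))
    try:
        charset_aware_escape(LEAD_BYTE_THEN_QUOTE, "gbk")
    except ValueError as err:
        print("charset-aware escaper rejected input:", err)
```

For valid text both escapers agree. For the lead-byte-plus-quote input, the naive escaper inserts 0x5c after the lead byte, the pair 0xbf 0x5c decodes as one GBK character, and the quote that follows is no longer escaped; the charset-aware version refuses the input instead, which is the behaviour a connection-aware escaping function exists to provide.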
xpdf: integer overflows
Page editor: Jake Edge