Security
Distributed brute force ssh attacks
Brute force password-guessing attacks against ssh are all too common these days. But, various countermeasures can be used to blunt their impact. A recent discussion on the freebsd-hackers mailing list looks at the problem and some solutions.
Ssh is generally the tool of choice for connecting to remote servers and it is rare that it is disabled on any true multi-user, network-connected machine. Typically, it is configured such that users need to log in with their normal username/password pair. But, since users often use poorly-chosen passwords—and usernames are relatively easily guessed—trying a large number of combinations of credentials will often gain unauthorized access.
In addition, most Linux (or UNIX, for that matter) machines have several known usernames that can be tried ("root", "news", "mail", etc.), which can reduce the search space significantly. Of course, gaining access to the root account compromises the entire system, so many ssh installations do not allow root to log in via ssh. In fact, disabling root logins (using "PermitRootLogin no" in /etc/ssh/sshd_config) is generally one of the first suggestions for making ssh more secure.
Another countermeasure against these kinds of attacks is turning off password authentication entirely, which can be done using "PasswordAuthentication no" in the configuration file. In that case, only users who have installed public keys for the hosts and accounts they wish to use to log in will be allowed. That completely eliminates the possibility of password guessing attacks, but does require that users protect the corresponding private keys. An attacker who gains access to the private key can immediately log in as the user.
A brute force attempt on a server generally leaves an audit trail in a server's log files, which can be used by an administrator to block the offending IP address. Of course, attackers quickly recognized that repeatedly trying passwords from a single address was likely to result in either being blocked or being caught by the authorities. So, distributed brute force attacks were born.
In a distributed attack, multiple hosts—quite possibly members of a botnet of some kind—attack multiple victim machines so that there are many more addresses to block. In addition, those addresses change frequently, so an administrator needs some kind of automated tool to keep up. Enter DenyHosts and other, similar tools, such as Fail2ban.
The basic idea behind these tools is that they scan various log files for evidence of a brute force attack. Once they find an offending IP address—based on various criteria—they update firewall or other access-control configurations to deny access from those addresses. Essentially, they automatically ban the addresses of hosts participating in these distributed brute force attacks.
There is a balance to be struck in terms of the criteria used to determine "bad" hosts. Denying access to legitimate users—who forget their password or try to log in from a host without the right private key—needs to be avoided. Typically, hosts that do not misbehave for some period of time will age off the bad host list, but legitimate users are unlikely to be willing to wait that long.
On the other hand, setting the criteria too high will still allow too many attempts from attack hosts before they get stopped. In addition, with the size of today's botnets, there may be no reason for a particular address to make more than one attempt per hour, or day, which will generally fly under the radar of most configurations. But, DenyHosts turns the tables on distributed attacks, by collecting distributed data itself—from many different hosts in what is called "synchronization mode".
Basically, a central server collects information from DenyHosts's users on which IP addresses they have determined to be bad. That information can then be used by other DenyHosts installations to effectively ban addresses that have not yet attacked them, but are currently attacking other DenyHosts users.
There are dangers to this approach, of course, and it still may not catch the largest botnets where individual IP addresses never quite reach the thresholds required to ban them, but it can help. The standard problems with blacklists and false positives certainly apply, and one could imagine all kinds of havoc that could come from malicious DenyHosts installations, but it is one way to leverage the data from multiple victims. A further refinement might be to provide the raw failure data, rather than just the bad IP addresses filtered by each site's failure criteria, to the central server. That server could then correlate single attack attempts on multiple hosts to more easily catch the larger botnets.
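As an added illustration (not code from the article, from DenyHosts or from Fail2ban), the following Python sketch implements the two ideas just described: a per-host threshold rule over sshd "Failed password" log lines, with age-off of stale bans, and a central correlator that is fed each site's raw failure records rather than its filtered ban list, so that an address making a single attempt per victim still surfaces once it has hit several of them. The log lines, host names and addresses are constructed sample data (RFC 5737 documentation ranges); the log format assumed is the common OpenSSH auth.log line, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpts from three hypothetical hosts.
# 203.0.113.7 hammers "alpha" (classic single-source brute force),
# 192.0.2.10 is a legitimate user who mistyped once,
# 198.51.100.42 makes exactly one attempt per host (distributed pattern).
LOGS = {
    "alpha": [
        "Oct 16 10:00:01 alpha sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2",
        "Oct 16 10:00:04 alpha sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
        "Oct 16 10:00:09 alpha sshd[2003]: Failed password for root from 203.0.113.7 port 40003 ssh2",
        "Oct 16 10:00:15 alpha sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2",
        "Oct 16 10:00:21 alpha sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2",
        "Oct 16 10:03:30 alpha sshd[2010]: Failed password for alice from 192.0.2.10 port 50100 ssh2",
        "Oct 16 10:03:45 alpha sshd[2011]: Accepted password for alice from 192.0.2.10 port 50100 ssh2",
        "Oct 16 11:15:00 alpha sshd[2020]: Failed password for invalid user oracle from 198.51.100.42 port 41000 ssh2",
    ],
    "bravo": [
        "Oct 16 12:40:12 bravo sshd[3001]: Failed password for invalid user oracle from 198.51.100.42 port 41001 ssh2",
    ],
    "charlie": [
        "Oct 16 14:05:58 charlie sshd[4001]: Failed password for invalid user oracle from 198.51.100.42 port 41002 ssh2",
    ],
}

# Assumed OpenSSH syslog line shape; syslog timestamps carry no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+)"
)


def parse_failures(lines, year=2009):
    """Return [(timestamp, user, ip)] for every failed-password line."""
    found = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        found.append((ts, m["user"], m["ip"]))
    return found


def local_bans(failures, threshold=5, window=timedelta(hours=1)):
    """DenyHosts-style per-host rule: an address with at least `threshold`
    failures inside a sliding `window` is banned. Returns {ip: ban_time}."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                banned[ip] = t  # moment the ban would take effect
                break
    return banned


def expire_bans(banned, now, max_age=timedelta(days=1)):
    """Age-off: drop bans older than `max_age` so a mistyping user is not
    locked out forever. Returns the surviving {ip: ban_time}."""
    return {ip: t for ip, t in banned.items() if now - t <= max_age}


def correlate(reports, min_victims=3):
    """Central correlator over raw failure data from many hosts: flag an
    address seen failing against at least `min_victims` distinct hosts,
    even though it never crossed any single host's threshold."""
    victims = defaultdict(set)
    for host, failures in reports.items():
        for _ts, _user, ip in failures:
            victims[ip].add(host)
    return {ip for ip, hosts in victims.items() if len(hosts) >= min_victims}


def demo():
    """Run both stages over the sample logs: per-host bans and shared flags."""
    parsed = {host: parse_failures(lines) for host, lines in LOGS.items()}
    local = {host: local_bans(f) for host, f in parsed.items()}
    shared = correlate(parsed)
    return local, shared


if __name__ == "__main__":
    local, shared = demo()
    for host, bans in local.items():
        print(f"{host}: locally banned {sorted(bans) or 'nothing'}")
    print(f"correlator flags: {sorted(shared)}")
```

On the sample data the local rule catches only 203.0.113.7 on "alpha"; the one-attempt-per-host address 198.51.100.42 is invisible to every individual site and is flagged only by the correlator, which is the refinement the paragraph above proposes. The same trade-off the article describes applies to both stages: lowering `threshold` or `min_victims` catches more bots and more innocent mistakes.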
Much like the spam problem, brute force ssh attacks are a kind of arms race. Administrators will need to change tactics periodically as the types of attacks change. Turning off password authentication is not possible for all installations—and still doesn't get rid of the log file mess that brute force attacks leave behind—so techniques like DenyHosts's synchronization mode will, unfortunately, be needed for the foreseeable future.
New vulnerabilities
camlimages: integer overflows
| Package(s): | camlimages | CVE #(s): | CVE-2009-3296 |
| Created: | October 16, 2009 | Updated: | June 1, 2010 |
| Description: | From the Debian advisory: It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images. |
| Alerts: | |
django: denial of service
| Package(s): | django | CVE #(s): | |
| Created: | October 16, 2009 | Updated: | October 21, 2009 |
| Description: | From the Django project advisory: Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack. |
| Alerts: | |
gd: buffer overflow
| Package(s): | gd | CVE #(s): | CVE-2009-3546 |
| Created: | October 20, 2009 | Updated: | July 2, 2012 |
| Description: | From the CVE entry: The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2009-2908 CVE-2009-2909 CVE-2009-2910 |
| Created: | October 16, 2009 | Updated: | February 15, 2010 |
| Description: | From the Red Hat bugzilla: A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message: "When calling vfs_unlink() on the lower dentry, d_delete() turns the dentry into a negative dentry when the d_count is 1. This eventually caused a NULL pointer deref when a read() or write() was done and the negative dentry's d_inode was dereferenced in ecryptfs_read_update_atime() or ecryptfs_getxattr()." (CVE-2009-2908) From the Red Hat bugzilla: The ax25 code tried to use `if (optlen < sizeof(int)) return -EINVAL;` as a security check against optlen being negative (or zero) in the set socket option. Unfortunately, "sizeof(int)" is an unsigned property, with the result that the whole comparison is done in unsigned, letting negative values slip through. (CVE-2009-2909) From the Red Hat bugzilla: An information leak was discovered in the kernel where a 32-bit process running in 64-bit mode could possibly read certain 64 bit registers. (CVE-2009-2910) |
| Alerts: | |
mysql-ocaml: missing escape function
| Package(s): | mysql-ocaml | CVE #(s): | CVE-2009-2942 |
| Created: | October 15, 2009 | Updated: | November 10, 2009 |
| Description: | From the Debian advisory: It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql_real_escape_string(). This is needed, because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. |
| Alerts: | |
perl-net-oauth: session fixation vulnerability
| Package(s): | perl-net-oauth | CVE #(s): | |
| Created: | October 16, 2009 | Updated: | October 21, 2009 |
| Description: | From the Fedora advisory: A session fixation vulnerability was discovered in OAuth protocol 1.0. Perl OAuth bindings were updated to support the new version of the OAuth protocol that was issued to address the vulnerability. All OAuth users are strongly advised to update to this updated package and protocol version 1.0a which fixes the vulnerability. See the OAuth security advisory for more information. |
| Alerts: | |
pidgin: denial of service
| Package(s): | pidgin | CVE #(s): | CVE-2009-3615 |
| Created: | October 19, 2009 | Updated: | April 29, 2010 |
| Description: | From the VUPEN advisory: A vulnerability has been identified in Pidgin, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in the Oscar protocol plugin when processing malformed ICQ or AIM contacts sent by the SIM IM client, which could cause an invalid memory access leading to a crash. |
| Alerts: | |
poppler: integer overflow
| Package(s): | poppler | CVE #(s): | CVE-2009-3607 |
| Created: | October 21, 2009 | Updated: | March 5, 2010 |
| Description: | From the Red Hat bugzilla entry: Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function. |
| Alerts: | |
postgresql-ocaml: missing escape function
| Package(s): | postgresql-ocaml | CVE #(s): | CVE-2009-2943 |
| Created: | October 15, 2009 | Updated: | November 10, 2009 |
| Description: | From the Debian advisory: It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. |
| Alerts: | |
pygresql: missing escape function
| Package(s): | pygresql | CVE #(s): | CVE-2009-2940 |
| Created: | October 15, 2009 | Updated: | December 11, 2009 |
| Description: | From the Debian advisory: It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility. |
| Alerts: | |
xpdf: integer overflows
| Package(s): | xpdf | CVE #(s): | CVE-2009-0791 CVE-2009-3603 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609 |
| Created: | October 15, 2009 | Updated: | October 11, 2010 |
| Description: | From the Red Hat advisory: Multiple integer overflow flaws were found in Xpdf. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened. |
| Alerts: | |
Page editor: Jake Edge
