
Security

Distributed brute force ssh attacks

By Jake Edge
October 21, 2009

Brute force password-guessing attacks against ssh are all too common these days. But, various countermeasures can be used to blunt their impact. A recent discussion on the freebsd-hackers mailing list looks at the problem and some solutions.

Ssh is generally the tool of choice for connecting to remote servers and it is rare that it is disabled on any true multi-user, network-connected machine. Typically, it is configured such that users need to log in with their normal username/password pair. But, since users often use poorly-chosen passwords—and usernames are relatively easily guessed—trying a large number of combinations of credentials will often gain unauthorized access.

In addition, most Linux (or UNIX, for that matter) machines have several known usernames that can be tried ("root", "news", "mail", etc.), which can reduce the search space significantly. Of course, gaining access to the root account compromises the entire system, so many ssh installations do not allow root to log in via ssh. In fact, disabling root logins (using "PermitRootLogin no" in /etc/ssh/sshd_config) is generally one of the first suggestions for making ssh more secure.

Another countermeasure against these kinds of attacks is turning off password authentication entirely, which can be done using "PasswordAuthentication no" in the configuration file. In that case, only users who have installed public keys for the hosts and accounts they wish to use to log in will be allowed. That completely eliminates the possibility of password guessing attacks, but does require that users protect the corresponding private keys. An attacker who gains access to the private key can immediately log in as the user.
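The two directives just mentioned are easy to get wrong in practice, because sshd uses the first value it reads for a keyword, so a hardened line appended below an existing one changes nothing. The auditor below is an added example, not code from the article or from OpenSSH. It assumes the documented sshd_config syntax (case-insensitive keywords, whitespace or a single "=" as separator, directives after a Match line being conditional), treats "#" anywhere on a line as starting a comment (a simplification), and assumes the defaults of that era, "yes" for both keywords when a directive is absent. The sample configurations are constructed.

```python
import re

# Keywords the article recommends setting, with the hardened value and the
# value sshd of the day used when the keyword was absent (assumed defaults).
WANTED = {
    "permitrootlogin": ("no", "yes"),
    "passwordauthentication": ("no", "yes"),
}

# Keyword and value are separated by whitespace, or by one '=' with optional
# surrounding whitespace, as the sshd_config manual describes.
SEPARATOR = re.compile(r"\s*=\s*|\s+")


def effective_settings(config_text):
    """Map keyword -> value for the global section of an sshd_config.

    Only the FIRST occurrence of a keyword counts, mirroring sshd, which
    ignores later repeats. Lines after a Match directive apply only to
    matching connections; this auditor ignores them (simplification).
    """
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified)
        if not line:
            continue
        parts = SEPARATOR.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(keyword, value)     # first value wins
    return settings


def audit(config_text):
    """Return [(keyword, effective_value)] for every setting not hardened."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, (hardened, default) in WANTED.items():
        value = settings.get(keyword, default).lower()
        if value != hardened:
            findings.append((keyword, value))
    return findings


WEAK_CONFIG = """\
# Constructed sample: the defaults of the day, spelled out
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed sample: both recommendations applied
PermitRootLogin no
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes   # conditional, does not weaken the global setting
"""

APPENDED_FIX_CONFIG = """\
# Constructed sample: the fix was appended without removing the old line
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("appended fix", APPENDED_FIX_CONFIG)]:
        print(name, "->", audit(text) or "ok")
```

The third sample is the case a grep for "PermitRootLogin no" would pass: the line is there, but sshd never reads it. Values such as "without-password" are also reported, because the article's recommendation is an outright "no".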

A brute force attempt on a server generally leaves an audit trail in a server's log files, which can be used by an administrator to block the offending IP address. Of course, attackers quickly recognized that repeatedly trying passwords from a single address was likely to result in either being blocked or being caught by the authorities. So, distributed brute force attacks were born.

In a distributed attack, multiple hosts—quite possibly members of a botnet of some kind—attack multiple victim machines so that there are many more addresses to block. In addition, those addresses change frequently, so an administrator needs some kind of automated tool to keep up. Enter DenyHosts and other, similar tools, such as Fail2ban.

The basic idea behind these tools is that they scan various log files for evidence of a brute force attack. Once they find an offending IP address—based on various criteria—they update firewall or other access-control configurations to deny access from those addresses. Essentially, they automatically ban the addresses of hosts participating in these distributed brute force attacks.

There is a balance to be struck in terms of the criteria used to determine "bad" hosts. Denying access to legitimate users—who forget their password or try to log in from a host without the right private key—needs to be avoided. Typically, hosts that do not misbehave for some period of time will age off the bad host list, but legitimate users are unlikely to be willing to wait that long.

On the other hand, setting the criteria too high will still allow too many attempts from attack hosts before they get stopped. In addition, with the size of today's botnets, there may be no reason for a particular address to make more than one attempt per hour, or day, which will generally fly under the radar of most configurations. But, DenyHosts turns the tables on distributed attacks, by collecting distributed data itself—from many different hosts in what is called "synchronization mode".

Basically, a central server collects information from DenyHosts's users on which IP addresses they have determined to be bad. That information can then be used by other DenyHosts installations to effectively ban addresses that have not yet attacked them, but are currently attacking other DenyHosts users.

There are dangers to this approach, of course, and it still may not catch the largest botnets where individual IP addresses never quite reach the thresholds required to ban them, but it can help. The standard problems with blacklists and false positives certainly apply, and one could imagine all kinds of havoc that could come from malicious DenyHosts installations, but it is one way to leverage the data from multiple victims. A further refinement might be to provide the raw failure data, rather than just the bad IP addresses filtered by each site's failure criteria, to the central server. That server could then correlate single attack attempts on multiple hosts to more easily catch the larger botnets.
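The difference between per-site thresholds and the correlation of raw failure data, as an added example that is not code from the article, DenyHosts or Fail2ban. It assumes the OpenSSH auth-log line shape "<timestamp> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> port <n> ssh2"; the log lines, threshold and window are constructed for the demonstration. One address hammers a single host and is caught locally; a second touches each of four hosts exactly once, stays under every local threshold, and is only caught once the hosts' raw failures are pooled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to the auth log (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2009):
    """Return [(timestamp, reporting_host, ip, user)] for failed-password lines.

    Syslog timestamps carry no year, so the caller supplies one. Lines that
    are not password failures (accepted logins, disconnects) are skipped.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["ip"], m["user"]))
    return events


def exceeds(times, threshold, window):
    """True if at least `threshold` of `times` fall within one span of `window`."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:   # slide the window's left edge
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def local_bans(events, threshold, window):
    """What each host bans on its own evidence: {host: {ip, ...}}."""
    per_host_ip = defaultdict(list)
    for ts, host, ip, _ in events:
        per_host_ip[(host, ip)].append(ts)
    bans = defaultdict(set)
    for (host, ip), times in per_host_ip.items():
        if exceeds(times, threshold, window):
            bans[host].add(ip)
    return dict(bans)


def correlated_bans(events, threshold, window):
    """Pool RAW failures from every reporting host and apply the threshold to
    an address's total, so a botnet member that probes each victim only once
    is still counted (the refinement suggested in the article)."""
    per_ip = defaultdict(list)
    for ts, _, ip, _ in events:
        per_ip[ip].append(ts)
    return {ip for ip, times in per_ip.items() if exceeds(times, threshold, window)}


# Constructed sample log, as four hosts would forward it to a central collector:
# 203.0.113.5 hammers host1; 198.51.100.7 tries each host exactly once;
# 192.0.2.10 is a legitimate user who mistypes a password twice, then succeeds.
SAMPLE_LOG = """\
Oct 21 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct 21 10:00:09 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct 21 10:00:17 host1 sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Oct 21 10:00:25 host1 sshd[2004]: Failed password for news from 203.0.113.5 port 40004 ssh2
Oct 21 10:00:33 host1 sshd[2005]: Failed password for mail from 203.0.113.5 port 40005 ssh2
Oct 21 10:05:00 host1 sshd[2010]: Failed password for root from 198.51.100.7 port 51000 ssh2
Oct 21 10:15:00 host2 sshd[3010]: Failed password for root from 198.51.100.7 port 51001 ssh2
Oct 21 10:25:00 host3 sshd[4010]: Failed password for root from 198.51.100.7 port 51002 ssh2
Oct 21 10:35:00 host4 sshd[5010]: Failed password for root from 198.51.100.7 port 51003 ssh2
Oct 21 10:40:00 host1 sshd[2020]: Failed password for alice from 192.0.2.10 port 60000 ssh2
Oct 21 10:40:12 host1 sshd[2021]: Failed password for alice from 192.0.2.10 port 60001 ssh2
Oct 21 10:40:30 host1 sshd[2022]: Accepted publickey for alice from 192.0.2.10 port 60002 ssh2
""".splitlines()

THRESHOLD = 4                 # failures needed before an address is banned
WINDOW = timedelta(hours=1)   # within this span

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("per-host bans:   ", local_bans(events, THRESHOLD, WINDOW))
    print("correlated bans: ", correlated_bans(events, THRESHOLD, WINDOW))
```

The legitimate user's two failures stay below the threshold in both modes, which is the false-positive balance the article describes; lowering the threshold to 2 would ban her along with the attackers. The pooled mode also shows why the central server needs the raw events rather than each site's verdict: none of the four hosts ever had grounds to report 198.51.100.7 on its own.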

Much like the spam problem, brute force ssh attacks are a kind of arms race. Administrators will need to change tactics periodically as the types of attacks change. Turning off password authentication is not possible for all installations—and still doesn't get rid of the log file mess that brute force attacks leave behind—so techniques like DenyHosts's synchronization mode will, unfortunately, be needed for the foreseeable future.

Comments (34 posted)

New vulnerabilities

camlimages: integer overflows

Package(s): camlimages    CVE #(s): CVE-2009-3296
Created: October 16, 2009    Updated: June 1, 2010
Description: From the Debian advisory: It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images.
Alerts:
Gentoo 201006-02 camlimages 2010-06-01
Fedora FEDORA-2009-10594 ocaml-camlimages 2009-10-21
Fedora FEDORA-2009-10568 ocaml-camlimages 2009-10-21
Debian DSA-1912-2 advi 2009-10-23
Mandriva MDVSA-2009:286 ocaml-camlimages 2009-10-21
Debian DSA-1912-1 camlimages 2009-10-16

django: denial of service

Package(s): django    CVE #(s):
Created: October 16, 2009    Updated: October 21, 2009
Description: From the Django project advisory: Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
Alerts:
Fedora FEDORA-2009-10390 Django 2009-10-14
Fedora FEDORA-2009-10432 Django 2009-10-14

gd: buffer overflow

Package(s): gd    CVE #(s): CVE-2009-3546
Created: October 20, 2009    Updated: July 2, 2012
Description: From the CVE entry: The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
Alerts:
Fedora FEDORA-2012-9314 gd 2012-06-30
Fedora FEDORA-2012-9298 gd 2012-06-30
CentOS CESA-2010:0040 php 2010-01-15
Red Hat RHSA-2010:0040-01 php 2010-01-13
CentOS CESA-2010:0040 php 2010-01-13
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Gentoo 201001-03 php 2010-01-05
CentOS CESA-2010:0003 gd 2010-01-05
Red Hat RHSA-2010:0003-01 gd 2010-01-04
Fedora FEDORA-2010-0495 maniadrive 2010-01-14
Fedora FEDORA-2010-0495 php 2010-01-14
Mandriva MDVSA-2009:324 php 2009-12-07
Mandriva MDVSA-2009:284-1 gd 2009-12-05
Fedora FEDORA-2009-12017 php 2009-11-24
Fedora FEDORA-2009-12017 maniadrive 2009-11-24
Gentoo 201006-16 gd 2010-06-03
Ubuntu USN-854-1 libgd2 2009-11-05
Mandriva MDVSA-2009:284 gd 2009-10-20
Debian DSA-1936-1 libgd2 2009-11-17
Mandriva MDVSA-2009:285 php 2009-10-20
Arch Linux ASA-201701-1 libwmf 2017-01-01

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2009-2908 CVE-2009-2909 CVE-2009-2910
Created: October 16, 2009    Updated: February 15, 2010
Description: From the Red Hat bugzilla: A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message: When calling vfs_unlink() on the lower dentry, d_delete() turns the dentry into a negative dentry when the d_count is 1. This eventually caused a NULL pointer deref when a read() or write() was done and the negative dentry's d_inode was dereferenced in ecryptfs_read_update_atime() or ecryptfs_getxattr(). (CVE-2009-2908)

From the Red Hat bugzilla: The ax25 code tried to use

        if (optlen < sizeof(int))
                return -EINVAL;
as a security check against optlen being negative (or zero) in the set socket option. Unfortunately, "sizeof(int)" is an unsigned property, with the result that the whole comparison is done in unsigned, letting negative values slip through. (CVE-2009-2909)

From the Red Hat bugzilla: An information leak was discovered in the kernel where a 32-bit process running in 64-bit mode could possibly read certain 64 bit registers. (CVE-2009-2910)

Alerts:
CentOS CESA-2010:0046 kernel 2010-01-20
Red Hat RHSA-2010:0046-01 kernel 2010-01-19
SuSE SUSE-SA:2010:012 kernel 2010-02-15
CentOS CESA-2009:1671 kernel 2009-12-18
Red Hat RHSA-2009:1671-01 kernel 2009-12-15
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
SuSE SUSE-SA:2009:060 kernel 2009-12-02
SuSE SUSE-SA:2009:055 kernel 2009-11-12
Debian DSA-1928-1 linux-2.6.24 2009-11-05
Red Hat RHSA-2009:1540-01 kernel-rt 2009-11-03
Red Hat RHSA-2009:1548-01 kernel 2009-11-03
SuSE SUSE-SA:2009:051 kernel 2009-11-02
Ubuntu USN-852-1 linux, linux-source-2.6.15 2009-10-22
CentOS CESA-2009:1548 kernel 2009-11-04
SuSE SUSE-SA:2009:056 kernel 2009-11-16
SuSE SUSE-SA:2009:054 kernel 2009-11-11
Debian DSA-1929-1 linux-2.6 2009-11-05
Fedora FEDORA-2009-10639 kernel 2009-10-21
Mandriva MDVSA-2009:289 kernel 2009-10-27
Debian DSA-1915-1 linux-2.6 2009-10-22
Fedora FEDORA-2009-10525 kernel 2009-10-15

mysql-ocaml: missing escape function

Package(s): mysql-ocaml    CVE #(s): CVE-2009-2942
Created: October 15, 2009    Updated: November 10, 2009
Description: From the Debian advisory: It was discovered that mysql-ocaml, OCaml bindings for MySQL, was missing a function to call mysql_real_escape_string(). This is needed because mysql_real_escape_string() honours the charset of the connection and prevents insufficient escaping when certain multibyte character encodings are used. The added function is called real_escape() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility.
Alerts:
Fedora FEDORA-2009-10701 ocaml-mysql 2009-10-21
Mandriva MDVSA-2009:279 ocaml-mysql 2009-10-15
Debian DSA-1910-1 mysql-ocaml 2009-10-14
Fedora FEDORA-2009-10582 ocaml-mysql 2009-10-21

perl-net-oauth: session fixation vulnerability

Package(s): perl-net-oauth    CVE #(s):
Created: October 16, 2009    Updated: October 21, 2009
Description: From the Fedora advisory: A session fixation vulnerability was discovered in OAuth protocol 1.0. Perl OAuth bindings were updated to support the new version of the OAuth protocol that was issued to address the vulnerability. All OAuth users are strongly advised to update to this updated package and protocol version 1.0a which fixes the vulnerability. See the OAuth security advisory for more information.
Alerts:
Fedora FEDORA-2009-10539 perl-Net-OAuth 2009-10-15
Fedora FEDORA-2009-10520 perl-Net-OAuth 2009-10-15

pidgin: denial of service

Package(s): pidgin    CVE #(s): CVE-2009-3615
Created: October 19, 2009    Updated: April 29, 2010
Description: From the VUPEN advisory: A vulnerability has been identified in Pidgin, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in the Oscar protocol plugin when processing malformed ICQ or AIM contacts sent by the SIM IM client, which could cause an invalid memory access leading to a crash.

Alerts:
Mandriva MDVSA-2010:085 pidgin 2010-04-28
Ubuntu USN-886-1 pidgin 2010-01-18
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2010:001 pidgin 2010-01-11
CentOS CESA-2009:1535 pidgin 2009-10-29
Slackware SSA:2009-290-02 pidgin 2009-10-19
CentOS CESA-2009:1536 pidgin 2009-10-30
Red Hat RHSA-2009:1535-01 pidgin 2009-10-29
Red Hat RHSA-2009:1536-01 pidgin 2009-10-29
Debian DSA-1932-1 pidgin 2009-11-08
Fedora FEDORA-2009-10662 pidgin 2009-10-21
Fedora FEDORA-2009-10702 pidgin 2009-10-21

poppler: integer overflow

Package(s): poppler    CVE #(s): CVE-2009-3607
Created: October 21, 2009    Updated: March 5, 2010
Description: From the Red Hat bugzilla entry: Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function.

Alerts:
Gentoo 201310-03 poppler 2013-10-06
Mandriva MDVSA-2011:175 poppler 2011-11-15
Mandriva MDVSA-2010:055 poppler 2010-03-04
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Ubuntu USN-850-3 poppler 2009-11-02
Fedora FEDORA-2009-10845 poppler 2009-10-27
Fedora FEDORA-2009-10823 poppler 2009-10-27
Ubuntu USN-850-1 poppler 2009-10-21

postgresql-ocaml: missing escape function

Package(s): postgresql-ocaml    CVE #(s): CVE-2009-2943
Created: October 15, 2009    Updated: November 10, 2009
Description: From the Debian advisory: It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility.
Alerts:
Fedora FEDORA-2009-10633 ocaml-postgresql 2009-10-21
Fedora FEDORA-2009-10595 ocaml-postgresql 2009-10-21
Debian DSA-1909-1 postgresql-ocaml 2009-10-14

pygresql: missing escape function

Package(s): pygresql    CVE #(s): CVE-2009-2940
Created: October 15, 2009    Updated: December 11, 2009
Description: From the Debian advisory: It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as a first argument. The old function escape_string() has been preserved as well for backwards compatibility.
Alerts:
Ubuntu USN-870-1 pygresql 2009-12-11
Debian DSA-1911-1 pygresql 2009-10-14

xpdf: integer overflows

Package(s): xpdf    CVE #(s): CVE-2009-0791 CVE-2009-3603 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609
Created: October 15, 2009    Updated: October 11, 2010
Description: From the Red Hat advisory: Multiple integer overflow flaws were found in Xpdf. An attacker could create a malicious PDF file that would cause Xpdf to crash or, potentially, execute arbitrary code when opened.
Alerts:
Gentoo 201310-03 poppler 2013-10-06
Mandriva MDVSA-2011:175 poppler 2011-11-15
Red Hat RHSA-2010:0755-01 cups 2010-10-07
Ubuntu USN-973-1 koffice 2010-08-17
CentOS CESA-2010:0755 cups 2010-10-10
CentOS CESA-2010:0400 tetex 2010-05-28
Debian DSA-2050-1 kdegraphics 2010-05-24
Mandriva MDVSA-2010:096 tetex 2010-05-17
Mandriva MDVSA-2010:094 tetex 2010-05-12
CentOS CESA-2010:0399 tetex 2010-05-08
CentOS CESA-2010:0401 tetex 2010-05-08
Red Hat RHSA-2010:0401-01 tetex 2010-05-06
Red Hat RHSA-2010:0400-01 tetex 2010-05-06
Red Hat RHSA-2010:0399-01 tetex 2010-05-06
Mandriva MDVSA-2010:087 poppler 2010-04-29
Mandriva MDVSA-2010:086 kdegraphics 2010-04-29
Debian DSA-2028-1 xpdf 2010-04-05
Mandriva MDVSA-2010:055 poppler 2010-03-04
Fedora FEDORA-2010-1377 pdfedit 2010-02-19
Fedora FEDORA-2010-1805 pdfedit 2010-02-19
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2009:346 kde 2009-12-29
Mandriva MDVSA-2009:336 koffice 2009-12-17
Mandriva MDVSA-2009:334 poppler 2009-12-17
Mandriva MDVSA-2009:331 kdegraphics 2009-12-10
Mandriva MDVSA-2009:282-1 cups 2009-12-07
Mandriva MDVSA-2009:287-1 xpdf 2009-12-04
Fedora FEDORA-2010-1842 pdfedit 2010-02-19
Fedora FEDORA-2009-10648 xpdf 2009-10-21
Mandriva MDVSA-2009:283 cups 2009-10-19
Red Hat RHSA-2009:1512-01 kdegraphics 2009-10-15
Mandriva MDVSA-2009:287 xpdf 2009-10-22
Fedora FEDORA-2009-10694 xpdf 2009-10-21
CentOS CESA-2009:1501 xpdf 2009-10-16
Red Hat RHSA-2009:1502-01 kdegraphics 2009-10-15
CentOS CESA-2009:1513 cups 2009-10-30
Mandriva MDVSA-2009:281 cups 2009-10-19
CentOS CESA-2009:1512 kdegraphics 2009-10-16
CentOS CESA-2009:1503 gpdf 2009-10-16
Mandriva MDVSA-2009:280 cups 2009-10-19
CentOS CESA-2009:1502 kdegraphics 2009-10-30
Fedora FEDORA-2009-10845 poppler 2009-10-27
Fedora FEDORA-2009-10823 poppler 2009-10-27
CentOS CESA-2009:1500 xpdf 2009-10-15
Red Hat RHSA-2009:1501-01 xpdf 2009-10-15
Red Hat RHSA-2009:1500-01 xpdf 2009-10-15
CentOS CESA-2009:1504 poppler 2009-10-30
Slackware SSA:2009-302-02 poppler 2009-10-29
Slackware SSA:2009-302-01 xpdf 2009-10-29
Red Hat RHSA-2009:1513-01 cups 2009-10-15
Ubuntu USN-850-1 poppler 2009-10-21
Red Hat RHSA-2009:1504-01 poppler 2009-10-15
SuSE SUSE-SR:2009:019 cups, jetty5, libqt4/dbus-1-qt, opera, puretls/jessie, kdegraphics3-pdf, qemu 2009-11-24
SuSE SUSE-SR:2009:018 cyrus-imapd, neon/libneon, freeradius, strongswan, openldap2, apache2-mod_jk, expat, xpdf, mozilla-nspr 2009-11-10
Ubuntu USN-850-3 poppler 2009-11-02
Mandriva MDVSA-2009:282 cups 2009-10-19
Red Hat RHSA-2009:1503-01 gpdf 2009-10-15

Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds