- J.J.F. / Hackers Team - Security Advisory =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: 05/09/1999 Release: 05/14/1999 Author: Zhodiac URL: http://www.jjf.org Application: sshd2 up to 2.0.11 OS: Unix Risk: Risky :), long term could gain system access. -=-=-=-=-=-=-=-= Introduction -=-=-=-=-=-=-=-= In the default instalation of sshd2 (up to 2.0.11) there is an open way to bruteforce a login/password, without any kind of ip logging by the sshd. Version 2.0.12 and newers seems to be not vulnerable to this attack, because it logs the ip at connection time. -=-=-=-=-=-=-=-= Details -=-=-=-=-=-=-=-= When a ssh client connects to the daemon, it has a number (default is three) of attempts to guess the correct password before disconnecting. If we shutdown the connection before using up the number of attempts, the daemon will not log neither the connection, the password guesses nor the ip of the client. One cristal clear example: [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis zhodiac's password: zhodiac's password: zhodiac's password: Disconnected; authentication error. [zhodiac@piscis zhodiac]$ In /var/log/messages: May 9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')' Now we try the bug: [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis zhodiac's password: zhodiac's password: zhodiac's password: FATAL: Received signal 2. [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis zhodiac's password: zhodiac's password: zhodiac's password: FATAL: Received signal 2. [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis zhodiac's password: zhodiac's password: zhodiac's password: FATAL: Received signal 2. [zhodiac@piscis zhodiac]$ Those "FATAL: Received signal2." are the response of interrupting the program with a ^C. Lets see what syslog did: May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed. May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed. May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed. No ip, no password guesses attempts on the logs! So a bruteforce can be done without any kind of logging... Sorry script-kiddies, no program available! -=-=-=-=-=-=-=-= Quick Fix -=-=-=-=-=-=-=-= Edit the file sshd2_config (usually at /etc/ssh2), set the value of "PasswordGuesses" to 1. With this each time a password is tried it will log it in the following way: May 9 12:46:07 piscis sshd[1308]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1527', requested service 'ssh-connection')' It is also recommended to set the value of "ListenAddress" so we will have more control of which ips can use our ssh service. A better solution is to upgrade to 2.0.12 version or newer , with them at connection it will log via syslog in the following way: May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1" -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- zhodiac@jjf.org http://www.jjf.org - J.J.F. / Hackers Team - Security Advisory =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=