Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers



On Fri, 2005-06-17 at 13:13 -0400, Justin Pryzby wrote:
> > Definitely would be a good test...I'd like to see someone validate what
> > I've been seeing.
> I see lots of the same logfile entries; but I have doubts that it is
> looking for a valid account, and not just looking for an *opened*
> account.

The problem is, I've seen that valid accounts (like my own 'greg') get
tested a lot more often than the others.

May 31 09:14:52 herring sshd[14612]: Failed password for www-data from 65.254.38.138 port 59932 ssh2
May 31 09:14:57 herring sshd[14630]: Failed password for nobody from 65.254.38.138 port 60209 ssh2
May 31 09:15:00 herring sshd[14638]: Failed password for root from 65.254.38.138 port 60357 ssh2
May 31 09:15:02 herring sshd[14648]: Failed password for backup from 65.254.38.138 port 60542 ssh2
May 31 09:15:10 herring sshd[14713]: Failed password for adam from 65.254.38.138 port 60993 ssh2
May 31 09:15:13 herring sshd[14724]: Failed password for richard from 65.254.38.138 port 32972 ssh2
May 31 09:15:17 herring sshd[14734]: Failed password for michael from 65.254.38.138 port 33226 ssh2
May 31 09:15:19 herring sshd[14741]: Failed password for john from 65.254.38.138 port 33392 ssh2
May 31 09:15:24 herring sshd[14772]: Failed password for news from 65.254.38.138 port 33652 ssh2
May 31 09:15:27 herring sshd[14796]: Failed password for games from 65.254.38.138 port 33895 ssh2
May 31 09:15:32 herring sshd[14811]: Failed password for mail from 65.254.38.138 port 34172 ssh2
May 31 09:15:43 herring sshd[14846]: Failed password for root from 65.254.38.138 port 34879 ssh2
May 31 09:15:46 herring sshd[14864]: Failed password for steven from 65.254.38.138 port 35133 ssh2
May 31 09:15:51 herring sshd[14890]: Failed password for robert from 65.254.38.138 port 35470 ssh2
May 31 09:15:55 herring sshd[14901]: Failed password for richard from 65.254.38.138 port 35653 ssh2
May 31 09:15:59 herring sshd[14910]: Failed password for michael from 65.254.38.138 port 36019 ssh2
May 31 09:16:03 herring sshd[14920]: Failed password for mysql from 65.254.38.138 port 36276 ssh2
May 31 09:16:07 herring sshd[14942]: Failed password for operator from 65.254.38.138 port 36531 ssh2
May 31 09:16:14 herring sshd[14978]: Failed password for sshd from 65.254.38.138 port 37063 ssh2
May 31 09:16:20 herring sshd[14999]: Failed password for root from 65.254.38.138 port 37419 ssh2
May 31 09:16:25 herring sshd[15011]: Failed password for michael from 65.254.38.138 port 37737 ssh2
May 31 09:16:30 herring sshd[15043]: Failed password for irc from 65.254.38.138 port 38102 ssh2
May 31 09:17:15 herring sshd[15251]: Failed password for news from 65.254.38.138 port 41293 ssh2
May 31 09:17:17 herring sshd[15263]: Failed password for lp from 65.254.38.138 port 41500 ssh2
May 31 09:17:20 herring sshd[15267]: Failed password for mail from 65.254.38.138 port 41714 ssh2
May 31 09:17:23 herring sshd[15289]: Failed password for bin from 65.254.38.138 port 41961 ssh2
May 31 09:18:02 herring sshd[15470]: Failed password for root from 65.254.38.138 port 44776 ssh2
May 31 09:48:21 herring sshd[19583]: Failed password for root from 72.29.78.199 port 35131 ssh2
May 31 09:48:24 herring sshd[19586]: Failed password for root from 72.29.78.199 port 35306 ssh2
May 31 09:48:27 herring sshd[19597]: Failed password for root from 72.29.78.199 port 35512 ssh2

Here's a sample:
      1 alfred
      1 bob
      1 greg
      1 jim
      1 juliab
      1 michelle
      1 sarah
      1 tim
      2 alexander
      2 ian
      2 joseph
      2 mark
      2 stephanie
      2 sys
      3 bin
      3 bruce
      3 dave
      3 james
      3 lp
      3 miniato
      3 postfix
      3 postgres
      6 games
      6 robert
      6 sshd
      8 steven
      9 backup
      9 www-data
     10 adam
     10 irc
     11 john
     11 news
     11 operator
     12 mail
     12 nobody
     12 richard
     16 michael
     23 mysql
    352 root

Created with:  zgrep 'Failed password' auth.log*gz |awk '{print $9}' | sort| uniq -c |sort -k1 -n|less

Now, none of the people with 1 attempt are valid, but all of those above
10 are. None of the users have a valid shell to access the server via
ssh, yet certain accounts get many more attempts (ignoring 'root'
entirely, since it'd be a known target).

Cheers,

Greg

-- 
Greg Webster  -  System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net