Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers



On Fri, Jun 17, 2005 at 10:33:49AM -0700, Greg Webster wrote:
> On Fri, 2005-06-17 at 13:13 -0400, Justin Pryzby wrote:
> > > Definitely would be a good test...I'd like to see someone validate what
> > > I've been seeing.
> > I see lots of the same logfile entries; but I have doubts that it is
> > looking for a valid account, and not just looking for an *opened*
> > account.
> 
> The problem is, I've seen that valid accounts (like my own 'greg') get
> tested a lot more often than the others.

> Here's a sample:
>       1 alfred
>       1 bob
>       1 greg
>       1 jim
>       1 juliab
>       1 michelle
>       1 sarah
>       1 tim
>       2 alexander
>       2 ian
>       2 joseph
>       2 mark
>       2 stephanie
>       2 sys
>       3 bin
>       3 bruce
>       3 dave
>       3 james
>       3 lp
>       3 miniato
>       3 postfix
>       3 postgres
>       6 games
>       6 robert
>       6 sshd
>       8 steven
>       9 backup
>       9 www-data
>      10 adam
>      10 irc
>      11 john
>      11 news
>      11 operator
>      12 mail
>      12 nobody
>      12 richard
>      16 michael
>      23 mysql
>     352 root
> 
> Created with:  zgrep 'Failed password' auth.log*gz |awk '{print $9}' |
> sort| uniq -c |sort -k1 -n|less
Makes sense.

> Now, none of the people with 1 attempt are valid, but all of those above
> 10 are. None of the users have a valid shell to access the server via
> ssh, yet certain accounts get many more attempts (ignoring 'root'
> entirely, since it'd be a known target).
This is admittedly good evidence.  I don't think I have access to any
machines with sane-looking usernames, so I can't check for myself.
What about greg, above, which has 1 attempt?

Justin
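
An added example, not part of the original message and not code from the OpenSSH or Debian projects: the same per-username tally as the quoted pipeline, with attempts against names sshd flagged as nonexistent kept apart from the rest, so that the two groups can be compared directly. The log lines are constructed, and the "invalid user" / "illegal user" marker after "for" is an assumption about the sshd version writing the log.

```shell
#!/bin/sh
# Constructed sample lines (documentation-range IPs); the format is assumed.
sample_log() {
    cat <<'EOF'
Jun 17 10:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 17 10:01:05 host sshd[1002]: Failed password for invalid user bob from 192.0.2.10 port 40002 ssh2
Jun 17 10:01:09 host sshd[1003]: Failed password for illegal user alfred from 192.0.2.10 port 40003 ssh2
Jun 17 10:01:12 host sshd[1004]: Failed password for mysql from 192.0.2.10 port 40004 ssh2
Jun 17 10:01:15 host sshd[1005]: Failed password for mysql from 192.0.2.10 port 40005 ssh2
Jun 17 10:01:20 host sshd[1006]: Accepted password for greg from 198.51.100.7 port 40006 ssh2
EOF
}

# Read auth.log lines on stdin; print "count kind user", lowest count first.
# kind is "unknown" when sshd marked the name invalid/illegal, else "known".
tally_failed() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        # Find the phrase itself rather than trusting a fixed column like $9.
        for (i = 1; i <= NF; i++)
            if ($i == "Failed" && $(i + 1) == "password" && $(i + 2) == "for") break
        user = $(i + 3); kind = "known"
        if ((user == "invalid" || user == "illegal") && $(i + 4) == "user") {
            user = $(i + 5); kind = "unknown"
        }
        n[kind " " user]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1n -k3,3
}

sample_log | tally_failed
```

On rotated logs the function can be fed with `zcat auth.log*gz | tally_failed`.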
