Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers
On Fri, Jun 17, 2005 at 10:33:49AM -0700, Greg Webster wrote:
> On Fri, 2005-06-17 at 13:13 -0400, Justin Pryzby wrote:
> > > Definitely would be a good test...I'd like to see someone validate what
> > > I've been seeing.
> > I see lots of the same logfile entries; but I have doubts that it is
> > looking for a valid account, and not just looking for an *opened*
> > account.
>
> The problem is, I've seen that valid accounts (like my own 'greg') get
> tested a lot more often than the others.
> Here's a sample:
> 1 alfred
> 1 bob
> 1 greg
> 1 jim
> 1 juliab
> 1 michelle
> 1 sarah
> 1 tim
> 2 alexander
> 2 ian
> 2 joseph
> 2 mark
> 2 stephanie
> 2 sys
> 3 bin
> 3 bruce
> 3 dave
> 3 james
> 3 lp
> 3 miniato
> 3 postfix
> 3 postgres
> 6 games
> 6 robert
> 6 sshd
> 8 steven
> 9 backup
> 9 www-data
> 10 adam
> 10 irc
> 11 john
> 11 news
> 11 operator
> 12 mail
> 12 nobody
> 12 richard
> 16 michael
> 23 mysql
> 352 root
>
> Created with: zgrep 'Failed password' auth.log*gz |awk '{print $9}' |
> sort| uniq -c |sort -k1 -n|less
Makes sense.
> Now, none of the people with 1 attempt are valid, but all of those above
> 10 are. None of the users have a valid shell to access the server via
> ssh, yet certain accounts get many more attempts (ignoring 'root'
> entirely, since it'd be a known target).
This is admittedly good evidence. I don't think I have access to any
machines with sane-looking usernames, so I can't check for myself.
What about greg, above, which has 1 attempt?
Justin
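The per-username tally Greg built with `zgrep ... | awk '{print $9}'` is the natural first check for this kind of probing, so here is an added example (not from the bug report or from either poster) that does the same count over constructed auth.log lines. It adds one thing the fixed-field version misses: sshd itself marks attempts against nonexistent accounts as "invalid user NAME" (older releases wrote "illegal user"), which shifts the username to a later field, so `$9` would count the word "invalid" instead of the name. The script strips everything up to "Failed password for " first and records sshd's own existing/nonexistent marker next to the count. The log lines, hostnames and addresses are constructed; `naive_count`, `robust_count` and `attempts_for` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): count failed-password attempts per
# username from sshd auth.log lines. The log lines below are constructed.

SAMPLE_LOG='Jun 17 10:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 17 10:01:05 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 17 10:01:08 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 17 10:02:11 host sshd[1002]: Failed password for invalid user alfred from 192.0.2.10 port 40002 ssh2
Jun 17 10:02:14 host sshd[1003]: Failed password for invalid user bob from 192.0.2.10 port 40003 ssh2
Jun 17 10:03:01 host sshd[1004]: Failed password for greg from 192.0.2.11 port 40004 ssh2
Jun 17 10:03:04 host sshd[1004]: Failed password for greg from 192.0.2.11 port 40004 ssh2
Jun 17 10:03:20 host sshd[1005]: Accepted publickey for greg from 192.0.2.12 port 40005 ssh2
Jun 17 10:04:00 host sshd[1006]: Failed password for mysql from 192.0.2.10 port 40006 ssh2'

# The pipeline from the thread, reading stdin instead of auth.log*gz:
# it assumes the username is always the ninth whitespace-separated field.
naive_count() {
    grep 'Failed password' | awk '{print $9}' | sort | uniq -c | sort -k1,1n
}

# Position-independent version: drop the syslog prefix and the fixed text,
# then look for sshd's own "invalid user" (older releases: "illegal user")
# marker, which tells us whether the account existed on the host.
robust_count() {
    awk '/Failed password for / {
        sub(/.*Failed password for /, "")
        if (($1 == "invalid" || $1 == "illegal") && $2 == "user") {
            status = "nonexistent"; user = $3
        } else {
            status = "existing"; user = $1
        }
        n[status " " user]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1n
}

# Failed attempts recorded against one username in SAMPLE_LOG (empty if none).
attempts_for() {
    printf '%s\n' "$SAMPLE_LOG" | robust_count | awk -v u="$1" '$3 == u { print $1 }'
}

echo '--- field-9 count (note the "invalid" bucket) ---'
printf '%s\n' "$SAMPLE_LOG" | naive_count
echo '--- count with existing/nonexistent marker ---'
printf '%s\n' "$SAMPLE_LOG" | robust_count
```

On the sample data the field-9 count reports two attempts against a user called "invalid" and never mentions alfred or bob, while the second count lists them as nonexistent accounts with one attempt each. When reviewing real logs for the pattern discussed in the thread, the existing/nonexistent split from sshd's own marker is a cleaner signal than the raw count, since it separates "the attacker keeps retrying accounts that exist" from "the attacker is walking a wordlist".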