Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers
On Fri, 2005-06-17 at 13:46 -0400, Justin Pryzby wrote:
> On Fri, Jun 17, 2005 at 10:33:49AM -0700, Greg Webster wrote:
> > On Fri, 2005-06-17 at 13:13 -0400, Justin Pryzby wrote:
> > > > Definitely would be a good test...I'd like to see someone validate what
> > > > I've been seeing.
> > > I see lots of the same logfile entries; but I have doubts that it is
> > > looking for a valid account, and not just looking for an *opened*
> > > account.
> >
> > The problem is, I've seen that valid accounts (like my own 'greg') get
> > tested a lot more often than the others.
>
> > Here's a sample:
> > 1 alfred
> > 1 bob
> > 1 greg
> > 1 jim
> > 1 juliab
> > 1 michelle
> > 1 sarah
> > 1 tim
> > 2 alexander
> > 2 ian
> > 2 joseph
> > 2 mark
> > 2 stephanie
> > 2 sys
> > 3 bin
> > 3 bruce
> > 3 dave
> > 3 james
> > 3 lp
> > 3 miniato
> > 3 postfix
> > 3 postgres
> > 6 games
> > 6 robert
> > 6 sshd
> > 8 steven
> > 9 backup
> > 9 www-data
> > 10 adam
> > 10 irc
> > 11 john
> > 11 news
> > 11 operator
> > 12 mail
> > 12 nobody
> > 12 richard
> > 16 michael
> > 23 mysql
> > 352 root
> >
> > Created with: zgrep 'Failed password' auth.log*gz |awk '{print $9}' |
> > sort| uniq -c |sort -k1 -n|less
> Makes sense.
>
> > Now, none of the people with 1 attempt are valid, but all of those above
> > 10 are. None of the users have a valid shell to access the server via
> > ssh, yet certain accounts get many more attempts (ignoring 'root'
> > entirely, since it'd be a known target).
> This is admittedly good evidence. I don't think I have access to any
> machines with sane-looking usernames, so I can't check for myself.
> What about greg, above, which has 1 attempt?
On that server, my username isn't 'greg', it's 'gwebster' :) None of the
first-initial, last-name accounts appear to be targeted like this.
Cheers,
Greg
--
Greg Webster - System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
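The pipeline quoted above takes the ninth whitespace-separated field of every "Failed password" line as the username. That works for "Failed password for USER from ..." but not for the form OpenSSH uses for nonexistent accounts, "Failed password for invalid user USER from ..." (older releases wrote "illegal user"), where field 9 is the word "invalid". The script below is an added example, not code from the bug report, the reporter or Debian: it walks each line to the word "for", skips the "invalid user"/"illegal user" marker when present, and reports per-user counts together with whether sshd itself flagged the account as invalid, which is the distinction the thread is trying to draw from counts alone. The log lines in sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): count sshd "Failed password" attempts
# per username and note whether sshd reported the account as invalid/illegal.
# Reads auth.log-style lines on stdin; prints "count user valid|invalid",
# sorted by count then name.
count_failed_users() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    u = $(i + 1)
                    # "for invalid user USER from" / "for illegal user USER from":
                    # the real username is two fields past the marker word.
                    if (u == "invalid" || u == "illegal") {
                        u = $(i + 3)
                        inv[u] = 1
                    }
                    n[u]++
                    break
                }
            }
        }
        END {
            for (u in n) print n[u], u, (u in inv ? "invalid" : "valid")
        }
    ' | sort -k1,1n -k2,2
}

# Constructed sample log lines (assumed host/PID/IP values, not real data).
sample_log() {
    cat <<'EOF'
Jun 17 10:33:49 host sshd[2201]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jun 17 10:33:52 host sshd[2201]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jun 17 10:34:01 host sshd[2210]: Failed password for invalid user alfred from 10.0.0.5 port 40130 ssh2
Jun 17 10:34:07 host sshd[2215]: Failed password for mysql from 10.0.0.5 port 40138 ssh2
Jun 17 10:34:09 host sshd[2215]: Failed password for mysql from 10.0.0.5 port 40138 ssh2
Jun 17 10:34:15 host sshd[2220]: Failed password for illegal user bob from 10.0.0.5 port 40141 ssh2
Jun 17 10:34:20 host sshd[2225]: Accepted publickey for gwebster from 10.0.0.9 port 51002 ssh2
Jun 17 10:34:30 host sshd[2230]: Failed password for root from 10.0.0.5 port 40150 ssh2
EOF
}

# Stand-alone run over the constructed sample; on a real host replace
# sample_log with: zgrep -h 'Failed password' /var/log/auth.log*
sample_log | count_failed_users
```

On the sample this prints one line per account with the "invalid"/"valid" flag; on a live system the same pipeline over the rotated auth.log files separates the attempts sshd rejected as nonexistent from those against existing accounts, so the comparison the thread makes by eye can be read directly from the third column.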