Subject: sshd password guessing attacks on the rise
To: None <tech-security@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20041007T084355@dailyplanet.dontspam.wsrcc.com>
List: tech-security
Date: 10/07/2004 09:07:34
I'm starting to see rampant sshd password-guessing attacks here.  In
the last 4 days alone there were 8469 attempts to log in as root using
password authentication from 218.18.107.38.  There were another ~700
from 3 other sources.

Well, I haven't allowed password authentication (or the ssh1 protocol
for that matter) in years, so it's not a big security problem for me.

The sheer size of the dictionary attack is almost certainly going to
net them quite a few compromised systems.  Back when telnet was all we
had I used to test password files against small dictionaries like that
all the time.  On average 10% of the passwords were easily guessable.
I don't doubt that whoever is doing this is finding lots of lightly
secured machines.

While this isn't a NetBSD problem per se, it may not be a bad idea to
be a bit pro-active and publicize the problem and the fix.

The NetBSD security folks might want to think about putting out an
advisory suggesting that all sshd admins move to allowing only
public-key logins for remote users.  (e.g. the ill-named
"PasswordAuthentication no" in the openssh /etc/ssh/sshd_config file.)
While in that file folks should probably also turn off ssh1 by putting
a "Protocol 2" in there and removing any other "Protocol" line.

Public key logins require you carry a second "disposable" key on a usb
eeprom "keyfrob", cdrom, or floppy or have somehow created a new one
on the remote system and added the public key part to your
~/.ssh/authorized_keys.  It is a bit of a pain, but anyone without
your secret key will need to guess the secret key (usually 1k bits),
which is much harder than guessing passwords.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
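Added example (not part of the original post or of NetBSD/OpenSSH): a small POSIX sh script covering both halves of the message above. `sshd_audit` reads an sshd_config and reports whether it carries the two settings recommended in the post (`PasswordAuthentication no` and a single effective `Protocol 2`), using sshd's own first-match-wins rule so a stray later `Protocol 2,1` line is still caught. `count_root_guesses` summarises failed root password attempts per source address from syslog-style sshd "Failed password" lines, the kind of tally the post's "8469 attempts from one address" figure comes from. The config snippets and log lines are constructed for the example; the audit assumes the whitespace-separated `keyword value` form of sshd_config and ignores `Match` blocks and the `keyword=value` form, which is a simplification.

```shell
#!/bin/sh
# Example code added for illustration; not from the original message.
# Audits the two sshd_config settings recommended above and counts
# password-guessing attempts against root from sshd log lines.

# Effective value of a keyword in an sshd_config file.  sshd uses the
# first matching line, keywords are case-insensitive, and comment lines
# are ignored.  Assumes "keyword value" form; Match blocks and the
# "keyword=value" form are not handled (simplification for the example).
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Returns 0 when the config disables password authentication and restricts
# sshd to protocol 2 only; otherwise prints what to change and returns 1.
sshd_audit() {
    pa=$(sshd_effective "$1" PasswordAuthentication)
    proto=$(sshd_effective "$1" Protocol)
    ok=0
    if [ "$pa" != "no" ]; then
        echo "PasswordAuthentication is '${pa:-unset}'; set it to 'no'"
        ok=1
    fi
    if [ "$proto" != "2" ]; then
        echo "Protocol is '${proto:-unset}'; keep exactly one 'Protocol 2' line"
        ok=1
    fi
    return $ok
}

# Count failed password attempts for root per source address, reading
# syslog-style sshd lines on stdin.  Output: "count address", busiest first.
# Matches both "for root from" and "for invalid user root from".
count_root_guesses() {
    awk '
        /sshd\[[0-9]+\]: Failed password for (invalid user )?root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) print n[a], a }
    ' | sort -rn
}

# Constructed sample log lines (documentation addresses, not real sources).
SAMPLE_LOG='Oct  7 08:41:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 4021 ssh2
Oct  7 08:41:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct  7 08:41:09 host sshd[1236]: Failed password for invalid user admin from 198.51.100.9 port 5000 ssh2
Oct  7 08:41:12 host sshd[1237]: Failed password for root from 198.51.100.9 port 5001 ssh2
Oct  7 08:41:15 host sshd[1238]: Accepted publickey for alice from 192.0.2.5 port 6000 ssh2'

# Stand-alone demonstration: audit a constructed weak config, then the
# fixed one, and tally the sample log.
demo() {
    cfg=$(mktemp)
    printf 'PasswordAuthentication yes\nProtocol 2,1\n' > "$cfg"
    echo "--- weak config:"
    sshd_audit "$cfg" || true
    printf 'Protocol 2\nPasswordAuthentication no\n' > "$cfg"
    echo "--- hardened config:"
    sshd_audit "$cfg" && echo "ok"
    rm -f "$cfg"
    echo "--- root password failures per source:"
    printf '%s\n' "$SAMPLE_LOG" | count_root_guesses
}
demo
```

Run it against a live system with `sshd_audit /etc/ssh/sshd_config` and `count_root_guesses < /var/log/authlog` (or wherever syslog sends sshd's auth facility); a large count from one address is the pattern described in the message, and the audit passing is the fix it recommends.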