Spike in SSH attacks
Bill Sconce
sconce at in-spec-inc.com
Mon Jun 21 10:51:38 EDT 2010
On Mon, 21 Jun 2010 10:04:59 -0400
Ted Roche <tedroche at gmail.com> wrote:
> On Mon, Jun 21, 2010 at 9:28 AM, Benjamin Scott <dragonhawk at gmail.com> wrote:
> >
> > Apparently attackers are going after "keyboard interactive"
> > authentication, which is separate from "password authentication".
> >
>
> So, even if I have set PasswordAuthentication no in my sshd_config,
> there's still a way to ssh into the server without a key pair? That's
> confusing.
>
> Time to break out the dog-eared snail book and get a refresh...
I had to do the same. "Challenge/Response" ?? "S/Key" ????
From Barret & Silverman, "SSH...The Definitive Guide", 1st ed., p 175:
"S/Key is a one-time password system, created by Bellcore [...]
'One-time' means that each time you authenticate, you provide a
different password" ...
The remote sshd service provides you with an integer and a string,
which you enter into a magic calculator on your local machine,
along with a secret passphrase [never transmitted], and the
"calculator" produces your one-time password.
My reading is that Yes, there's a way to ssh in without a key pair;
but No, the bad guys don't get in that way (unless the one-time key
framework was very poorly set up somehow); and What You Care About
is that a machine which OFFERS the S/Key method will get lots of
attention from the world of botnets.
START WITH NEVER EXPOSING SSHD ON PORT 22.
-Bill
who just went and looked, and found one of his servers with S/Key
still defaulted (on), but with not a peep in the logs because of
not being on port 22.
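As an added example (not part of Bill's message or anything the list posted), here is a small POSIX shell audit of an sshd_config that shows the gap Ted is asking about: OpenSSH applies the first occurrence of a directive and falls back to a built-in default when it is absent, so a file that says only "PasswordAuthentication no" still has ChallengeResponseAuthentication (the keyboard-interactive method, which is what S/Key and PAM prompts use) at its default of yes. The two config files are constructed inline for the example; the function names and the port number 2222 are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# OpenSSH uses the FIRST occurrence of a directive in the global section and a
# built-in default when the directive is missing, so "absent" is not "off".

# Print the effective value of a directive in the global section.
#   $1 = config file, $2 = directive name, $3 = default if absent
# Keyword match is case-insensitive; "key value" and "key=value" forms both work.
# Directives inside a Match block are skipped (they apply per-connection only).
effective_value() {
    val=$(awk -v key="$2" '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n < 1 || f[1] ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Report effective settings and return non-zero when the host still offers
# an interactive way in, or still sits on port 22 where botnets look first.
audit_sshd_config() {
    cfg="$1"
    pw=$(effective_value "$cfg" PasswordAuthentication yes)
    # KbdInteractiveAuthentication is the newer spelling of the same setting.
    kbd=$(effective_value "$cfg" ChallengeResponseAuthentication "")
    [ -n "$kbd" ] || kbd=$(effective_value "$cfg" KbdInteractiveAuthentication yes)
    port=$(effective_value "$cfg" Port 22)
    rc=0
    printf '%s: PasswordAuthentication=%s ChallengeResponseAuthentication=%s Port=%s\n' \
        "$cfg" "$pw" "$kbd" "$port"
    [ "$pw" = no ] || { echo "  WARN: password authentication still enabled"; rc=1; }
    [ "$kbd" = no ] || { echo "  WARN: keyboard-interactive still enabled (S/Key, PAM prompts)"; rc=1; }
    [ "$port" != 22 ] || { echo "  NOTE: sshd listens on port 22; expect botnet traffic in the logs"; rc=1; }
    return $rc
}

# Constructed sample: the situation Ted describes (password auth off, nothing else).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed for this example)
Port 22
PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample: keyboard-interactive disabled too, and off port 22 as Bill
# recommends. The Match block must not fool the audit: the global "no" wins.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# sshd_config (constructed for this example)
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG"
audit_sshd_config "$HARD_CFG"
```

On a live host, `sshd -T` prints the effective configuration with every default filled in (and with Match and Include handled), so it is the authoritative check rather than reading the file. When keyboard-interactive is still on, the corresponding failures show up in the auth log as "Failed keyboard-interactive/pam for ..." lines, which is the traffic Bill found missing on his off-port server.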