Spike in SSH attacks

Bill Sconce sconce at in-spec-inc.com
Mon Jun 21 10:51:38 EDT 2010


On Mon, 21 Jun 2010 10:04:59 -0400
Ted Roche <tedroche at gmail.com> wrote:

> On Mon, Jun 21, 2010 at 9:28 AM, Benjamin Scott <dragonhawk at gmail.com> wrote:
> >
> >  Apparently attackers are going after "keyboard interactive"
> > authentication, which is separate from "password authentication".
> >
> 
> So, even if I have set PasswordAuthentication no in my sshd_config,
> there's still a way to ssh into the server without a key pair? That's
> confusing.
> 
> Time to break out the dog-eared snail book and get a refresh...

I had to do the same.  "Challenge/Response" ??   "S/Key" ????
From Barrett & Silverman, "SSH...The Definitive Guide", 1st ed., p 175:
  "S/Key is a one-time password system, created by Bellcore [...]
  'One-time' means that each time you authenticate, you provide a
  different password" ...
The remote sshd service provides you with an integer and a string,
which you enter into a magic calculator on your local machine,
along with a secret passphrase [never transmitted], and the
"calculator" produces your one-time password.

My reading is that Yes, there's a way to ssh in without a key pair;
but No, the bad guys don't get in that way (unless the one-time key
framework was very poorly set up somehow); and What You Care About
is that a machine which OFFERS the S/Key method will get lots of
attention from the world of botnets.

START WITH NEVER EXPOSING SSHD ON PORT 22.

-Bill
who just went and looked, and found one of his servers with S/Key
still defaulted (on), but with not a peep in the logs because of
not being on port 22.
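An added check for the two points raised in this thread (it is not code from the list or from any of the posters): `PasswordAuthentication no` does not switch off the keyboard-interactive / challenge-response path, and a host that still offers it on port 22 will show up as "Failed keyboard-interactive" lines in auth.log. The sshd_config fragment and log lines below are constructed for the example.

```python
import re
from collections import Counter
# Constructed sshd_config fragment (not from the thread): password logins are
# off, but the challenge-response line is commented out, so it keeps its default.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
#ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Constructed auth.log lines in OpenSSH's format; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
Jun 21 10:04:59 srv sshd[2210]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 4422 ssh2
Jun 21 10:05:01 srv sshd[2210]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 4423 ssh2
Jun 21 10:05:03 srv sshd[2214]: Failed password for root from 203.0.113.9 port 5100 ssh2
Jun 21 10:05:07 srv sshd[2216]: Accepted publickey for bill from 198.51.100.7 port 51022 ssh2
"""

def effective_settings(config_text):
    # sshd keywords are case-insensitive, the FIRST occurrence of a keyword wins,
    # and directives after a Match block are conditional, so parsing stops there.
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(config_text):
    # Flags the settings the thread is about, using sshd's defaults ("yes", port 22) for unset keywords.
    s = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on")
    # KbdInteractiveAuthentication is the current keyword; ChallengeResponseAuthentication is its older alias.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd == "yes":
        findings.append("KbdInteractiveAuthentication is on; PasswordAuthentication no does not cover it")
    if s.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings

FAILED_KBD = re.compile(r"Failed keyboard-interactive\S* for (?:invalid user )?(\S+) from (\S+)")
def failed_keyboard_interactive(log_text):
    # Failed keyboard-interactive attempts per source address: the noise to expect once sshd offers that method.
    return dict(Counter(m.group(2) for m in FAILED_KBD.finditer(log_text)))
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to see which of the three findings apply there.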



More information about the gnhlug-discuss mailing list