[2948] in bugtraq
Re: brute force
daemon@ATHENA.MIT.EDU (Buckaroo Banzai)
Tue Jul 16 19:15:43 1996
Date: Tue, 16 Jul 1996 17:33:17 -0400
From: Buckaroo Banzai <buckaroo@2600.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199607110542.BAA02142@gateway.esisys.com>
>>>>> On Thu, 11 Jul 1996 02:54:52 (-0400) Jacob Langseth
>>>>> <jacob@esisys.com> said:
} Interestingly,
} o It is the ssh client that disconnects after the first failure.
} o Sshd (v1.2.13, at least) will allow unlimited password attempts
} and does not produce logs regarding the failure(s).
Ok, here's a fix: (against 1.2.14)
--- sshd.c.~1~ Thu Jun 6 04:39:34 1996
+++ sshd.c Tue Jul 16 11:41:04 1996
@@ -1247,6 +1247,7 @@
char *client_user;
unsigned int client_host_key_bits;
MP_INT client_host_key_e, client_host_key_n;
+ int chances = 3;
/* Verify that the user is a valid user. We disallow usernames
starting
with any characters that are commonly used to start NIS
entries. */
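Review bot: `int chances = 3;` is a bare magic number in the middle of the per-connection state, and because sshd forks one process per connection the counter only covers a single connection, so a client that reconnects starts again at 3; a named constant or a server option would make the limit visible and tunable, and the comment should say that the limit is per connection (the quoted thread notes the standard client disconnects after one failure anyway, so the limit mainly affects modified clients).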
@@ -1463,6 +1464,11 @@
break;
}
debug("Password authentication for %.100s failed.", user);
+ if (--chances < 0) {
+ debug("Too many password attempts for %.100s.", user);
+ packet_disconnect("Too many password attempts.");
+ /* NOTREACHED */
+ }
memset(password, 0, strlen(password));
xfree(password);
break;
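Review bot: `if (--chances < 0)` with `chances` starting at 3 lets four failed passwords through before the disconnect, not three (decrements go 2, 1, 0, and only the fourth reaches -1); if three is the intent, test `<= 0` or start at 2. The new branch also still reports only through `debug()`, which is silent unless sshd runs with debugging, so the original complaint that failures are not logged is not addressed for a normal deployment; the "Too many password attempts" message belongs on the server's regular log path together with the client address. Finally, the new branch calls `packet_disconnect()` before the `memset(password, 0, ...)`/`xfree(password)` that follows, so the plaintext password is left in memory on the disconnect path; clear it inside the branch before disconnecting.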
} o Ssh is often allowed through otherwise restrictive filters or firewalls.
Not where I'm currently working. I've had to set up a tight-binding
proxy for the service on a telnet port.
} This makes ssh a bit more appealing for brute-force cracks than one might
} first suspect...
Agreed.
I should actually extend this to notify the shadow library of a failed
login attempt, and get it to log it in faillog. That way at least the
user is made aware that someone has been trying to get in...
Buckaroo.
--
If I had something funny to say down here, you'd know it.
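Added example, not code from the post or from the ssh 1.2.x sources: a stand-alone model of the per-connection failed-password counter the patch introduces. `record_password_failure`, `MAX_PASSWORD_ATTEMPTS` and `struct auth_state` are names assumed here for illustration; the patch's own variable is `chances`. The example goes slightly beyond the patch in that `attempts_allowed_by_patch` replays the `--chances < 0` test to show how many failures it actually tolerates for a given starting value, and the limiter below produces a log line for every failure rather than only a debug message, which is the behaviour a defender would want when auditing brute-force attempts.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constant for this example; the patch hard-codes 3. */
#define MAX_PASSWORD_ATTEMPTS 3

/* Per-connection state. sshd forks one process per connection, so a
 * counter like this lives only as long as that connection (assumption:
 * modelled on the patch's `chances` variable, not sshd's own code). */
struct auth_state {
    int failures;        /* failed password attempts on this connection */
    char last_msg[160];  /* last log line produced, kept for inspection */
};

void auth_state_init(struct auth_state *s)
{
    s->failures = 0;
    s->last_msg[0] = '\0';
}

/* Record one failed password attempt for `user`.
 * Returns 1 when the connection should be dropped (limit reached),
 * 0 when the client may try again. Every failure yields a log line,
 * so an administrator can see attempts without running sshd in debug. */
int record_password_failure(struct auth_state *s, const char *user)
{
    s->failures++;
    if (s->failures >= MAX_PASSWORD_ATTEMPTS) {
        snprintf(s->last_msg, sizeof s->last_msg,
                 "Too many password attempts for %.100s (%d failures)",
                 user, s->failures);
        return 1;
    }
    snprintf(s->last_msg, sizeof s->last_msg,
             "Password authentication for %.100s failed (%d of %d)",
             user, s->failures, MAX_PASSWORD_ATTEMPTS);
    return 0;
}

/* Replay the patch's `if (--chances < 0)` test and report how many failed
 * passwords it accepts before disconnecting, for a given initial value.
 * With chances = 3 the answer is 4, not 3: the decrements go 2, 1, 0 and
 * only the fourth failure reaches -1. */
int attempts_allowed_by_patch(int chances)
{
    int attempts = 0;
    for (;;) {
        attempts++;                 /* one more failed password */
        if (--chances < 0)          /* this is where the patch disconnects */
            return attempts;
    }
}

int main(void)
{
    struct auth_state s;
    auth_state_init(&s);

    /* Constructed sample: three failures for one user on one connection. */
    for (int i = 0; i < 3; i++) {
        int drop = record_password_failure(&s, "alice");
        printf("%s%s\n", s.last_msg, drop ? " -> disconnect" : "");
    }
    printf("patch with chances=3 tolerates %d failed passwords\n",
           attempts_allowed_by_patch(3));
    return 0;
}
```

`attempts_allowed_by_patch(3)` returning 4 is the off-by-one a reviewer would flag in the patch; the limiter above avoids it by counting failures upward and comparing against the limit directly.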