[ILUG] SSH dictionary attacks.

Aine Douglas aine.douglas at gmail.com
Thu Aug 24 14:48:41 IST 2006


On 8/24/06, kevin lyda <kevin at ie.suberic.net> wrote:
> On Wed, Aug 23, 2006 at 03:59:56PM +0100, paul at clubi.ie wrote:
> > However the ssh server has:
> >
> > - no control over whether the remote user does or does not protect
> >   their key with a pass phrase
>
> ok, yes, but there's a major difference: in general the user's ssh key
> is not accessible directly via the net; the ssh login password is.
>
> if i want to use paul's key to break into server target.com.ie i have to
> go find paul's key.  where is that?  and once i figure out that it's on
> laptop x that is usually behind a firewall, how do i get to it?
>
> in my mind that's a big win.

Does anyone else remember a story from around 1998 where some guys
set up a Linux server exposing only two services, ssh on port 22 and
Apache on port 80, and then proceeded with a project to portscan the
entire internet?

If I remember rightly, they pi$$3d off a lot of admins and then
eventually the webserver got hacked.

Upon analysis, it was discovered that someone had traced the client
machine that they connected from, and hacked it, and retrieved the SSH
key file to access the server. I don't recall if the client was
Windows / Linux.

The moral of the story is, if you're going to use certificate access,
you better be sure that it is protected by means other than the
filesystem. And yes, if they do retrieve it, it's possibly only a
matter of time before they crack the password on it unless you have an
enforced password policy, as Paul has pointed out, but clearly there
are extra layers of complexity involved in the attack making it less
and less feasible through enhanced security.

Aine.
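
The thread's point that the server cannot tell whether a user's key carries a passphrase leaves the check to the client side. The following is an added example, not part of the original post: a Python audit that classifies private key files by their on-disk header. The function names and the sample strings are constructed for illustration.

```python
import base64, struct, sys
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\0"

def passphrase_status(key_text):
    """Classify a private key file's text as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, plaintext
        return "unencrypted"
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1: magic, then a length-prefixed cipher name ("none" = no passphrase)
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return "unknown"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header line
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])
        return "encrypted" if enc else "unencrypted"
    return "unknown"

def openssh_sample(cipher):
    """Constructed header-only sample (not a usable key) in the OpenSSH format."""
    b64 = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM samples; the bodies are placeholders, not key material.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    ssh_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".ssh"
    for path in (sorted(ssh_dir.iterdir()) if ssh_dir.is_dir() else []):
        status = passphrase_status(path.read_text(errors="replace")) if path.is_file() else "unknown"
        if status != "unknown":
            print(f"{status:12} {path}")
```

Run against a user's `~/.ssh` directory, it lists each private key with its status; it says nothing about how strong a passphrase is.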
