From owner-freebsd-security@freebsd.org Sun Jul 19 00:57:04 2015
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Mark Felder
Cc: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: OpenSSH max auth tries issue
Date: Sat, 18 Jul 2015 19:57:00 -0500
Message-Id: <3BF9481E-5C31-4D74-944D-78C31C88A7C6@dataix.net>
In-Reply-To: <1437261017.3368395.327186961.64104619@webmail.messagingengine.com>
References: <55A95526.3070509@sentex.net> <1437261017.3368395.327186961.64104619@webmail.messagingengine.com>

It wouldn't pass the pf overload rules if set correctly, that's just obvious. ipfw, on the other hand, I'm not that conversant with, and with the lack of named tables I would think it isn't going to catch it like pf would.

It's trivial to just adjust the defaults for the server to 3 login attempts, and from my perspective there should not be any negative community impact from that. I've been changing it from the default of 5-6 to 3 for years, as a higher value just doesn't make logical sense.

Personally I would also like to see some defaults set for MaxStartups, which is not on by default. 10:30:100 seems to be the default, but I'd rather see something more along the lines of 5:15:30, which has worked out quite well for my instances that accept inward connections for shell access, along with the pf overload rules that I will not live without and MaxAuthTries 3.

Sorry for the top-post, some clients just don't work that way ;)

-- 
Jason Hellenthal
JJH48-ARIN

> On Jul 18, 2015, at 18:10, Mark Felder wrote:
>
>> On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
>>
>> Not sure if others have seen this yet
>> ------------------
>> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>>
>> "OpenSSH has a default value of six authentication tries before it will close the connection (the ssh client allows only three password entries per default). With this vulnerability an attacker is able to request as many password prompts limited by the "login graced time" setting, that is set to two minutes by default."
>
> Does it produce multiple entries in the server logs? I'm curious if sshguard etc. would detect this. If I understand what's going on, this might appear as if it's a single "session" and be able to bypass pf overload rules. I'll have to play around with it and see what it does.
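As an added example (not code from this thread, from OpenSSH or from FreeBSD), here is a POSIX sh audit of an `sshd -T`-style effective-configuration dump that flags the settings discussed above, together with the sshd_config stanza and pf overload rule they imply. The two sample dumps are constructed inline; `$ext_if`, the 30-second LoginGraceTime and disabling keyboard-interactive authentication are this example's assumptions, not values from the thread. One caveat worth keeping in mind: the quoted advisory says the extra password prompts are requested inside a single connection and are bounded only by LoginGraceTime, so MaxAuthTries and a pf rule that counts new connections per source do not by themselves stop that particular bypass; a short LoginGraceTime, keyboard-interactive authentication turned off where it is not needed, and a version of OpenSSH that fixes the issue are what close it, while the MaxAuthTries/MaxStartups/pf settings still limit ordinary brute force.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an effective sshd
# configuration in the `sshd -T` key/value format for the knobs discussed
# above and prints the hardened stanza plus the pf overload rule.

# Constructed sample: stock OpenSSH defaults as `sshd -T` prints them
# (lower-cased keywords, one per line).
SAMPLE_DEFAULTS='maxauthtries 6
maxstartups 10:30:100
logingracetime 120
challengeresponseauthentication yes
passwordauthentication yes'

# Constructed sample: the values recommended in the thread, plus a shorter
# LoginGraceTime and keyboard-interactive disabled (assumptions of this example).
SAMPLE_HARDENED='maxauthtries 3
maxstartups 5:15:30
logingracetime 30
challengeresponseauthentication no
kbdinteractiveauthentication no
passwordauthentication yes'

# cfg_get CONFIG KEY: print the value for KEY (case-insensitive), empty if absent.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# audit_sshd CONFIG: one OK/FAIL line per check; exit status = number of FAILs.
# Missing keys are treated as the stock defaults.
audit_sshd() {
    cfg=$1
    fails=0

    v=$(cfg_get "$cfg" maxauthtries)
    if [ "${v:-6}" -gt 3 ]; then
        echo "FAIL MaxAuthTries ${v:-6} (want 3)"; fails=$((fails + 1))
    else
        echo "OK   MaxAuthTries $v"
    fi

    # MaxStartups is start:rate:full; the first field is how many
    # unauthenticated connections sshd allows before it starts dropping new ones.
    v=$(cfg_get "$cfg" maxstartups)
    first=${v%%:*}
    if [ "${first:-10}" -gt 5 ]; then
        echo "FAIL MaxStartups ${v:-10:30:100} (want 5:15:30)"; fails=$((fails + 1))
    else
        echo "OK   MaxStartups $v"
    fi

    # The quoted advisory says the extra prompts are bounded only by
    # LoginGraceTime (120 s by default), so shorten it.
    v=$(cfg_get "$cfg" logingracetime)
    if [ "${v:-120}" -gt 30 ]; then
        echo "FAIL LoginGraceTime ${v:-120} (want <= 30)"; fails=$((fails + 1))
    else
        echo "OK   LoginGraceTime $v"
    fi

    # Keyboard-interactive is the method the advisory abuses. Newer sshd prints
    # kbdinteractiveauthentication, older ones challengeresponseauthentication.
    v=$(cfg_get "$cfg" kbdinteractiveauthentication)
    [ -n "$v" ] || v=$(cfg_get "$cfg" challengeresponseauthentication)
    if [ "${v:-yes}" = yes ]; then
        echo "FAIL keyboard-interactive authentication enabled (want no)"; fails=$((fails + 1))
    else
        echo "OK   keyboard-interactive authentication disabled"
    fi

    return $fails
}

# print_hardening: sshd_config stanza and pf.conf rule matching the audit.
# $ext_if is a placeholder macro for the external interface (assumption).
print_hardening() {
    cat <<'EOF'
# /etc/ssh/sshd_config
MaxAuthTries 3
MaxStartups 5:15:30
LoginGraceTime 30
ChallengeResponseAuthentication no

# /etc/pf.conf: rate-limit new SSH connections per source, ban repeat offenders
table <sshbrute> persist
block in quick from <sshbrute>
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, overload <sshbrute> flush global)
EOF
}

# Stand-alone demo: audit both samples, then show the hardened settings.
audit_sshd "$SAMPLE_DEFAULTS" || echo "defaults: $? setting(s) to fix"
echo
audit_sshd "$SAMPLE_HARDENED" && echo "hardened: all checks pass"
echo
print_hardening
```

On a live host, feed the audit the real dump with `audit_sshd "$(sshd -T)"` (run as root, since `sshd -T` reads the host keys). The pf rule only counts new TCP connections per source address, which is exactly why a single long-lived connection that keeps asking for prompts would not trip it; the sshd-side settings are the control for that case.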