From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:41:06 2009
Message-Id: <200912011724.KAA10851@lariat.net>
Date: Tue, 01 Dec 2009 10:23:00 -0700
To: freebsd-security@freebsd.org
From: Brett Glass
In-Reply-To: <200912010522.WAA03022@lariat.net>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net>
Subject: Increase in SSH attacks as of announcement of rtld bug
List-Id: "Security issues [members-only posting]"

Everyone:

I don't know if it's a coincidence, but I doubt it is: Since the announcement of the rtld bug, we've seen a precipitous increase in the number of SSH password guessing attacks on our systems. Apparently, the folks who are mounting the attacks (usually via botnets) have realized that if they get into a user shell account on an unpatched system, they have effectively broken root.
It would be wise for all FreeBSD system administrators to set AllowUsers as restrictively as possible in sshd_config, and also (because the attacks can take a great toll on servers in terms of CPU and other resources) consider other changes to "armor" their systems against SSH attacks. It may be time, in fact, to consider implementing single packet authentication as the default in SSH servers and as a built-in feature in SSH clients. (Does anyone know of a good SSH client that integrates a single packet authentication system -- e.g. fwknop? I'm already seeking sources and a toolchain so that I can try my hand at doing this for TeraTerm.)

--Brett Glass
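As an added example, not part of the original post and not code from the author or the FreeBSD project, the script below does the two things an administrator reading the message would want to automate: audit an sshd_config for the AllowUsers restriction (plus PermitRootLogin and PasswordAuthentication, which bound the same risk) and count "Failed password" lines per source address in an auth log to spot guessing sources. The sshd_config text, the log lines and the addresses are constructed sample data; the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sshd_config fragment (example values, not from the original mail).
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice bob@192.0.2.0/24
MaxAuthTries 3
"""

# Constructed syslog lines in the format sshd writes on FreeBSD (sample data).
AUTH_LOG = """\
Dec  1 09:58:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 44321 ssh2
Dec  1 09:58:03 host sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 44330 ssh2
Dec  1 09:58:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 44341 ssh2
Dec  1 09:58:06 host sshd[1237]: Invalid user test from 198.51.100.7
Dec  1 09:59:10 host sshd[1240]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Dec  1 09:59:20 host sshd[1241]: Accepted publickey for alice from 203.0.113.9 port 50002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd_config(text):
    """Map lowercased keyword -> list of values for the global section of an sshd_config.

    Lines after the first 'Match' block are ignored, since they apply conditionally.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the hardening points are met.

    Missing keywords are treated as their permissive values ('yes'), which is the
    conservative assumption for an audit.
    """
    conf = parse_sshd_config(text)
    findings = []
    allow = conf.get("allowusers")
    if not allow:
        findings.append("AllowUsers is not set; every local account is reachable via SSH")
    else:
        for entry in " ".join(allow).split():
            if "*" in entry.split("@")[0]:
                findings.append(f"AllowUsers entry '{entry}' wildcards the user part")
    root = conf.get("permitrootlogin", ["yes"])[0].lower()
    if root not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password logins for root")
    if conf.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("PasswordAuthentication is enabled; guessing attacks can succeed")
    return findings


def count_failed_logins(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def guessing_sources(log_text, threshold=3):
    """Addresses with at least `threshold` failed password attempts (threshold is an assumption)."""
    return sorted(ip for ip, n in count_failed_logins(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for finding in audit_sshd_config(SSHD_CONFIG) or ["sshd_config: no findings"]:
        print(finding)
    for ip, n in count_failed_logins(AUTH_LOG).most_common():
        print(f"{ip}: {n} failed password attempts")
    print("guessing sources:", guessing_sources(AUTH_LOG))
```

The audit only reads the global section; a real deployment with Match blocks would need per-block evaluation. The log parser keys on the "Failed password" message, so the "Invalid user" pre-auth line for the same source is deliberately not double-counted.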