From: Mark Felder
To: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: OpenSSH max auth tries issue
Date: Sat, 18 Jul 2015 18:10:17 -0500

On Fri, Jul 17, 2015, at 14:19, Mike Tancsa wrote:
> Not sure if others have seen this yet
>
> ------------------
>
>
> https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
>
> "OpenSSH has a default value of six authentication tries before it will
> close the connection (the ssh client allows only three password entries
> per default).
>
> With this vulnerability an attacker is able to request as many password
> prompts limited by the “login graced time” setting, that is set to two
> minutes by default."
>
>

Does it produce multiple entries in the server logs? I'm curious if
sshguard etc would detect this. If I understand what's going on, this
might appear as if it's a single "session" and be able to bypass pf
overload rules. I'll have to play around with it and see what it does.
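
Added example, not part of the original message: a log check that counts failed authentications per sshd connection (sshd PID plus source IP and port) and flags any connection that exceeds the six-try default quoted above, alongside the per-IP connection count that a connection-rate rule would see. It assumes the server writes one "Failed ..." line per failed attempt, which is the open question in the message; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAX_AUTH_TRIES = 6  # OpenSSH default quoted in the message above

# Constructed sample lines in sshd's syslog style (not captured from a real host).
# PID 4101: one connection with 9 failures; PIDs 4200-4202: one failure each.
SAMPLE_LOG = "\n".join(
    [f"Jul 18 19:10:{i:02d} host sshd[4101]: Failed keyboard-interactive/pam "
     f"for root from 203.0.113.5 port 51234 ssh2" for i in range(9)]
    + [f"Jul 18 19:11:{i:02d} host sshd[{4200 + i}]: Failed password "
       f"for admin from 198.51.100.7 port {40000 + i} ssh2" for i in range(3)]
)

# Assumption: each failed attempt is logged as "Failed <method> for <user> from <ip> port <n>".
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def failures_per_connection(log_text):
    """Count failed-auth lines per (sshd PID, source IP, source port)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(int(m["pid"]), m["ip"], int(m["port"]))] += 1
    return dict(counts)

def over_limit(log_text, limit=MAX_AUTH_TRIES):
    """Connections whose failure count exceeds what MaxAuthTries should allow."""
    return {k: n for k, n in failures_per_connection(log_text).items() if n > limit}

def connections_per_ip(log_text):
    """Distinct connections per source IP, the figure a connection-rate rule counts."""
    seen = defaultdict(set)
    for (pid, ip, port) in failures_per_connection(log_text):
        seen[ip].add((pid, port))
    return {ip: len(conns) for ip, conns in seen.items()}

if __name__ == "__main__":
    for (pid, ip, port), n in over_limit(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {ip}:{port}: {n} failures in one connection "
              f"(limit {MAX_AUTH_TRIES})")
    print(connections_per_ip(SAMPLE_LOG))
```

In the constructed sample, the source with nine failures appears as a single connection, while the source with three failures appears as three connections.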