Channel: OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass) : netsec

/u/immibis on OpenSSH keyboard-interactive authentication brute force...

Looks like an interesting bug - it's not just your standard buffer overflow or missed access check.




/u/xouba on OpenSSH keyboard-interactive authentication brute force...

For the record, Debian and Ubuntu do the same. From the man page of sshd_config: Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the...


/u/gordonmessmer on OpenSSH keyboard-interactive authentication brute force...

Red Hat and CentOS (5, 6, 7) systems don't seem to be affected. sshd_config explicitly sets ChallengeResponseAuthentication=no, and KbdInteractiveAuthentication defaults to the value specified for the...


/u/picklednull on OpenSSH keyboard-interactive authentication brute force...

not a benefit to the owner of the server. Detecting attacks against you (and reacting to them) is important.


/u/[deleted] on OpenSSH keyboard-interactive authentication brute force...

[deleted]



/u/flickerfly on OpenSSH keyboard-interactive authentication brute force...

Did this ever get a CVE number?


/u/dRiek on OpenSSH keyboard-interactive authentication brute force...

Tried an OSX target, worked. Not sure what the defaults for sshd_config are on OSX though, don't run it myself. What's problematic for OSX is that there is almost no timeout between failed password...


/u/dittoalex on OpenSSH keyboard-interactive authentication brute force...

This has been around for >4 years. Kept getting scanned by it en masse and could tell it was an OpenSSH loophole but didn't know what.



/u/T-Rax on OpenSSH keyboard-interactive authentication brute force...

whoa, been a while since kingcope released something.



/u/Basket_Case on OpenSSH keyboard-interactive authentication brute force...

Crap, you are right. I thought I had UsePAM enabled on the system I tested with but it was disabled. With PAM enabled PasswordAuthentication can happen via KbdInteractiveAuthentication.


/u/highspeedstrawberry on OpenSSH keyboard-interactive authentication brute...

Oh, now I get it. It's uncommented and disabled in my config, so I must have known that at some point and forgotten about it. Strikes me as odd that it's not in this guide even though...


/u/peshor on OpenSSH keyboard-interactive authentication brute force...

You are right! In FreeBSD there isn't a PAM delay between failed authentication attempts when using keyboard-interactive authentication. In e.g. RedHat there is a 1-2 second delay. So with FreeBSD it's...


/u/mioelnir on OpenSSH keyboard-interactive authentication brute force...

From http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config

KbdInteractiveAuthentication: Specifies whether to allow keyboard-interactive authentication. The argument...



/u/RPMiSO on OpenSSH keyboard-interactive authentication brute force...

Does anyone know much about kingcope? He seems to be one of the few people that find pretty serious vulns and publish them with a weaponised exploit.


/u/gsuberland on OpenSSH keyboard-interactive authentication brute force...

This will save a lot of time and space in comparison to my manual method...



/u/interfect on OpenSSH keyboard-interactive authentication brute force...

Is this vulnerability just telling the server that you have ten thousand keyboards? Because I like it.


/u/Bilbo_Fraggins on OpenSSH keyboard-interactive authentication brute force...

Yes and no. The vuln lets you make thousands of authentication requests per connection, limited only by the "login grace time" setting, which is 2 minutes by default. fail2ban will limit you to a small...



/u/n17ikh on OpenSSH keyboard-interactive authentication brute force...

I just block SSH over ipv6 and use denyhosts for the ipv4 accesses.


/u/3l3s3 on OpenSSH keyboard-interactive authentication brute force...

This is especially annoying as denyhosts is deprecated and does not do anything for IPv6 either.


/u/csirac2 on OpenSSH keyboard-interactive authentication brute force...

Why? Because of privacy extensions? Block the /64 and be done with it.

No, because it simply doesn't even know how to IPv6. At all. So if you're trying to protect something that has an IPv6 address,...


/u/mikemol on OpenSSH keyboard-interactive authentication brute force...

fail2ban is completely and utterly useless if you are reachable via an IPv6 address as well.

Why? Because of privacy extensions? Block the /64 and be done with it.



/u/BloodyIron on OpenSSH keyboard-interactive authentication brute force...

fail2ban isn't just about SSH



/u/sneakatdatavibe on OpenSSH keyboard-interactive authentication brute force...

if you're using fail2ban in 2015, you're doing it wrong. turn off password authentication already ffs.


/u/rya_nc on OpenSSH keyboard-interactive authentication brute force...

I'm a fan of pam_shield.


/u/noop__ on OpenSSH keyboard-interactive authentication brute force...

This does me pretty well:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state...



/u/callekabo on OpenSSH keyboard-interactive authentication brute force...

Would using fail2ban protect you from this vulnerability? I'm not certain how it's implemented.
