lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1164977062.39297.49.camel@aspirateur.sygroup-int.ch>
Date: Fri, 01 Dec 2006 13:44:22 +0100
From: Tonnerre Lombard <tonnerre.lombard@...roup.ch>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: SSH brute force blocking tool

Salut,

On Fri, 2006-12-01 at 07:26 -0500, J. Oquendo wrote:
> So again... Some of you guys need to go back and read before you post....

In this case, the NF wasn't in your original posting, so I could hardly
have seen it. Still, there are problems with it, but not security
wise...

> awk 'NF<=10&&($6=="nvalid"||$7=="user")&&$9=="from"{print $10}'
> 
> Once you try a moronic name insertion it makes the columns more than 10 
> rows invalidating it.

In that case, your script isn't going to work in most cases. For
example, on our router we get:

Dec  1 13:35:24 rtsyg01 sshd[12178]: Failed password for invalid user
asdf from 10.1.5.166 port 51558 ssh2

-> more than 10 columns.

Also, one of our customers uses user names which consist of two parts
which are separated by spaces. This is due to his use of Windows. The
users are called e.g. "John Doe", so you do an ssh "John
Doe@...vername.asdf.ch". In this case, your script fails entirely.

Probably a top-down parser isn't really suitable for this. If at all,
you should make an attempt to parse from the end of the string. sed can
help you there.

> Perhaps I should re-write TCP into the script to ensure no one ever
> spoofs again.

That wouldn't be very useful since the L4Addr doesn't matter much here,
as we're dealing with L3addrs...

				Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard@...roup.ch

Download attachment "signature.asc" of type "application/pgp-signature" (826 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ