lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 Jun 2010 22:06:03 -0400 (EDT)
From: bugs@....dhs.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

If you guys are interested I have a list of login/password combos they use:

http://vapid.dhs.org/ssh-attack-passwd.txt


> On 6/17/2010 3:21 PM, Paul Schmehl wrote:
>> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@...il.com>
>> wrote:
>>>
>>> Of course it's wise to disable password authentication and just use
>>> public key authentication.
>>
>> Why?  Ssh is encrypted, so you're not exposing a password when you
>> login.  How
>> does public key authentication make you more secure (in a practical
>> sense)?
>
> In the case of SSH password auth you are handing the plaintext password
> directly to any server you log in to. For many of us, this is basically
> any time we're expecting to contact that server for the first time from
> that client machine. For users who are willing to bypass a server key
> mismatch warning, they may be giving away their password every time.
>
> I know there's somebody out there who always verifies server
> fingerprints through an independent trusted channel before accepting
> them. I would like to meet this person.
>
> Often the same password is used on multiple systems (e.g.
> kerberos/active directory).
>
> However, if the client is configured to only use public key auth,
> accidentally connecting to a malicious server does not automatically
> give the bad guy your plaintext password.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ