[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] targetted SSH bruteforce attacks
- Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
- From: bugs@xxxxxxxxxxx
- Date: Mon, 21 Jun 2010 22:06:03 -0400 (EDT)
If you guys are interested I have a list of login/password combos they use:
http://vapid.dhs.org/ssh-attack-passwd.txt
> On 6/17/2010 3:21 PM, Paul Schmehl wrote:
>> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@xxxxxxxxx>
>> wrote:
>>>
>>> Of course it's wise to disable password authentication and just use
>>> public key authentication.
>>
>> Why? Ssh is encrypted, so you're not exposing a password when you
>> login. How
>> does public key authentication make you more secure (in a practical
>> sense)?
>
> In the case of SSH password auth you are handing the plaintext password
> directly to any server you log in to. For many of us, this is basically
> any time we're expecting to contact that server for the first time from
> that client machine. For users who are willing to bypass a server key
> mismatch warning, they may be giving away their password every time.
>
> I know there's somebody out there who always verifies server
> fingerprints through an independent trusted channel before accepting
> them. I would like to meet this person.
>
> Often the same password is used on multiple systems (e.g.
> kerberos/active directory).
>
> However, if the client is configured to only use public key auth,
> accidentally connecting to a malicious server does not automatically
> give the bad guy your plaintext password.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/