Bad news for the world of OpenSSH users. A researcher who goes by kingcope has found and published a method of exploiting a pretty wicked bug. Yes, this most certainly qualifies as a 0-day. As published at Kingcope’s Blag, you can run roughly 10,000 password attempts against a single server, remotely, before the server ever cuts you off. Only passwords though, right? Right. If you have your SSH locked down to key-only logins then you’re safe this time. For the rest of the world, you had better have a pretty sweet password.
Let’s break this bug down. Kingcope’s findings rely on a few things. First, as mentioned above, the target allows keyboard-interactive logins, which is how password logins are normally handed to PAM on Linux and is on by default. Second, the login grace period is two minutes, the OpenSSH default (LoginGraceTime 120). The trick is that the client supplies the list of keyboard-interactive devices to try and sshd dutifully walks the whole list, so the usual per-connection cap on attempts (MaxAuthTries, default 6) never kicks in; the only limit left is the grace period, and two minutes is plenty for thousands of guesses. Finally, there is an assumption that good ol’ PAM isn’t configured to stop the effort, i.e. that it does not lock the account after a handful of failures.
Now, let’s break down how to secure ourselves. If you can move your users from password (keyboard-interactive) logins to cryptographic keys, now’s the time to do it. However, handing out keys is not enough by itself: the change has to be made on the server, in sshd_config (normally /etc/ssh/sshd_config), by setting ChallengeResponseAuthentication and KbdInteractiveAuthentication to ‘no’ (and PasswordAuthentication to ‘no’ while you are there), then reloading sshd. With no keyboard-interactive method on offer, the attack has nothing to talk to.
Secondly, two minutes for a login is a long time. Typically, it takes about 10 seconds to log in with a password, and even less with a key. Drop LoginGraceTime to 30 seconds or so and you’ll have quartered the number of password attempts this attack can make, since the grace period is the attacker’s whole budget for a connection. Bear in mind that it is the budget per connection: nothing stops the attacker opening a fresh connection and starting over, so this slows them down rather than stopping them. If you aren’t using a key then you need to make sure your password isn’t a common one. If you’ve quartered the number of attempts possible and your password isn’t in the dictionary used for the attack, then you’re golden.
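The following shell script is an added example, not something from the original post or from Kingcope: it audits an sshd_config for the directives just discussed (ChallengeResponseAuthentication, KbdInteractiveAuthentication, PasswordAuthentication and LoginGraceTime). It copies two behaviours of sshd’s own parser that people trip over when hardening by hand: keywords are case-insensitive, and the first occurrence of a keyword wins, so a ‘no’ added at the bottom of the file does nothing if a ‘yes’ appears above it. The three sample configuration files are constructed for the demo and are not from any real host; the script assumes a flat file with no Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# keyboard-interactive / grace-period settings. Assumes a flat file with no
# Match blocks and the "Keyword value" form.

# first_value FILE KEYWORD
# Print the first value set for KEYWORD, lower-cased, or nothing if the
# keyword is absent (sshd then uses its compiled-in default). Like sshd,
# keyword matching is case-insensitive and the first occurrence wins.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one finding per line; the exit status is the number of findings,
# so 0 means the file already matches the hardened settings.
audit_sshd_config() {
    cfg=$1
    findings=0

    # All three default to "yes" when unset, so "unset" is a finding too.
    for kw in ChallengeResponseAuthentication KbdInteractiveAuthentication \
              PasswordAuthentication; do
        v=$(first_value "$cfg" "$kw")
        if [ "$v" != "no" ]; then
            echo "$kw is ${v:-unset (defaults to yes)}: set it to no"
            findings=$((findings + 1))
        fi
    done

    grace=$(first_value "$cfg" LoginGraceTime)
    : "${grace:=120}"                 # OpenSSH default: 2 minutes
    case $grace in                    # sshd accepts 30, 30s or 2m; normalise to seconds
        *m) grace=$(( ${grace%m} * 60 )) ;;
        *s) grace=${grace%s} ;;
    esac
    case $grace in
        *[!0-9]*)
            echo "LoginGraceTime '$grace' is not a value this checker understands"
            findings=$((findings + 1)) ;;
        *)
            if [ "$grace" -gt 30 ]; then
                echo "LoginGraceTime is ${grace}s: drop it to 30 or lower"
                findings=$((findings + 1))
            fi ;;
    esac

    return "$findings"
}

# Constructed sample files for the demo (not taken from any real host).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# Looks harmless because nothing is set, but every default here is "yes"
Port 22
PermitRootLogin yes
UsePAM yes
EOF
cat > "$tmp/mixed.conf" <<'EOF'
# The "no" on the second line is dead: sshd keeps the first occurrence
PasswordAuthentication yes
PasswordAuthentication no
challengeresponseauthentication no
KbdInteractiveAuthentication no
LoginGraceTime 2m
EOF
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
LoginGraceTime 30
UsePAM yes
EOF

for f in weak mixed hardened; do
    echo "== $f.conf =="
    audit_sshd_config "$tmp/$f.conf" && echo "nothing to fix"
done
```

Run it against your real file with `audit_sshd_config /etc/ssh/sshd_config`; once it reports nothing, `sshd -t` and a reload finish the job. The check is deliberately pessimistic: an unset directive is reported because the default is the weak value.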
Lastly, there are security measures to be taken here, people! PAM, or Pluggable Authentication Modules, can count failures and lock an account after a certain number of attempts, which is exactly the limit this bug sidesteps inside OpenSSH. Every keyboard-interactive attempt still passes through PAM’s auth stack, so this takes the power to lock users out of OpenSSH’s hands and gives it to PAM, which is the more trustworthy of the two here. The trade-off is that anyone who knows a username can now lock that user out on purpose, so pair the lockout with an unlock timeout rather than a permanent lock.
A bonus idea is to leverage iptables to only allow SSH connections from the machines that should be reaching the server. This isn’t always possible when clients move around or come from changing addresses. However, if it is an option then you should go for it anyway: an attacker who can’t complete the TCP handshake never reaches the authentication stage at all.
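To go with the last two tips, here is a second added example (again not from the original post or from Kingcope) that generates, rather than applies, the PAM lockout lines for /etc/pam.d/sshd and an iptables allow-list for the SSH port. Printing the rules first lets you review the order, which is the part people get wrong: the ESTABLISHED rule has to come first so your own session survives, and the DROP has to come last. It assumes the older pam_tally2 module (distributions that have moved to pam_faillock use that module’s preauth/authfail/account lines instead), iptables rather than nftables, and the allow-listed addresses are hypothetical RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): print the PAM lockout lines and
# the iptables allow-list rules so they can be reviewed and then applied by
# hand. Nothing here touches the running system. Assumes pam_tally2 (older
# PAM stacks; newer ones ship pam_faillock instead) and iptables, not nftables.

# pam_lockout_lines DENY UNLOCK_SECONDS
# Lines for /etc/pam.d/sshd. The auth line goes ABOVE the pam_unix.so auth
# line so that every failed attempt, including the flood this exploit
# produces, is counted; the account line is what actually refuses a locked
# account. unlock_time stops a deliberate lockout by an attacker who knows a
# username from being permanent.
pam_lockout_lines() {
    cat <<EOF
auth     required   pam_tally2.so deny=$1 unlock_time=$2
account  required   pam_tally2.so
EOF
}

# ssh_allowlist_rules PORT SOURCE...
# iptables commands in the order they must be applied (-A appends, so the
# order printed is the order matched): keep existing sessions, accept new
# connections from each listed source, drop everything else to the port.
# Any ACCEPT for the port that is already earlier in INPUT would still win,
# so check the existing chain with `iptables -S INPUT` first.
ssh_allowlist_rules() {
    port=$1
    shift
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

echo "# /etc/pam.d/sshd (insert above the pam_unix.so auth line):"
pam_lockout_lines 5 900
echo
echo "# iptables (hypothetical management hosts, RFC 5737 documentation ranges):"
ssh_allowlist_rules 22 203.0.113.10 198.51.100.0/24
```

Apply the iptables lines from a console or an already-established session, not a fresh SSH one, and make sure the management host you are typing from is in the list before the DROP goes in.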
Protect yourselves out there!