I don't know, judging by my SSH logs it seems a lot of the automated malicious login attempts are looking for common software used to deploy code. Knowing that a target machine has a username used by some popular software might be valuable information in an attack.
But on the subject of passwords, best practice for SSH for a long time has been to disable password based login entirely and rely on keys.
Exactly - it also works for non-SSH accounts, thus allowing software enumeration by testing for default/common/known default service users.
For instance, an OpenBSD box running Tor may have a user "_tor", a Debian-based box (e.g. Ubuntu) may have a user "debian-tor", and so on (depending on how Tor was installed, in my case via pkg_add & apt-get; usernames might vary for different OS/repo versions). I have tested this using the PoC against some of my own systems (the ones that have PasswordAuthentication still enabled) and it works for those.
...and apparently the same issue exists in Dropbear up until current version (2018.76 / Feb 2018), which has an entirely different code base. A comment on /r/blackhat [0] led a colleague and me to look at Dropbear's sources, and it happens to have logic that is sufficiently similar [1] for the same PoC to work; tests against v2018.76 and a couple of earlier versions (e.g. v2013.58) are successful.
Shodan shows some 66k services identifying as SSH-2.0-dropbear [2], as opposed to some 15k identifying as SSH-2.0-OpenSSH [3].
How much of a difference does this really make? Most attacks which I’ve seen simply launched the attack immediately so if you have enterprise software using the vendor’s configuration you’re screwed anyway, and both options are quickly blocked by fail2ban after splatting off the public key-only setup of any security conscious server.
Perhaps but it’s a limited change from what’s already possible. Spending time on basic best practice stuff securing those accounts will pay a lot more dividends in more scenarios than adding a minor impediment to finding them.
Fwiw I mostly agree - reading /etc/passwd shouldn't be able to help compromise your system. But it's also an error for sshd or any daemon to allow the enumeration of your list of users. I mean when we get to read /etc/passwd via httpd we call it an exploit... (even if we don't get shadow too).
You can also use https://tinyssh.org instead of the sshd from OpenSSH. It only implements key based authentication and newer encryption algorithms. It's available on Ubuntu:
but it's not widely used, which makes using it risky. To my knowledge there hasn't been a formal audit. Also it doesn't implement the scp protocol, but you can use rscync over ssh
+1. But just to be sure: that does not prevent testing for usernames and hence enumerating software by testing for known/common service account usernames (e.g. "_tor" on OpenBSD and "debian-tor" on Debian-based OSs). (No claim was made to the contrary; just mentioning this to prevent anyone from thinking otherwise.)
openssh (1:4.1p1-1) experimental; urgency=low
[…]
* Disable ChallengeResponseAuthentication in new installations, returning
to PasswordAuthentication by default, since it now supports PAM and
apparently works better with a non-threaded sshd (closes: #247521).
[…]
-- Colin Watson <cjwatson@debian.org> Tue, 31 May 2005 01:33:33 +0100
Does anyone still use password authentication on servers that actually matter? I mean, I'm just a hobbyist, and I switched to keys several years ago. Basically, I just use root and user, because anything else unnecessarily adds information.
I had a server that used password authentication for the root user (on the standard port). After a few months of uptime it was hacked.
I suppose even minimal extra security would've helped (no root user, only allow x login attempts in y time, changing the port for ssh), but I was still surprised someone got in so soon by simply guessing a 20+ string of gibberish (I still wonder if maybe something else happened).
All that said, I've had servers running for years without any successful hack, and in all those cases using ssh keys instead of password logins probably made all the difference.
It was something else. Nothing or no one brute-forced a 20+ random string pass. More likely some service (Wordpress, phpbb etc) got owned. I’ve had multiple servers running for years with < 15 char non random root pass (stupid as it is to do so) with no problems.
I'd be inclined to think the same, if not for the fact that this server wasn't running anything particularly 'ownable' that I can think of.
The only alternative that I can think of is that one of the two other users' machines was compromised, but AFAIK I didn't give them root access. Plus, the logs show an extreme number of login attempts (tens of thousands of entries in auth.log) with an eventually successful root login.
Any other ideas of what might've been an alternative cause?
From the logs it sounds like maybe the password was in some lookup file or something. i.e. somehow that password was leaked and added to some list somehow.
it's maddening that I can't tell for sure, but I'll agree that I find it still somewhat hard to believe that a 20-character random root password was brute-forced.
EDIT: to be clear, I am pretty sure was the only person who used the root password to log in, and the single other user used a similarly long and random password with a different username. if I'd been compromised my problems would be quite a bit bigger. All I know is that right before the 'fatal' root login, there are 40.000+ lines of login attempts from ip's that originated from shady places (at least based on entering them in various GeoIP sites).
Yes. Large corporate networks often still have (some) production systems that allow password-based authentication. I don't know how widespread it still is, but I still encounter it frequently at clients (which may be a skewed sample).
Just to be sure: PasswordAuthentication does not need to be enabled for the PoC to work, and username testing can also be used for software enumeration by testing for common/default non-SSH users, .g. "_tor", "debian-tor", etc. (I apologize for repeating here what I also stated in other comments in this thread, but this aspect should not be overlooked.)
Can somebody please explain to me why exactly using good passwords and allowing root login is bad security? Every SSH security tutorial mentions those but they never mention the reasons.
If somebody hacked into my password manager and managed to steal the root user's password then they could do the same with my private key. Where is the difference?
Also, if somebody hacked into a non-root administrative account, they can just use sudo to elevate. What makes disabling root login more secure?
Mistakes: if it’s a server used by a small number of security conscious admins, it’s moot. If it’s used by a lot of people, however, the odds go up dramatically that someone will have a weak password, one which is on a common list, or reused on a site which you’re just about to learn was breached.
Keys can be leaked but since it involves copying files and users aren’t penalized for using strong ones it’s much less common.
1. A "good" key safe for the forseeable future would have around 256 effective security bits. To get a key that strong, your password would have to be (speaking VERY generously here) 40 characters long and truly random.
2. When using real password authentication, connecting to a compromised server results in a disclosure of your password. When using challenge-response authentication, it does not. Note that correctly-configured OpenSSH uses challenge-response even for password-based methods. Incorrectly configured SSH will send passwords over the wire.
With real password when you type your password into the ssh password prompt it then sends that password to the server.
Challenge response is a method in which you usually encrypt or hash random server provided data. You send the hash. The server knows your password and can hash the data with it too. The hashes are compared not the password. In this method the password never leaves your machine. Replay attacks are prevented due to the server sending different data for you to hash on different login attempts.
Note also that requiring a password for sudo might have some issues, as the password is sent over the ssh connection as you type. I'm not sure what the state of the art is wrt counting and guessing characters - or if mossh makes the problem worse - or helps. For the general idea, see:
Does anyone know of recent work on passively attacking interactive ssh in order to guess what's being typed? I could see machine learning helping here, given the ability to observe enough sessions to form a training set...
Just to add to @borealid's comment: a password that encodes 96+bits of entropy is effectively a shared symmetric key (OK, technically a secret).
Point being - it needs to be managed like a key: it's inconvenient to type, hard to remember, should be stored encrypted at rest, preferably in an hsm.
Gnupg agent/ssh agent and the various key agents for desktops all do this, and generally support hsm as well.
There's also a small difference in the complexity of enumerating the keyspace of rsa/ed2259 vs trying random passwords. With key stretching I'm not sure if there's implicit differences in rate of attempting login.
As for no direct root login via ssh - I think it depends a bit on the server. On a shared system login via regular user +sudo leaves an easier audit trail (who ran "sudo apt-get dist-upgrade" on Friday evening and took the weekend off without checking that production systems didn't crash... Was it "root" or "bob "?).
Then there's the nudge towards only doing what needs root as root (eg: curl/wget stuff as regular user, verify signatures, content - then run as root).
Is it more secure to locally dump and asymmetrically encrypt backups on disk as root - locally, and have a dedicated backup-user that gets the archives? Probably.
In general ssh keys (and certs more so) makes it feasible to split up access and authorization, revoke access etc without relying on something complex like ldap/kerberos for user management.
> Also, if somebody hacked into a non-root administrative account, they can just use sudo to elevate.
If they only have your ssh key, they'd typically need your password to elevate. Or you might require a shared root password - or set a password on wheel and require newgrp wheel before sudo. Not sure if the latter with disabled root account has much benefit, though.
One other nice thing about keys is that you can restrict them to a specific command. If you have users who are running well defined tasks that can be a great way to avoid handing out full accounts.
There are situations where using a password can be a little more convenient, for instance if you like to connect to the machine from random computers and you don't want to/can't carry your private key with you all the time. Obviously it's not the best security-wise, using a hardware token containing the key or even OTPs are probably a better solution.
Some servers I manage accept either password with two-factor code, or keys. Helpful when logging in from a new machine without having to carry authorized keys around somehow.
For non trivial environments with audit requirements this is not an option.
Running all software under the same uid is also usually best avoided, you'll always have data at rest somewhere (which needs to be backed up, access controlled, and so on).
Well, it would but the exposed containers don't have any non-default users.
Plus, this is LXC, not Docker. There is no data volumes or backups attached. Backups are shipped to an append only server via SSH tunnel with low privileges, which also doesn't have nonstandard users setup.
Subject: Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
A disappointing number of servers happily give away this information in their http response headers. For those that don't, `nmap -O` will sometimes do the trick.
