Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Question About Sys/Sec Logs
  • From: "Carlos E. R." <robin1.listas@xxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 13:33:54 +0100 (CET)
  • Message-id: <Pine.LNX.4.58.0503151324420.7450@xxxxxxxxxxxxxxxx>

On Monday 2005-03-14 at 14:33 -0500, Don Parris wrote:

> In my syslog (via Yast) I found the following entries:
>
> (020405B401010402)
> Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
> Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
> Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT

It is a known attempt to log in to your machine, probably automated,
trying to learn first whether certain common user names exist on your
machine: test, guest, admin, user, etc. Then, if they think that such a
user name exists, they will try to guess the password. Your system
rejected those attempts.

It seems they learn of the existence of those users because the sshd
daemon answers with different delays depending on whether the user name
exists.

This was solved by a patch, reported in suse-security-announce on
18 Feb 2005:

- openssh information leak

Openssh as shipped with SUSE Linux allows a possible timing
attack that could be abused remotely to determine existing users
on the system by watching replies to failed password attempts.

This is tracked by the Mitre CVE ID CAN-2003-0190.

Additionally the output of failing PAM sessions will now be
displayed and the terminal-setting for aborted login-sessions
will get restored correctly.

This bugfix was released for SUSE Linux 9.1, 9.2 and SUSE Linux
Enterprise Server 9.

--
Cheers,
Carlos Robinson
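
A log-correlation sketch for the entries discussed in this thread, added here as an example and not part of the original mail: it pairs SuSEfirewall2 `SFW2-*` kernel lines (SYN to port 22) with sshd "Invalid user" lines per source address and lists sources that tried several nonexistent accounts. The sample lines are constructed in the quoted format with documentation addresses, and the function names and the threshold of three user names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post; addresses are
# documentation ranges, not the ones from the original log.
SAMPLE_LOG = """\
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:203.0.113.7
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 08:04:47 luke sshd[26290]: Invalid user guest from ::ffff:203.0.113.7
Mar 14 08:04:50 luke sshd[26295]: Invalid user admin from ::ffff:203.0.113.7
Mar 14 09:10:01 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1201 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 14 09:10:03 luke sshd[26400]: Invalid user alice from ::ffff:198.51.100.23
"""

KERNEL_RE = re.compile(r"kernel: SFW2-\S+ (.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")
# The user name is attacker-supplied and may contain spaces, so match it
# greedily and anchor the address at the end of the line.
SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)(?: port \d+)?$")

def normalize(addr):
    """Map sshd's IPv4-mapped form (::ffff:a.b.c.d) to the firewall's a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)

def collect(log_text):
    """Per source address: SYNs logged to port 22 and invalid user names tried."""
    stats = defaultdict(lambda: {"ssh_syns": 0, "invalid_users": set()})
    for line in log_text.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            fields = dict(KV_RE.findall(m.group(1)))
            is_syn = "SYN" in m.group(1).split()
            if "SRC" in fields and fields.get("DPT") == "22" and is_syn:
                stats[normalize(fields["SRC"])]["ssh_syns"] += 1
            continue
        m = SSHD_RE.search(line)
        if m:
            stats[normalize(m.group(2))]["invalid_users"].add(m.group(1))
    return dict(stats)

def suspects(log_text, min_users=3):
    """Sources that tried at least min_users distinct nonexistent accounts."""
    return sorted(src for src, s in collect(log_text).items()
                  if len(s["invalid_users"]) >= min_users)

if __name__ == "__main__":
    for src in suspects(SAMPLE_LOG):
        print(src, collect(SAMPLE_LOG)[src])
```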

