
Re: [suse-security] SSH password attacks



On Monday 20 September 2004 17:40, suse@xxxxxx wrote:
> Does anyone running a unix server really use "guest", "test", "user", or
> "admin" as real accounts?  Judging by the volume of attempts I'm getting,
> there has to be something causing this.  Was a borked version of ssh server
> released for windows, or something?  Or is this trying to connect to zombie
> machines?  From what I understand, ssh server isn't common on windows, and
> those accounts certainly aren't common to unix...  Anyone know what's going
> on here?

AFAIK, when someone attempts to log in with an existing user name and 
incorrect password, the timing on the denied/rejected response is a great 
deal longer than the timing on a denied/rejected response for a non-existent
user.

Plugging your machine with first root, then a few accounts that in a typical 
unix environment will not exist, will give a potential hacker a bit of info
for their dictionary attack.

Running the sequence of unknown user/unknown password is a huge resource
requirement, so all they do now is just run a dictionary on user names, 
measure the response and make an educated guess from the responses what 
usernames probably do exist.

Then they can start with passwords.

B

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here