COMMAND

    sshd

SYSTEMS AFFECTED

    SSHd up to 2.0.11

PROBLEM

    Zhodiac found the following.  In the default installation of sshd2
    (up to 2.0.11) there is an open way to brute-force a login/password
    without any kind of IP logging by sshd.  When an ssh client
    connects to the daemon, it has a number (default is three) of
    attempts to guess the correct password before being disconnected.
    If we shut down the connection before using up the number of
    attempts, the daemon will log neither the connection, the password
    guesses, nor the IP of the client.  One crystal-clear example:

        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password:

        Disconnected; authentication error.
        [zhodiac@piscis zhodiac]$

    In /var/log/messages:

        May  9 12:42:53 piscis sshd2[1391]: User authentication failed:
        'Authentication method disabled. (user 'zhodiac', client address
        '192.168.1.1:1344', requested service 'ssh-connection')'

    Now we try the bug:

        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$

    Those "FATAL: Received signal 2." messages are the response to
    interrupting the program with a ^C.  Let's see what syslog did:

        May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected:
        Connection closed.
        May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected:
        Connection closed.
        May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected:
        Connection closed.

    No IP and no password guess attempts in the logs!

SOLUTION

    Edit the file sshd2_config (usually in /etc/ssh2) and set the value
    of "PasswordGuesses" to 1.  With this setting, each time a password
    is tried it will be logged in the following way:

        May  9 12:46:07 piscis sshd[1308]: User authentication failed:
        'Authentication method disabled. (user 'zhodiac', client address
        '192.168.1.1:1527', requested service 'ssh-connection')'

    It is also recommended to set the value of "ListenAddress" so we
    will have more control over which IPs can use our ssh service.  A
    better solution is to upgrade to version 2.0.12 or newer, which
    logs each connection via syslog in the following way:

        May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
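
    An added example, not part of the original advisory: a log check
    that finds sshd2 processes which logged a disconnect but never a
    client address, and flags a burst of them.  It assumes one syslog
    record per line (the advisory wraps them); the function names, the
    threshold and window, and the disconnect line for pid 7184 are
    constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: message formats as quoted in the advisory, one record per line.
SAMPLE_LOG = """\
May  9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'
May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
May  9 15:23:40 piscis sshd2[7184]: Remote host disconnected: Connection closed.
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd2?\[(\d+)\]:\s(.*)$")
# Either message form that ties a process to a client address.
ADDR = re.compile(r"client address '([^':]+)|connection from \"([^\"]+)\"")
DISCONNECT = "Remote host disconnected"

def unattributed_sessions(log_text):
    """Return [(time, pid)] for processes that disconnected without ever logging an address."""
    seen_addr, disconnects = set(), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if ADDR.search(msg):
            seen_addr.add(pid)
        elif msg.startswith(DISCONNECT):
            # Syslog timestamps carry no year; a fixed placeholder year is used.
            disconnects[pid] = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
    # Keyed by pid only, so analyse short log slices where pids are not reused.
    return sorted((t, pid) for pid, t in disconnects.items() if pid not in seen_addr)

def burst(events, threshold=3, window=timedelta(seconds=60)):
    """Return pids of the first run of `threshold` unattributed disconnects within `window`."""
    for i in range(len(events) - threshold + 1):
        run = events[i:i + threshold]
        if run[-1][0] - run[0][0] <= window:
            return [pid for _, pid in run]
    return []

if __name__ == "__main__":
    events = unattributed_sessions(SAMPLE_LOG)
    print("unattributed:", [pid for _, pid in events])
    print("burst:", burst(events))
```

    On a 2.0.11 host every interrupted session lands in the
    unattributed set; after the upgrade to 2.0.12 or newer, or with
    "PasswordGuesses" set to 1, the set should stay empty.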