Re: SSH brute force blocking tool

[gabriel rosenkoetter <gr () eclipsed net>]

On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
> Uh... actually, no. The provided exploit Will work, and you're the
> idiot.

Begging your pardon, you are saved by single-quoting your awk(1)
statement:

> > awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> 
> > /tmp/hosts.deny
[...]
> What will be in column 13 when Tavis does this:
>
> > Tavis Ormandy wrote:
> > > ssh 'foo bar `/sbin/halt`'@victim
[...]
> Why, the shelled-out output of `/sbin/halt`!

Nope, I'm wrong, just the literal string "`/sbin/halt`", which you
never exec.

Mea culpa. Tavis's exploit doesn't so scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> Look at the script. Although YOU'RE opening /var/log/authlog what is the 
> script opening. Please tell me you're really not that stupid.

Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.

But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?

-- 
gabriel rosenkoetter
gr () eclipsed net

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/