Full Disclosure mailing list archives

Re: SSH brute force blocking tool


From: Tavis Ormandy <taviso () gentoo org>
Date: Mon, 27 Nov 2006 21:38:37 +0000

On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> Tavis Ormandy wrote:
> 
> > I'm not sure what you mean by modification, I simply substituted the name
> > for the logfile I use.
> > 
> > Thanks, Tavis.
> 
> So for the third time now. Explain to me how I am backdooring someone's
> system.

J, please calm down. You have made a programming error in your script
that attempts to eliminate the minor `log noise` from incorrect ssh
logins with a script that can be subverted to execute arbitrary shell
commands.

> [root@localhost include]# uname -a
> Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686
> i686 i386 GNU/Linux
> [root@localhost include]# awk '/error retrieving/{getline;print $13}'
> /var/log/secure|sort -ru
> 222.171.20.252
> 211.137.74.58
> 
> My logs parse out addresses not named and there is no redirection going
> on.

Yes, but you assume a fixed format of the log entries. This is not the
case. The string "error retrieving" is easily placed in the log by
setting it as your username and attempting to login. You also assume
that the multiple log entries generated by a failed login are logged
atomically (i.e., no other log entries will appear between these two
entries), this is also not the case.

> If you want to say "Hey... It should be written as such" then gladly
> do so. But posting "hey you're backdooring the planet" like a jackass is
> moronic.

J, you asked people to install your "security tool" which contacts you
with enough information to find out who installed it and where, and
contains several rather obvious security flaws. If I mistook stupidity
for malice, I apologise.

> Line by line on my machines it does what it needs to do and it
> does so just fine.

This is because your logs don't contain any entries specially crafted by
an attacker to subvert your machine. I'm sure some members of the list
are already attempting this on your web server, so you can check your
logs for examples.

> Did you see any notes of Gentoo on the comments? I
> didn't because I don't use it, never have, don't care to. So if it does
> something different on Gentoo, let's use the brain for a moment... "Gee
> this works horrible on Gentoo. The author is a shitty writer... I think
> I should let him know" as opposed to "Oh my gawd he's backdooring you".

It's a standard format J, my log entries look identical to yours. It has
nothing to do with Gentoo.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
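The two objections raised in the reply above (the trigger string "error retrieving" can be put in the log by choosing it as the username, and the two sshd lines for one failed login need not be adjacent) as an added example; this is not code from the thread or from J. Oquendo's tool. It re-implements the awk one-liner in Python over a constructed /var/log/secure excerpt to show what it actually extracts, and beside it a parser that matches each "Failed password" line on its own and accepts only a valid IPv4 literal; the hostname, PIDs and addresses in the sample are made up.

```python
import ipaddress
import re

# Constructed /var/log/secure excerpt (not from the thread). Entries 4-6 show a
# login attempt whose username is the literal phrase "error retrieving", with an
# unrelated su(1) entry landing between sshd's two lines for that attempt.
SAMPLE_SECURE_LOG = """\
Nov 27 21:00:01 int-mrkt sshd[4401]: Invalid user admin from 203.0.113.7
Nov 27 21:00:01 int-mrkt sshd[4401]: error retrieving information about user admin
Nov 27 21:00:02 int-mrkt sshd[4401]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 27 21:00:05 int-mrkt sshd[4410]: Invalid user error retrieving from 198.51.100.9
Nov 27 21:00:05 int-mrkt su: pam_unix(su:session): session opened for user root by jo(uid=500)
Nov 27 21:00:06 int-mrkt sshd[4410]: Failed password for invalid user error retrieving from 198.51.100.9 port 40001 ssh2
"""

def naive_extract(log_text):
    """Mimics awk '/error retrieving/{getline;print $13}': assumes the line after
    any 'error retrieving' line is sshd's 'Failed password' line and that its
    13th whitespace-separated field is the source address."""
    lines, out, i = log_text.splitlines(), [], 0
    while i < len(lines):
        if "error retrieving" in lines[i]:
            # awk's getline at end of input leaves $0 as the matched line itself
            nxt = lines[i + 1] if i + 1 < len(lines) else lines[i]
            fields = nxt.split()
            out.append(fields[12] if len(fields) >= 13 else "")
            i += 2
        else:
            i += 1
    return out

# Anchored pattern: sshd prints the peer address after the *last* " from " on
# the line, so a username containing "from 1.2.3.4 port 22 ssh2" cannot displace
# it; the username is matched lazily and discarded.
FAILED_RE = re.compile(
    r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.+? from (?P<ip>\S+) port \d+ ssh2$"
)

def is_ipv4(token):
    """Only a syntactically valid IPv4 literal may be handed to a firewall command."""
    try:
        return isinstance(ipaddress.ip_address(token), ipaddress.IPv4Address)
    except ValueError:
        return False

def strict_extract(log_text):
    """Parse each 'Failed password' line on its own and validate the address."""
    return [m.group("ip") for m in map(FAILED_RE.match, log_text.splitlines())
            if m and is_ipv4(m.group("ip"))]
```

On the sample, the awk emulation yields "203.0.113.7", then "jo(uid=500)" from the interleaved su entry, then "from" from the field shift caused by the two-word username; the strict parser yields only the two real peer addresses.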
