Roger Bumgarner once wrote:
I just tested this behavior on my Lenny/Sid workstation and Etch
server... frightening indeed! Lenny does spit out an error whereas
Etch still gives a password prompt.
Well, it is not that bad as it is usually only exploitable locally. But
still certainly not
I just tested this behavior on my Lenny/Sid workstation and Etch
server... frightening indeed! Lenny does spit out an error whereas
Etch still gives a password prompt.
however, since this happens at the login shell, I'd be more concerned
about a user booting a liveCD. I assume SSH still behaves co
On Sat 13 September 2008 04:47, s. keeling wrote:
[...]
>> Try to login on any Lenny box console with an invalid account.
>> You will get "Incorrect login" without being prompted for a
>> password at all.
> What? And you get a shell prompt?!?
>
Even if you do not have a shell, you do have
he solution was as Cerbelle said. Login as a normal user and do
> > >>> sudo ( or you can activate root login from the login menu; but i
> > >>> personally consider it really dangerous!)
> > >>
> > >> I am wondering why this is dangerous?
> >
Vincent Deffontaines <[EMAIL PROTECTED]>:
> Marek Kubica wrote:
> > On Thu, 4 Sep 2008 13:25:13 +0100
> > Paweł Krzywicki <[EMAIL PROTECTED]> wrote:
> >
> >>> the solution was as Cerbelle said. Login as a normal user and do
> >>> sudo
Marek Kubica wrote:
On Thu, 4 Sep 2008 13:25:13 +0100
Paweł Krzywicki <[EMAIL PROTECTED]> wrote:
the solution was as Cerbelle said. Login as a normal user and do
sudo ( or you can activate root login from the login menu; but i
personally consider it really dangerous!)
I am wonderi
On Thu 4 September 2008 16:24, Maximilian Wilhelm wrote:
> sudo sh
> rm /etc/passwd
> kill -9 $$
cat >> /root/.bashrc << EOF
shopt -s histappend
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
EOF
;-)
> # grep Root /etc/ssh/sshd_config
> PermitRootLogin without-password
:''-(
Fanfan
--
lle said. Login as a normal user and do sudo (
> >> or you can activate root login from the login menu; but i personally
> >> consider it really dangerous!)
> > I am wondering why this is dangerous?
> > If your password is seen as "strong" "FaG34#fCFD12dr
lution was as Cerbelle said. Login as a normal user and do sudo (
>>> or you can activate root login from the login menu; but i personally
>>> consider it really dangerous!)
>> I am wondering why this is dangerous?
>> If your password is seen as "strong" "FaG3
On Thu 4 September 2008 14:25, Paweł Krzywicki wrote:
> On Thursday, 4 September 2008, [EMAIL PROTECTED] wrote:
>> i too noticed a similar thing when i installed on my new laptop etch.
>> the solution was as Cerbelle said. Login as a normal user and do sudo (
>> or you ca
On Thu, 4 Sep 2008 13:25:13 +0100
Paweł Krzywicki <[EMAIL PROTECTED]> wrote:
> > the solution was as Cerbelle said. Login as a normal user and do
> > sudo ( or you can activate root login from the login menu; but i
> > personally consider it really dangerous!)
>
Paweł Krzywicki wrote:
> On Thursday, 4 September 2008, [EMAIL PROTECTED] wrote:
>> i too noticed a similar thing when i installed on my new laptop etch.
>>
>> the solution was as Cerbelle said. Login as a normal user and do sudo (
>> or you can activate root login
On Thursday, 4 September 2008, [EMAIL PROTECTED] wrote:
> i too noticed a similar thing when i installed on my new laptop etch.
>
> the solution was as Cerbelle said. Login as a normal user and do sudo (
> or you can activate root login from the login menu; but i personally
> con
i too noticed a similar thing when i installed on my new laptop etch.
the solution was as Cerbelle said. Login as a normal user and do sudo (
or you can activate root login from the login menu; but i personally
consider it really dangerous!)
Kishore Chalakkal
On Fri, Jun 17, 2005 at 10:47:49PM +0200, Marcin Owsiany wrote:
> On Fri, Jun 17, 2005 at 07:33:02PM +0100, David Ramsden wrote:
> > Does anyone know what generated the above log entries?
>
> try:
>
> find /usr/sbin /sbin /usr/local/sbin \
> /usr/bin /usr/local/bin /bin /usr/lib /lib -type f
On Fri, Jun 17, 2005 at 07:33:02PM +0100, David Ramsden wrote:
> Does anyone know what generated the above log entries?
try:
find /usr/sbin /sbin /usr/local/sbin \
/usr/bin /usr/local/bin /bin /usr/lib /lib -type f | \
while read f; do
if strings $f | egrep -q 'no ip\?!'; then
echo "it's
Hi,
Logcheck has just given me three of the following:
Jun 17 17:17:15 hexstream [877]: root login denied [username: (0), IP/port: no ip?!]
Each one with a different PID. They appear in my /var/log/auth.log
I've never seen this type of message before but I've recently upgraded to t
PROTECTED]
Cc: Noah Meyerhans
Subject: Re: [sec] Re: failed root login attempts
* Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> On Tue, 28 Sep 2004 at 09:18:51PM -0400, Noah Meyerhans wrote:
> > That doesn't seem to be the case. The most common one uses
> > root/test/
all disconnect by sending the string "Bye Bye", e.g.:
> > sshd[13613]: Received disconnect from 64.246.26.19: 11: Bye Bye
> >
> > I've seen many more aggressive root login attempts, as well as 'admin'
> > and a number of other users.
> >
> >
> sshd[13613]: Received disconnect from 64.246.26.19: 11: Bye Bye
>
> I've seen many more aggressive root login attempts, as well as 'admin'
> and a number of other users.
>
> The somewhat unsettling thing that I'm wondering about is whether these
> machines are a
ost common one uses
root/test/guest, but there are more that seem to be based on the same
code. They all disconnect by sending the string "Bye Bye", e.g.:
sshd[13613]: Received disconnect from 64.246.26.19: 11: Bye Bye
I've seen many more aggressive root login attempts, as well as
On Tue, Sep 21, 2004 at 01:45:46PM +0100, Steve Kemp wrote:
> On Sun, 19 Sep 2004, martin f krafft wrote:
>
> > > If you ask me, logcheck should learn how to evaluate log messages in
> > > their context...
>
> If you want to have instant alerts of problems then logcheck is
> what you want.
On Sun, 19 Sep 2004, martin f krafft wrote:
> > If you ask me, logcheck should learn how to evaluate log messages in
> > their context...
If you want to have instant alerts of problems then logcheck is
what you want. If you want to ignore some things and still receive timely
alerts then you're
> this point, though, just to shut up logcheck without telling it to
> > ignore all failed root login attempts.
>
> If you ask me, logcheck should learn how to evaluate log messages in
> their context...
hmm there are ideas for logcheck after sarge+1, please elaborate.
ATM logcheck
David Thurman wrote:
| On 9/19/04 1:30 PM, "martin f krafft" wrote:
|
|
|>Other than blacklisting the IPs (which is a race I am going to
|>lose), what are people doing? Are there any distinctive marks in the
|>SSH login attempt that one could filter on?
f scanning and have it automatically manipulate access lists on
> the routers, I'm not sure I really like the idea. I'm sort of leaning
> in that direction, at this point, though, just to shut up logcheck
> without telling it to ignore all failed root login attempts.
This
On 9/19/04 1:30 PM, "martin f krafft" wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose), what are people doing? Are there any distinctive marks in the
> SSH login attempt that one could filter on?
We are using our hosts.deny files to stop all ssh attempts from ALL IP
thus spoke Arthur de Jong <[EMAIL PROTECTED]> [2004.09.20.1201 +0200]:
> sshd[21195]: debug1: no match: libssh-0.1
I wonder whether sshd could be somehow made to just ignore when the
banner does not match.
> I'm not particularly worried since I have PermitRootLogin
> without-password in /etc/ssh
On Sun, 19 Sep 2004, martin f krafft wrote:
> Are there any distinctive marks in the SSH login attempt that one could
> filter on?
The volume in attempts isn't as high here as on your system but this is
what I got when I set loglevel to debug:
sshd[
On Sun, Sep 19, 2004 at 04:16:39PM -0400, Noah Meyerhans wrote:
interfere with any random login based password guessing. Especially
since, from what I hear about this scanner that's responsible for all
these login attempts, it's trying mind-numbingly simple passwords, like
root/root, guest/guest,
martin f krafft <[EMAIL PROTECTED]> writes:
> Are there any distinctive marks in the SSH login attempt that one
> could filter on?
Yes, the SSH banner: my honeyd logs show that of all such attempts, 63%
use the banner 'SSH-2.0-windrone2', 35% use the banner
'SSH-2.0-libssh-0.1'.
> scripts to react to this kind of scanning and have it
> automatically manipulate access lists on the routers, I'm not sure
> I really like the idea. I'm sort of leaning in that direction, at
> this point, though, just to shut up logcheck without telling it to
> ignore all fa
lly manipulate access lists on
the routers, I'm not sure I really like the idea. I'm sort of leaning
in that direction, at this point, though, just to shut up logcheck
without telling it to ignore all failed root login attempts.
noah
On Sun, Sep 19, 2004 at 09:53:23PM +0200, Bernd Eckenfels wrote:
> You can either move your ssh to another port, that will greatly reduce the
> distributed brute force attacks, or you can put a filter with port knocking
> in front of it. Another option is to turn off password authentication,
> comp
thus spoke Bernd Eckenfels <[EMAIL PROTECTED]> [2004.09.19.2153 +0200]:
> You can either move your ssh to another port, that will greatly
> reduce the distributed brute force attacks, or you can put
> a filter with port knocking in front of it. Another option is to
> turn off password authenticati
In article <[EMAIL PROTECTED]> you wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose), what are people doing? Are there any distinctive marks in the
> SSH login attempt that one could filter on?
You can either move your ssh to another port, that will greatly reduce the
thus spoke Dossy Shiobara <[EMAIL PROTECTED]> [2004.09.19.2203 +0200]:
> > If I notice the scan immediately, I will occasionally blackhole
> > the source IP at our network border, but it's rare that I notice
> > in time.
>
> That's why I suggested writing something that tails the syslog
> and de
On 2004.09.19, Noah Meyerhans <[EMAIL PROTECTED]> wrote:
> If I notice the scan immediately, I will occasionally blackhole the
> source IP at our network border, but it's rare that I notice in time.
That's why I suggested writing something that tails the syslog and
detects the scan immediately ..
On Sun, Sep 19, 2004 at 02:42:08PM -0400, Dossy Shiobara wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
>
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, but I'm very close to writing
> a scr
On Sun, 19 Sep 2004, Dossy Shiobara wrote:
> On 2004.09.19, martin f krafft <[EMAIL PROTECTED]> wrote:
> > Other than blacklisting the IPs (which is a race I am going to
> > lose),
> Why do you say that? I haven't seen this more than a few times a week
> so I haven't bothered to do anything yet, b
On 2004.09.19, martin f krafft <[EMAIL PROTECTED]> wrote:
> Other than blacklisting the IPs (which is a race I am going to
> lose),
Why do you say that? I haven't seen this more than a few times a week
so I haven't bothered to do anything yet, but I'm very close to writing
a script that tails th
I am seeing millions (literally) of these in the logs of my
machines:
sshd[30216]: Failed password for root from 203.71.62.9 port 35778 ssh2
I understand that this is some kind of virus, but it's not making me
very happy because logcheck and some of our IDS systems are
going haywire, creati
* Ennio-Sr <[EMAIL PROTECTED]> [Thu, 23 Oct 2003 at 23:00 GMT]:
> Hi, everybody on the NG.
> I limited root login to two ttys only (in /etc/securetty) but yesterday
> I discovered I could 'su -' to root in the excluded ttys. Do you think
> [...]
Many thanks to a
On Fri, 24 Oct 2003 10:50, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I discovered I could 'su -' to root in the excluded ttys. Do you think
> > this is normal behaviour or does my system need re-configuration ?
>
> This is the intended normal behaviour. Idea behind it
In article <[EMAIL PROTECTED]> you wrote:
> I discovered I could 'su -' to root in the excluded ttys. Do you think
> this is normal behaviour or does my system need re-configuration ?
This is the intended normal behaviour. Idea behind it is to avoid random
admins logging into the system as root s
On Thu, Oct 23, 2003 at 10:13:16PM +, Ennio-Sr wrote:
> I limited root login to two ttys only (in /etc/securetty) but yesterday
> I discovered I could 'su -' to root in the excluded ttys. Do you think
> this is normal behaviour
Yes.
| [EMAIL PROTECTED]:/etc/pam.d# grep
Hi, everybody on the NG.
This is my first post here and I hope it won't be the last one too :-)
[Using Debian/Woody-3.0 on knl 2.2.22 on a home PC.]
I limited root login to two ttys only (in /etc/securetty) but yesterday
I discovered I could 'su -' to root in the excluded ttys
52 matches