Keyboard Interactive Attack?

Ron Frederick ronf at timeheart.net
Thu Jul 23 12:33:07 AEST 2015


On Jul 22, 2015, at 4:54 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> Thanks for clarification.
> 
> One question though:
> As far as I have tested openssh, it logs every unsuccessful
> authentication attempt on the very moment it becomes unsuccessful, not
> after the connection is closed (after timeout or when reaching max
> auth attempts). Is this true even for this attack, or not?
> 
> Because if it is true, if there is an IDS system that bans an IP after X
> failed logins, there should not be any problem. But if logging is
> deferred for any reason, then the IDS cannot detect the attack in a timely
> manner.

I would expect the attempts to each be logged immediately in most cases, so it’s true that something scanning the logs should be able to add new IDS rules without waiting for the connection to close. I’m not all that familiar with the scripts that do that, though. It’s possible in some cases that established connections might not be subject to the new rules, even if they are added quickly. It’s quite common to have an “early” rule in the list that allows established connections to speed up the processing, for instance. If that’s the case, additional password attempts on that already open connection could still be let through.

In the example presented, this could allow 30,000 password attempts before the connection is closed unless some other timeout kicked in before that. As Damien said, anything in PAM itself which adds failure delays would still apply, though, as would any kind of account lockout on too many bad attempts.
-- 
Ron Frederick
ronf at timeheart.net
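The distinction Ron draws above (an IDS that counts failures per source IP and inserts a firewall rule, versus a single already-established connection that keeps getting attempts through an early ESTABLISHED accept rule) can be made concrete by looking at what sshd actually logs. The script below is an added example, not code from this thread or from OpenSSH or any particular IDS. It parses constructed sshd auth-log lines, counts failures per IP (what a log-scanning banner keys on) and per TCP connection (ip, port), and for any connection that has absorbed more failures than a normal MaxAuthTries would allow, records the sshd child pid so the responder can terminate that session instead of relying on a firewall rule that may be evaluated after the ESTABLISHED accept. The sample log lines, the thresholds, and the `ban_commands` helper are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Per-IP versus per-connection failure counting over sshd log lines.

Added example for the openssh-unix-dev discussion above; not code from the
thread or from OpenSSH.  The sample log is constructed.
"""
import re
from collections import Counter

# Constructed sample log (not from the original message).  OpenSSH writes one
# "Failed <method> for <user> from <ip> port <port>" line per failed attempt,
# at the moment it fails; the port (and the sshd[pid]) identify the connection.
SAMPLE_LOG = (
    "Jul 23 12:30:01 bastion sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2\n"
    "Jul 23 12:30:03 bastion sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2\n"
    "Jul 23 12:30:04 bastion sshd[2103]: Failed password for root from 192.0.2.10 port 51250 ssh2\n"
    "Jul 23 12:30:05 bastion sshd[2105]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2\n"
    # Ten keyboard-interactive failures on ONE connection from 198.51.100.7:
    # the "many attempts per session" pattern the thread is about.
    + "".join(
        f"Jul 23 12:31:{i:02d} bastion sshd[2110]: Failed keyboard-interactive/pam "
        f"for root from 198.51.100.7 port 40001 ssh2\n"
        for i in range(10)
    )
)

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Return one dict per 'Failed ...' line: pid, method, user, ip, port."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def failures_per_ip(events):
    """What a log-scanning banner (fail2ban-style) keys on."""
    return Counter(e["ip"] for e in events)


def failures_per_connection(events):
    """(ip, port) identifies one TCP connection, hence one sshd session."""
    return Counter((e["ip"], e["port"]) for e in events)


def plan_bans(events, ban_after=3, max_auth_tries=6):
    """For each IP at/over ban_after failures, return its total and the
    (pid, port) of any session that has exceeded max_auth_tries failures.
    Such a session is already established; a firewall rule appended after an
    early 'ESTABLISHED -j ACCEPT' rule will not stop it, so it must be killed.
    Thresholds are assumed values for the example."""
    per_ip = failures_per_ip(events)
    per_conn = failures_per_connection(events)
    pid_of = {(e["ip"], e["port"]): e["pid"] for e in events}
    plan = {}
    for ip, n in per_ip.items():
        if n < ban_after:
            continue
        sessions = sorted(
            (pid_of[(cip, port)], port)
            for (cip, port), c in per_conn.items()
            if cip == ip and c > max_auth_tries
        )
        plan[ip] = {"failures": n, "sessions_to_kill": sessions}
    return plan


def ban_commands(plan, ssh_port=22):
    """Hypothetical response actions as shell strings (not executed here).
    '-I INPUT 1' places the DROP ahead of any early ESTABLISHED accept rule;
    killing the sshd child ends the session that is still mid-authentication."""
    cmds = []
    for ip, info in plan.items():
        cmds.append(f"iptables -I INPUT 1 -s {ip} -p tcp --dport {ssh_port} -j DROP")
        for pid, _port in info["sessions_to_kill"]:
            cmds.append(f"kill {pid}")
    return cmds


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("per IP:        ", dict(failures_per_ip(evs)))
    print("per connection:", dict(failures_per_connection(evs)))
    for cmd in ban_commands(plan_bans(evs)):
        print(cmd)
```

The per-IP counter alone would ban 198.51.100.7 after its third failure, yet all ten failures arrive on port 40001 from the same sshd child; if the ban rule lands below an ESTABLISHED accept, that session continues exactly as Ron describes. Grouping by (ip, port) exposes it, and the pid from the same log line is the cheapest thing to act on.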
