openssh bugs - Dec 2014 - [Bug 2327] New: sshd to log one unique string or prefix after connection failure, no matter why.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

            Bug ID: 2327
           Summary: sshd to log one unique string or prefix after
                    connection failure, no matter why.
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: octavsly at gmail.com

To allow fail2ban to correctly ban some sshd attacks, more information
would be needed to be logged:

More is discussed at: https://github.com/fail2ban/fail2ban/issues/864


==Quote====It make more sense, if at last sshd would log one unique string or
prefix after connection failure, no matter why.
Something like:

Nov 25 01:33:13 srv sshd[...]: Failure from <HOST>: <here can be a
reason why ...>

Or if sshd gets a system callback (like call_if_fails) with address of
failed connection. Then we can self produce a failure for fail2ban.
===================
-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

Karl Schmidt <karl at xtronics.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |karl at xtronics.com

--- Comment #1 from Karl Schmidt <karl at xtronics.com> ---
This poorly titled bug has been around a long time.  The key is the IP
address is missing. 

This bug is alive at Cisco
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv42794

It is also listed as a bug in Debian 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726579


Having the IP address on the same line - with info log level is
obviously needed for identifying attackers..
>From /var/log/auth.log
Jul 28 08:37:27 hostname sshd[12053]: fatal: no matching cipher found:
client 
aes128-cbc,blowfish-cbc,3des-cbc server
aes256-ctr,aes192-ctr,aes128-ctr [preauth]

Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a key
exchange method [preauth]

I think more examples of the missing IP address exist.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Karl Schmidt from comment #1)
[...]
> Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a
> key exchange method [preauth]
These ones have been fixed for a while:

$ ssh -p 2022 -o kexalgorithms=diffie-hellman-group1-sha1 localhost

ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching key
exchange method found [preauth]

$ ssh -p 2022 -o ciphers=3des-cbc localhost

ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching cipher
found [preauth]

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

--- Comment #3 from Karl Schmidt <karl at xtronics.com> ---
I'm running 6.7p1  - at which version fixed this?  (No backport for
Debian stable )

If fixed, we should close these bugs..

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
It varies depending on exactly which bit you are looking at.

Remote IP addresses: bug#2257 since at least 6.9:
https://anongit.mindrot.org/openssh.git/commit/?id=639d6bc5

Remote port numbers: bug#2503, first in 7.2
https://anongit.mindrot.org/openssh.git/commit/?id=a4b9e0f4

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2327

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.