Hi,

I've been seeing quite a bit of ssh bruteforce attacks which appear to be
dictionary-based. That's fine; I have proper measures in place, such as
key-only access, bruteforce tables for PF, and so on; though some of the
attacks are delaying login attempts, bypassing the bruteforce rules, but that
isn't the reason for this post.

What caught my interest is if I attempt to log in from a machine where I do
not have my key or an incorrect key, I see nothing logged in auth.log about a
failed login attempt. If I attempt with an invalid username, as expected, I
see 'Invalid user ${USER} from ${IP}.'

I'm more concerned with ssh login failures with valid user names. Looking at
crypto/openssh/auth.c, allowed_user() returns true if the user is not in
DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
empty), and has an executable shell. I'm no C hacker, but superficially it
looks like it can never meet a condition where the user is valid but the key
is invalid to trigger a log entry.

Is this a bug in openssh, or have I overlooked something in my configuration?

Regards,

-- 
Glen Barber
On 7/8/10 10:24 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
>> dictionary-based. That's fine; I have proper measures in place, such as
>> key-only access, bruteforce tables for PF, and so on; though some of the
>> attacks are delaying login attempts, bypassing the bruteforce rules, but that
>> isn't the reason for this post.
>>
>> What caught my interest is if I attempt to log in from a machine where I do
>> not have my key or an incorrect key, I see nothing logged in auth.log about a
>> failed login attempt. If I attempt with an invalid username, as expected, I
>> see 'Invalid user ${USER} from ${IP}.'
>>
>> I'm more concerned with ssh login failures with valid user names. Looking at
>> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
>> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
>> empty), and has an executable shell. I'm no C hacker, but superficially it
>> looks like it can never meet a condition where the user is valid but the key
>> is invalid to trigger a log entry.
>>
>> Is this a bug in openssh, or have I overlooked something in my configuration?
>
> With LogLevel VERBOSE, you should get entries like
> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>
> Is that what you're after?
>

Sort of, but do I really need to set verbose logging to find that valid users
are used in SSH attacks? root is an obvious target, which in my scenario is
not allowed. I'm concerned about more specific, allowed users.

Regards,

-- 
Glen Barber
On Thu, 8 Jul 2010, Glen Barber wrote:
> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
> dictionary-based. That's fine; I have proper measures in place, such as
> key-only access, bruteforce tables for PF, and so on; though some of the
> attacks are delaying login attempts, bypassing the bruteforce rules, but that
> isn't the reason for this post.
>
> What caught my interest is if I attempt to log in from a machine where I do
> not have my key or an incorrect key, I see nothing logged in auth.log about a
> failed login attempt. If I attempt with an invalid username, as expected, I
> see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names. Looking at
> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
> empty), and has an executable shell. I'm no C hacker, but superficially it
> looks like it can never meet a condition where the user is valid but the key
> is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my configuration?

With LogLevel VERBOSE, you should get entries like
sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2

Is that what you're after?

David Adam
zanchey@ucc.gu.uwa.edu.au
On Thu, Jul 08, 2010 at 07:42:15PM -0400, Glen Barber wrote:
> ...
> What caught my interest is if I attempt to log in from a machine where I
> do not have my key or an incorrect key, I see nothing logged in auth.log
> about a failed login attempt. If I attempt with an invalid username, as
> expected, I see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names.
> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
> AllowGroups (if it is not empty), and has an executable shell. I'm no C
> hacker, but superficially it looks like it can never meet a condition
> where the user is valid but the key is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my
> configuration?

What I do is configure IPFW to log all attempted session-initiation packets
on 22/tcp, and correlate /var/log/auth.log & /var/log/security. It's rather
interesting to see how many entries show up in the latter that have no
corresponding entry in the former.

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
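The correlation David Wolfskill describes, written out as an added example that is not part of the thread: it lists source addresses that ipfw saw opening 22/tcp but that left no failure line in auth.log, which is exactly the gap Glen is asking about when sshd runs below LogLevel VERBOSE. The sample lines are constructed; the sshd messages follow the two formats quoted in the thread, and the ipfw line layout ("ipfw: rule action proto src:port dst:port in via iface") is assumed to match what FreeBSD's syslog writes to /var/log/security.

```python
import re
from collections import defaultdict

# Constructed sample log lines (addresses and host names are made up).
# /var/log/security: ipfw entries for inbound and outbound 22/tcp packets.
SECURITY_LOG = """\
Jul  9 01:02:03 host kernel: ipfw: 100 Accept TCP 203.0.113.5:51234 198.51.100.1:22 in via em0
Jul  9 01:02:10 host kernel: ipfw: 100 Accept TCP 203.0.113.9:40001 198.51.100.1:22 in via em0
Jul  9 01:02:11 host kernel: ipfw: 100 Accept TCP 203.0.113.9:40002 198.51.100.1:22 in via em0
Jul  9 01:03:00 host kernel: ipfw: 100 Accept TCP 198.51.100.1:22 203.0.113.5:51234 out via em0
"""
# /var/log/auth.log: the two sshd message forms quoted in the thread.
# 203.0.113.9 never appears here, as if its publickey failures were not
# logged because LogLevel was left at the default.
AUTH_LOG = """\
Jul  9 01:02:04 host sshd[88595]: Failed publickey for root from 203.0.113.5 port 51234 ssh2
Jul  9 01:02:05 host sshd[88596]: Invalid user admin from 203.0.113.5
"""

# Inbound TCP to destination port 22 only; the "in" keyword excludes our replies.
IPFW_RE = re.compile(r"ipfw: \d+ \w+ TCP (\S+):\d+ \S+:22 in via")
# "Failed <method> for [invalid user] <name> from <ip> ..." or "Invalid user <name> from <ip>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for .* from|Invalid user \S+ from) (\d+\.\d+\.\d+\.\d+)"
)


def _count_matches(text, pattern):
    counts = defaultdict(int)
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def ipfw_sources(text):
    """Number of inbound 22/tcp packets logged by ipfw, per source address."""
    return _count_matches(text, IPFW_RE)


def sshd_failures(text):
    """Number of sshd failure lines in auth.log, per source address."""
    return _count_matches(text, SSHD_RE)


def unaccounted(security_text, auth_text):
    """Sources that hit 22/tcp but have no corresponding auth.log entry."""
    seen = sshd_failures(auth_text)
    return {ip: n for ip, n in ipfw_sources(security_text).items() if ip not in seen}


if __name__ == "__main__":
    for ip, n in unaccounted(SECURITY_LOG, AUTH_LOG).items():
        print(f"{ip}: {n} connection attempt(s) on 22/tcp, nothing in auth.log")
```

On a real host, read the two files instead of the embedded strings; the same regexes apply, and a non-empty result is the cue to raise LogLevel to VERBOSE as David Adam suggests.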