bugzilla-daemon at mindrot.org
2014-Feb-04  08:38 UTC
[Bug 2199] New: "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
            Bug ID: 2199
           Summary: "Too many authentication failures for root" does not log IP
           Product: Portable OpenSSH
           Version: 6.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sshbugzilla.apriori at spamgourmet.com
It would be useful if all log messages relating to authentication
failures would include the IP of the remote host.
In particular, the remote host is currently missing for the following
message:
> Disconnecting: Too many authentication failures for root [preauth]
Including the remote host would enable countermeasures against the
flooding of the logs, e.g. by employing a filter for fail2ban, which is
currently not possible because no IP address can be correlated with the
auth failures.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Mar-06  10:29 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
mindrot at riechers.info changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mindrot at riechers.info
bugzilla-daemon at mindrot.org
2014-Mar-06  11:00 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
I think what you want is in 6.5:
auth.c in 6.5 has:
revision 1.160
date: 2013-06-02 07:41:51 +1000;  author: dtucker;  state: Exp;  lines: +26 -4;
   - djm at cvs.openbsd.org 2013/05/19 02:42:42
     [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
     Standardise logging of supplemental information during userauth. Keys
     and ruser is now logged in the auth success/failure message alongside
     the local username, remote host/port and protocol in use. Certificates
     contents and CA are logged too.
     Pushing all logging onto a single line simplifies log analysis as it is
     no longer necessary to relate information scattered across multiple log
     entries. "I like it" markus@
I don't think the exact line you're quoting has an IP address (it's a
copy of the disconnection message sent to the client) but all of the
details you want should be available in other messages.
bugzilla-daemon at mindrot.org
2014-Mar-07  16:34 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
--- Comment #2 from sshbugzilla.apriori at spamgourmet.com ---
Hi!
I observed this behaviour on 6.5, so the revision you quoted should be
incorporated.
We discussed the idea of combining information from multiple log
messages in https://github.com/fail2ban/fail2ban/pull/45 . In
particular, one would have to combine the info from the IP-less "too
many auth failures" message with the subsequent "disconnecting"
message. However, it appeared as if correlating the two messages can't
be done out of the box because the PIDs are not identical.
Someone suggested that setting the log level to verbose would produce
"connection from" messages, which include the remote host's IP, and
whose PID matches the one from the "too many auth failures" message. So
this might be a way to get a hold of the desired information.
bugzilla-daemon at mindrot.org
2014-Apr-03  11:24 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Roland Friedwagner <r.friedwagner at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |r.friedwagner at gmail.com
--- Comment #3 from Roland Friedwagner <r.friedwagner at gmail.com> ---
Confirm this Bug for openssh version 6.6p1
bugzilla-daemon at mindrot.org
2014-Jul-03  04:05 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2449|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org
             Status|NEW                         |ASSIGNED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2449
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2449&action=edit
Log authentication tries exceeded in similar format to success/failure
This patch logs the tries-exceeded message using a similar format to
the success/failure messages:
Jul  3 14:02:12 haru sshd[1334]: Disconnecting: Too many authentication failures for djm from 127.0.0.1 port 27781 ssh2 [preauth]
and for invalid users:
Jul  3 14:03:02 haru sshd[6474]: Disconnecting: Too many authentication failures for invalid user xxx from 127.0.0.1 port 34633 ssh2 [preauth]
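The two matching strategies discussed in this thread (PID correlation from comment #2 and the one-line format from comment #4), as an added Python example that is not code from OpenSSH, fail2ban or any participant. The wording of the verbose "Connection from" line and the last three sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL = r"^Disconnecting: Too many authentication failures for "
# One-line format from comment #4. Anchored at both ends and the user is a
# single token, so text inside a username cannot be read as the host.
NEW = re.compile(FAIL + r"(?:invalid user )?(?P<user>\S+) "
                 r"from (?P<ip>\S+) port \d+ ssh2 \[preauth\]$")
# Format from the original report: no host on the line.
OLD = re.compile(FAIL + r"(?P<user>\S+) \[preauth\]$")
# Assumed wording of the verbose-level line mentioned in comment #2.
CONN = re.compile(r"^Connection from (?P<ip>\S+) port \d+")

SAMPLE = [
    # First two lines are the log lines quoted in comment #4.
    "Jul  3 14:02:12 haru sshd[1334]: Disconnecting: Too many authentication "
    "failures for djm from 127.0.0.1 port 27781 ssh2 [preauth]",
    "Jul  3 14:03:02 haru sshd[6474]: Disconnecting: Too many authentication "
    "failures for invalid user xxx from 127.0.0.1 port 34633 ssh2 [preauth]",
    # Constructed: old format, with and without a verbose "Connection from".
    "Feb  4 08:30:01 haru sshd[2001]: Connection from 192.0.2.7 port 40022",
    "Feb  4 08:30:09 haru sshd[2001]: Disconnecting: Too many authentication "
    "failures for root [preauth]",
    "Feb  4 08:31:00 haru sshd[2050]: Disconnecting: Too many authentication "
    "failures for root [preauth]",
]


def offenders(lines):
    """Count tries-exceeded disconnects per source IP (None = unresolved)."""
    pid_ip = {}  # sshd PID -> IP learned from "Connection from" lines
    hits = Counter()
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if c := CONN.match(msg):
            pid_ip[pid] = c["ip"]
        elif n := NEW.match(msg):
            hits[n["ip"]] += 1
        elif OLD.match(msg):
            # Fall back to PID correlation; keep unresolved hits visible.
            hits[pid_ip.get(pid)] += 1
    return hits


if __name__ == "__main__":
    print(offenders(SAMPLE))
```

PIDs are reused over time, so a long-running consumer should expire `pid_ip` entries rather than keep them indefinitely.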
bugzilla-daemon at mindrot.org
2014-Jul-03  05:45 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2449|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2014-Jul-03  11:18 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2226
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
patch applied - will be in openssh-6.7
bugzilla-daemon at mindrot.org
2014-Oct-07  21:00 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all bugs left open from 6.6 and 6.7 releases.