bugzilla-daemon at mindrot.org
2014-Feb-04 08:38 UTC
[Bug 2199] New: "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Bug ID: 2199 Summary: "Too many authentication failures for root" does not log IP Product: Portable OpenSSH Version: 6.4p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: sshbugzilla.apriori at spamgourmet.com It would be useful if all log messages relating to authentication failures would include the IP of the remote host. In particular, the remote host is currently missing for the following message:> Disconnecting: Too many authentication failures for root [preauth]Including the remote host would enable countermeasures against the flooding of the logs, e.g. by employing a filter for fail2ban, which is currently not possible because no IP address can be correlated with the auth failures. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Mar-06 10:29 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 mindrot at riechers.info changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mindrot at riechers.info -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Mar-06 11:00 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au --- Comment #1 from Darren Tucker <dtucker at zip.com.au> --- I think what you want is in 6.5: auth.c in 6.5 has: revision 1.160 date: 2013-06-02 07:41:51 +1000; author: dtucker; state: Exp; lines: +26 -4; - djm at cvs.openbsd.org 2013/05/19 02:42:42 [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@ I don't think the exact line you're quoting has an IP address (it's a copy of the disconnection message sent to the client) but all of the details you want should be available in other messages. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2014-Mar-07 16:34 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 --- Comment #2 from sshbugzilla.apriori at spamgourmet.com --- Hi! I observed this behaviour on 6.5, so the revision you quoted should be incorporated. We discussed the idea of combining information from multiple log messages in https://github.com/fail2ban/fail2ban/pull/45 . In particular, one would have to combine the info from the IP-less ?too many auth failures? message with the subsequent ?disconnecting? message. However, it appeared as if correlating the two messages can?t be done out of the box because the PIDs are not identical. Someone suggested that setting the log level to verbose would produce ?connection from? messages, which include the remote host?s IP, and whose PID matches the one from the ?too many auth failures? message. So this might be a way to get a hold of the desired information. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2014-Apr-03 11:24 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Roland Friedwagner <r.friedwagner at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |r.friedwagner at gmail.com --- Comment #3 from Roland Friedwagner <r.friedwagner at gmail.com> --- Confirm this Bug for openssh version 6.6p1 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2014-Jul-03 04:05 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2449| |ok?(dtucker at zip.com.au) Flags| | Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org CC| |djm at mindrot.org Status|NEW |ASSIGNED --- Comment #4 from Damien Miller <djm at mindrot.org> --- Created attachment 2449 --> https://bugzilla.mindrot.org/attachment.cgi?id=2449&action=edit Log authentication tries exceeded in similar format to success/failure This patch logs the tries-exceeded message using a similar format to the success/failure messages: Jul 3 14:02:12 haru sshd[1334]: Disconnecting: Too many authentication failures for djm from 127.0.0.1 port 27781 ssh2 [preauth] and for invalid users: Jul 3 14:03:02 haru sshd[6474]: Disconnecting: Too many authentication failures for invalid user xxx from 127.0.0.1 port 34633 ssh2 [preauth] -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Jul-03 05:45 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #2449|ok?(dtucker at zip.com.au) |ok+ Flags| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Jul-03 11:18 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED Blocks| |2226 --- Comment #5 from Damien Miller <djm at mindrot.org> --- patch applied - will be in openssh-6.7 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Oct-07 21:00 UTC
[Bug 2199] "Too many authentication failures for root" does not log IP
https://bugzilla.mindrot.org/show_bug.cgi?id=2199 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #6 from Damien Miller <djm at mindrot.org> --- Close all bugs left open from 6.6 and 6.7 releases. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Possibly Parallel Threads
- Human readable .ssh/known_hosts?
- [Bug 2252] New: RekeyLimit breaks ClientAlive
- [Bug 83897] New: GK106 (GeForce GTX 660): Frequent GPU lockups
- [Bug 297] New: sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
- [Bug 79820] New: Strange readout on fan1_input when pwm1_min < 33