bugzilla-daemon at mindrot.org
2014-Dec-13 22:45 UTC
[Bug 2327] New: sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
Bug ID: 2327
Summary: sshd to log one unique string or prefix after connection failure, no matter why.
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: octavsly at gmail.com
To allow fail2ban to correctly ban some sshd attacks, more information
would need to be logged.
More is discussed at: https://github.com/fail2ban/fail2ban/issues/864
==Quote====
It makes more sense if at last sshd would log one unique string or prefix after connection failure, no matter why.
Something like:
Nov 25 01:33:13 srv sshd[...]: Failure from <HOST>: <here can be a reason why ...>
Or if sshd gets a system callback (like call_if_fails) with the address of the failed connection. Then we can self-produce a failure for fail2ban.
===================
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-01 14:14 UTC
[Bug 2327] sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
Karl Schmidt <karl at xtronics.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |karl at xtronics.com
--- Comment #1 from Karl Schmidt <karl at xtronics.com> ---
This poorly titled bug has been around a long time. The key is that the IP
address is missing.
This bug is alive at Cisco
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv42794
It is also listed as a bug in Debian
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726579
Having the IP address on the same line, at info log level, is
obviously needed for identifying attackers.
From /var/log/auth.log:
Jul 28 08:37:27 hostname sshd[12053]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr [preauth]
Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a key exchange method [preauth]
I think more examples of the missing IP address exist.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-01 14:43 UTC
[Bug 2327] sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Karl Schmidt from comment #1)
[...]
> Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a key exchange method [preauth]
These ones have been fixed for a while:
$ ssh -p 2022 -o kexalgorithms=diffie-hellman-group1-sha1 localhost
ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching key exchange method found [preauth]
$ ssh -p 2022 -o ciphers=3des-cbc localhost
ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching cipher found [preauth]
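The practical difference between the two log formats discussed in comments #1 and #2 is whether a log-driven banner such as fail2ban has anything to act on. The following is an added example, not code from this thread, from OpenSSH or from fail2ban: a small fail2ban-style matcher in Python, run over constructed auth.log lines. The address-less lines are patterned on those quoted in comment #1 and the "Connection to <host>" lines on those in comment #2; the "Unable to negotiate with <host> port <port>" wording of later sshd releases is included as an assumption, as are the function names and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not captured from a real host).
# Lines 1-2 are the address-less 6.7p1 form quoted in comment #1, lines 3-4 the
# "Connection to <host>" form shown in comment #2, lines 5-6 the
# "with <host> port <port>" wording of later releases (an assumption here),
# and line 7 a successful login that must not be counted as a failure.
SAMPLE_LOG = """\
Jul 28 08:37:27 hostname sshd[12053]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr [preauth]
Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a key exchange method [preauth]
Jul 28 09:01:02 hostname sshd[12600]: ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching key exchange method found [preauth]
Jul 28 09:01:05 hostname sshd[12601]: ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching cipher found [preauth]
Jul 28 09:02:11 hostname sshd[12610]: Unable to negotiate with 203.0.113.7 port 41022: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
Jul 28 09:02:14 hostname sshd[12611]: Unable to negotiate with 203.0.113.7 port 41030: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jul 28 09:03:00 hostname sshd[12620]: Accepted publickey for deploy from 198.51.100.4 port 50022 ssh2
"""

# Message part after "sshd[<pid>]: ".
_SSHD_MSG = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")

# Failure messages that carry the remote address. The host is matched lazily
# so that IPv6 literals (which themselves contain ':') still stop at ": ".
_ADDRESSED = [
    re.compile(r"Connection (?:to|from) (?P<host>\S+?)(?: port \d+)?: (?P<reason>.+?)(?: \[preauth\])?$"),
    re.compile(r"Unable to negotiate with (?P<host>\S+?) port \d+: (?P<reason>.+?)(?: \[preauth\])?$"),
]


def parse_failure(line):
    """Classify one auth.log line.

    Returns None for lines that are not sshd failures, (host, reason) for a
    failure that names the peer, and (None, message) for a failure that does
    not (the case this bug is about: nothing for fail2ban to ban).
    """
    m = _SSHD_MSG.search(line)
    if not m:
        return None
    msg = m.group("msg")
    for pat in _ADDRESSED:
        hm = pat.search(msg)
        if hm:
            return hm.group("host"), hm.group("reason")
    if msg.startswith("fatal:") or "Unable to negotiate" in msg:
        return None, msg
    return None


def ban_candidates(log_text, maxretry=2):
    """Count attributable failures per host, fail2ban style.

    Returns (sorted hosts at or above maxretry, number of failures that named
    no host and therefore cannot be attributed to anyone).
    """
    counts = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, _reason = parsed
        if host is None:
            unattributed += 1
        else:
            counts[host] += 1
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return banned, unattributed


if __name__ == "__main__":
    banned, lost = ban_candidates(SAMPLE_LOG, maxretry=2)
    print("would ban:", banned)
    print("failures with no address (unbannable):", lost)
```

On the sample, both peers that produced two address-bearing failures are reported, while the two 6.7p1-style lines are counted but cannot be attributed to anyone; a real filter would also need a date-window and an ignore list for local addresses such as 127.0.0.1.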
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-01 19:17 UTC
[Bug 2327] sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
--- Comment #3 from Karl Schmidt <karl at xtronics.com> ---
I'm running 6.7p1 - at which version was this fixed? (No backport for Debian stable.) If fixed, we should close these bugs.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 05:15 UTC
[Bug 2327] sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
It varies depending on exactly which bit you are looking at.
Remote IP addresses: bug#2257 since at least 6.9:
https://anongit.mindrot.org/openssh.git/commit/?id=639d6bc5
Remote port numbers: bug#2503, first in 7.2
https://anongit.mindrot.org/openssh.git/commit/?id=a4b9e0f4
bugzilla-daemon at mindrot.org
2021-Apr-23 05:03 UTC
[Bug 2327] sshd to log one unique string or prefix after connection failure, no matter why.
https://bugzilla.mindrot.org/show_bug.cgi?id=2327
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release