Difference between revisions of "Talk:OpenSSH"

From Fail2ban

Revision as of 21:02, 12 July 2007

Please make it detect this earlier:

Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241

Log injection

Daniel B. Cid's article on OSSEC recommends using these failregex rules for SSH to prevent log injection:

failregex = Authentication failure for .* from <HOST>$
            Failed [-/\w]+ for .* from <HOST>$
            ROOT LOGIN REFUSED .* FROM <HOST>$
            [iI](?:llegal|nvalid) user .* from <HOST>$

However, these never match anything for me, since all of my SSH failed login lines end with port 12345 ssh2. So, shouldn't the rules be something like this?

failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
            Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
            ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
            [iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$

-- 19:04, 29 June 2007 (CEST)


Please could you discuss this on the mailing-list? Could you provide a log line with these "ssh2" at the end? Thank you. --Lostcontrol 14:01, 5 July 2007 (CEST)


ssh2 at end of log

From my system (Fedora Core 6):

Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2
Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2
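The two questions raised on this page, whether the end-anchored rules from the "Log injection" post can match at all, and what the "port NNNNN ssh2" suffix shown in "ssh2 at end of log" does to them, can be checked offline. The following Python is an added example, not fail2ban's own matching code and not written by any of the posters here. It expands <HOST> with a simplified IPv4-only pattern (an assumption; fail2ban's real expansion is broader), runs each rule set with re.search over the log lines quoted in the posts above, and adds two things that are not on the page: a merged rule set that keeps the end anchor but makes the " port N ssh2" suffix optional so lines of both shapes match, and, for contrast, a deliberately loose "from <HOST>" pattern together with one constructed log line whose username was chosen to contain a spoofed "from 10.0.0.1" (this line assumes sshd wrote the username into syslog verbatim, which the page does not establish).

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# the real expansion also accepts hostnames and IPv4-mapped IPv6 prefixes).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Rule sets quoted from the "Log injection" post above.
ORIGINAL = [
    r"Authentication failure for .* from <HOST>$",
    r"Failed [-/\w]+ for .* from <HOST>$",
    r"ROOT LOGIN REFUSED .* FROM <HOST>$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>$",
]
PROPOSED = [
    r"Authentication failure for .* from <HOST> port \d+ ssh2$",
    r"Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$",
    r"ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$",
    r"[iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$",
]
# Added here (not from the page): keep the end anchor, make the suffix optional.
MERGED = [p.replace(r" port \d+ ssh2$", r"(?: port \d+ ssh2)?$") for p in PROPOSED]
# Deliberately loose pattern, constructed for contrast: no leading context and
# no end anchor, so re.search returns the leftmost "from <ip>" on the line.
LOOSE = [r"from <HOST>"]

# Sample input. The first two lines are quoted from the posts above; the third
# is constructed: its username was chosen by the attacker to contain a spoofed
# "from 10.0.0.1", assuming sshd wrote the username into syslog verbatim.
FC6_LINE = ("Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user "
            "test from 192.168.0.178 port 49420 ssh2")
BARE_LINE = "Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241"
INJECTED_LINE = ("Jul 12 06:09:00 foo sshd[8862]: Invalid user admin from 10.0.0.1 "
                 "from 192.168.0.178 port 49423 ssh2")


def compile_rules(patterns):
    """Expand <HOST> and compile each rule, as fail2ban does before matching."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_host(patterns, line):
    """Return the address a rule set would ban for this line, or None."""
    for rule in compile_rules(patterns):
        found = rule.search(line)  # fail2ban searches the line; no fullmatch
        if found:
            return found.group("host")
    return None


def report(line):
    """Which address each rule set attributes the line to."""
    return {name: match_host(rules, line) for name, rules in
            (("original", ORIGINAL), ("proposed", PROPOSED),
             ("merged", MERGED), ("loose", LOOSE))}


if __name__ == "__main__":
    for label, line in (("FC6", FC6_LINE), ("bare", BARE_LINE),
                        ("injected", INJECTED_LINE)):
        print(label, report(line))
```

Running it shows the behaviour both posts describe: the original `$`-anchored rules never match the Fedora Core 6 line, and the proposed `port \d+ ssh2$` rules match it but in turn stop matching the bare "Invalid user fluffy from 59.125.118.241" shape from the earlier post, so making the suffix optional rather than mandatory is the safer edit. On the constructed injected line, every end-anchored set attributes the attempt to 192.168.0.178, because greedy `.*` followed by `from <HOST>` and the anchored suffix forces the captured host to be the last "from X" before the fixed tail of the line; only the loose pattern, which takes the leftmost "from", bans the spoofed 10.0.0.1.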