Difference between revisions of "Talk:OpenSSH"

From Fail2ban
(Added AllowUsers policy)
Line 70:
It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts?
+
+ == AllowUsers policy ==
+ <pre>
+ User .* from <HOST> not allowed because not listed in AllowUsers$
+ </pre>

Revision as of 16:11, 5 January 2009

please make it detect this earlier:

Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241

Log injection

Daniel B. Cid's article on OSSEC recommends using these failregex rules for SSH to prevent log injection:

failregex = Authentication failure for .* from <HOST>$
            Failed [-/\w]+ for .* from <HOST>$
            ROOT LOGIN REFUSED .* FROM <HOST>$
            [iI](?:llegal|nvalid) user .* from <HOST>$

However, these never match anything for me, since all of my SSH failed login lines end with port 12345 ssh2. So, shouldn't the rules be something like this?

failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
            Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
            ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
            [iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$

-- 19:04, 29 June 2007 (CEST)


Please could you discuss this on the mailing-list? Could you provide a log line with these "ssh2" at the end? Thank you. --Lostcontrol 14:01, 5 July 2007 (CEST)


ssh2 at end of log

From my system (Fedora Core 6):

Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2
Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2

Should be fixed in the next release. Thank you. --Lostcontrol 09:51, 13 July 2007 (CEST)

ssh and pam

OpenSSH on recent Linux distributions uses PAM to authenticate users. If the user doesn't exist, this line is printed in auth.log:

Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29

Adding this regex rule is really helpful:

sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>

Asymmetrical policy for valid/invalid users

It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts?

AllowUsers policy

User .* from <HOST> not allowed because not listed in AllowUsers$
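The rules proposed on this page (the OSSEC failregex set under "Log injection", the variant with the `port \d+ ssh2` tail, the pam_unix rule under "ssh and pam", and the AllowUsers rule above) can be checked against the log lines quoted on this page. The following Python script is an added example, not fail2ban's own code: `HOST` is a simplified stand-in for fail2ban's `<HOST>` expansion (assumed here; the real expansion also deals with IPv4-mapped IPv6 addresses), and the helper names are mine. It shows that the unmodified OSSEC rules miss lines that end in `port N ssh2`, that the `ssh2` variant in turn misses the older-format lines from the "Jan 17" excerpt, and which host each rule extracts, so a jail that has to cover both formats needs both forms of the rule.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# one additionally accepts IPv4-mapped IPv6 addresses).
HOST = r"(?P<host>[\w\-.^_]*\w)"


def compile_failregex(patterns):
    """Compile fail2ban-style failregex lines, expanding <HOST> to a named group."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_host(regexes, line):
    """Return the host captured by the first matching regex, or None if none match."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


# Rules as quoted from the OSSEC article: $ immediately after <HOST>.
OSSEC_RULES = [
    r"Authentication failure for .* from <HOST>$",
    r"Failed [-/\w]+ for .* from <HOST>$",
    r"ROOT LOGIN REFUSED .* FROM <HOST>$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>$",
]
# The same rules with the "port N ssh2" tail proposed on the talk page.
SSH2_RULES = [p[:-1] + r" port \d+ ssh2$" for p in OSSEC_RULES]
# The pam_unix rule and the AllowUsers rule, as given on the talk page.
PAM_RULE = [r"sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>"]
ALLOWUSERS_RULE = [r"User .* from <HOST> not allowed because not listed in AllowUsers$"]

RULESETS = {
    "ossec": compile_failregex(OSSEC_RULES),
    "ssh2": compile_failregex(SSH2_RULES),
    "pam": compile_failregex(PAM_RULE),
    "allowusers": compile_failregex(ALLOWUSERS_RULE),
}

# Sample lines copied from the talk page excerpts.
SAMPLE_LINES = {
    "fedora_ssh2": "Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test "
                   "from 192.168.0.178 port 49420 ssh2",
    "old_invalid": "Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241",
    "pam_unix": "Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; "
                "logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29",
    "allowusers": "Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 "
                  "not allowed because not listed in AllowUsers",
    "no_host": "Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because "
               "shell /usr/sbin/nologin does not exist",
}


def classify(line):
    """Map each ruleset name to the host it extracts from the line (None = no match)."""
    return {name: match_host(rxs, line) for name, rxs in RULESETS.items()}


def hosts_to_ban(lines):
    """Hosts counted as failures when all rulesets are combined in one jail."""
    hits = []
    for line in lines:
        for rxs in RULESETS.values():
            host = match_host(rxs, line)
            if host:
                hits.append(host)
                break  # one failure per line, whichever ruleset matched first
    return hits


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(f"{name:12} -> {classify(line)}")
```

Running the script prints, per sample line, which rulesets match and the host each extracts; the "no_host" line (a rejected shell, no client address) is correctly matched by nothing, since there is no host to ban.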