Difference between revisions of "Talk:OpenSSH"

From Fail2ban
(DenyGroups filter added)
(removed stuff that has been implemented for ages)
please make it detect this earlier:
 
 
<pre>
Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241
</pre>
 
 
== Log injection ==
 
 
Daniel B. Cid's article on OSSEC recommends using these failregex rules for SSH to prevent log injection:
 
 
<pre>
failregex = Authentication failure for .* from <HOST>$
            Failed [-/\w]+ for .* from <HOST>$
            ROOT LOGIN REFUSED .* FROM <HOST>$
            [iI](?:llegal|nvalid) user .* from <HOST>$
</pre>
 
 
However, these never match anything for me, since all of my SSH failed login lines end with <tt>port 12345 ssh2</tt>. So, shouldn't the rules be something like this?
 
 
<pre>
failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
            Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
            ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
            [iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$
</pre>
 
 
-- 19:04, 29 June 2007 (CEST)
 
 
----
 
 
Please could you discuss this on the mailing-list? Could you provide a log line with these "ssh2" at the end? Thank you. --[[User:Lostcontrol|Lostcontrol]] 14:01, 5 July 2007 (CEST)
 
 
 
== ssh2 at end of log ==
 
 
From my system (Fedora Core 6):
 
 
<pre>
Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2
Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2
</pre>
 
 
----
 
 
Should be fixed in the next release. Thank you. --[[User:Lostcontrol|Lostcontrol]] 09:51, 13 July 2007 (CEST)
 
== Asymmetrical policy for valid/invalid users ==
 
 
It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts?
 
 
*[http://denyhosts.sourceforge.net/ DenyHosts] has support for special options for root, restricted users and invalid users which allow stricter ban behavior in these cases.  The invalid users match is obvious (the user doesn't exist on the system).  The restricted users option is a list of users contained in a configuration file.  Making these access attempts ban faster (possibly in one attempt) means that you can have a more lenient rule for your users e.g. 5 failures, and have a very strict e.g. 1 for root and for services like apache, nobody, and mysql that should never be using ssh.  Banning this quickly reduces the risk to your server from a lucky brute force while saving you and your users trouble from false bans.[[User:AdShea|AdShea]] 01:20, 19 February 2009 (UTC)
 
*We could implement this and other "special" ssh filters making a set of filters that would be used instead of the standard ssh filter.  Each of these would implement a specific type of ssh login failure and could have separate bantime and maxtries rules.[[User:AdShea|AdShea]] 01:20, 19 February 2009 (UTC)
 
 
== AllowUsers policy ==
 
<pre>
User .* from <HOST> not allowed because not listed in AllowUsers$
</pre>
 
 
== DenyGroups policy ==
 
 
In addition to the failregex for AllowUsers, here is the line if you have configured ''DenyGroups'' in ''sshd_config'', for example

<pre>
DenyGroups root bin
</pre>

<pre>
^%(__prefix_line)sUser \S+ from <HOST> not allowed because a group is listed in DenyGroups$
</pre>
 

Latest revision as of 02:24, 15 March 2014

== ssh and pam ==

OpenSSH on recent Linux distributions uses PAM to authenticate users. If the user doesn't exist, this line is printed in auth.log:

<pre>
Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
</pre>

Adding this regex rule is really helpful:

<pre>
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
</pre>
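As an added example (not code from this page or from Fail2ban itself), the Python below applies the failregex lines from the log-injection and ssh2 discussions above, together with the AllowUsers and pam_unix rules, to the page's own sample log lines and to one constructed line whose username field carries a fake " from <ip> port 22 ssh2" fragment. It uses a simplified IPv4-only stand-in for fail2ban's <HOST> expansion (an assumption) and shows why the trailing `$` anchor and the `port \d+ ssh2` suffix matter: the OSSEC-style rules miss the Fedora lines entirely, and an unanchored, non-greedy variant credits the failure to the address embedded in the username instead of the connecting client.

```python
import re
from collections import Counter
# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real
# expansion also accepts hostnames). This is an assumption of the example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex lines proposed on this page: suffix-aware and anchored with $,
# plus the AllowUsers and pam_unix rules from the other sections.
ANCHORED = [
    r"Authentication failure for .* from <HOST> port \d+ ssh2$",
    r"Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$",
    r"ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$",
    r"[iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$",
    r"User .* from <HOST> not allowed because not listed in AllowUsers$",
    r"sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>",
]
# OSSEC-style rules as quoted above: anchored right after <HOST>, so they
# miss lines that carry the "port N ssh2" suffix.
OSSEC_STYLE = [
    r"Failed [-/\w]+ for .* from <HOST>$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>$",
]
# Illustrative weak variant (not from the page): no $ anchor and non-greedy,
# so the first " from <ip>" wins even if it sits inside the username field.
WEAK = [r"Failed [-/\w]+ for .*? from <HOST>"]

def compile_failregex(patterns):
    """Expand <HOST> as fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def match_host(compiled, line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def failures_by_host(patterns, lines):
    """Count matched failures per host, the input to a maxretry decision."""
    compiled = compile_failregex(patterns)
    return Counter(h for h in (match_host(compiled, ln) for ln in lines) if h)

# Sample input: two lines quoted on this page plus one constructed line whose
# username field contains a fake " from <ip> port 22 ssh2" fragment.
FC6_LINE = "Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2"
PAM_LINE = "Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29"
INJECTED_LINE = ("Jul 12 06:08:10 foo sshd[8860]: Failed password for invalid user "
                 "admin from 203.0.113.5 port 22 ssh2 from 198.51.100.7 port 4444 ssh2")
```

Calling `failures_by_host(ANCHORED, [FC6_LINE, PAM_LINE, INJECTED_LINE])` attributes one failure each to 192.168.0.178, 194.187.212.29 and 198.51.100.7, so the constructed line is charged to the connecting client and not to the address typed into the username.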