Difference between revisions of "Talk:OpenSSH"
From Fail2ban
Revision as of 19:04, 29 June 2007
please make it detect this earlier:

Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241
Log injection
Daniel B. Cid's article on OSSEC recommends using these failregex rules for SSH to prevent log injection:
failregex = Authentication failure for .* from <HOST>$
Failed [-/\w]+ for .* from <HOST>$
ROOT LOGIN REFUSED .* FROM <HOST>$
[iI](?:llegal|nvalid) user .* from <HOST>$
However, these never match anything for me, since all of my SSH failed login lines end with port 12345 ssh2. So, shouldn't the rules be something like this?
failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
[iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$
-- 19:04, 29 June 2007 (CEST)
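Added example (not code from the page or from fail2ban itself): a small Python check that runs both rule sets from this thread over sample sshd lines and reports which host each set extracts, and goes one step further with a third variant whose end anchor accepts lines with or without the `port N ssh2` tail. It assumes a simplified `<HOST>` expansion (`\S+`) and plain `re.search` on the whole line, and the third sample line is constructed to show the newer log format.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion is more specific about what a host may look like).
HOST_PATTERN = r"(?P<host>\S+)"

# The OSSEC-derived rules quoted above: end anchor sits right after <HOST>.
OSSEC_RULES = [
    r"Authentication failure for .* from <HOST>$",
    r"Failed [-/\w]+ for .* from <HOST>$",
    r"ROOT LOGIN REFUSED .* FROM <HOST>$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>$",
]

# The amended rules proposed above: the "port N ssh2" tail is mandatory.
PORT_RULES = [r.replace("<HOST>$", r"<HOST> port \d+ ssh2$") for r in OSSEC_RULES]

# Variant that keeps the end anchor (the log-injection defence) but tolerates
# both log formats, so neither set of sample lines is silently ignored.
EITHER_RULES = [r.replace("<HOST>$", r"<HOST>(?: port \d+ ssh2)?$") for r in OSSEC_RULES]


def compile_failregex(rules):
    """Expand <HOST> and compile each failregex line, as fail2ban does."""
    return [re.compile(r.replace("<HOST>", HOST_PATTERN)) for r in rules]


def matched_host(rules, line):
    """Return the host captured by the first rule matching the line, or None."""
    for rx in compile_failregex(rules):
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def coverage(rules, lines):
    """Host extracted per line (None where no rule fires), for a whole rule set."""
    return [matched_host(rules, line) for line in lines]


# First two lines are taken from the log excerpt above; the third is constructed
# to represent the newer sshd format that ends in "port N ssh2".
LINES = [
    "Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241",
    "Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241",
    "Jun 29 19:04:00 myhost sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 12345 ssh2",
]

if __name__ == "__main__":
    for name, rules in (("OSSEC", OSSEC_RULES), ("PORT", PORT_RULES), ("EITHER", EITHER_RULES)):
        print(name, coverage(rules, LINES))
```

Each rule set only fires on one of the two formats; the optional-tail variant covers both while still refusing to match anything that does not end exactly where a genuine sshd line ends.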