Difference between revisions of "Talk:OpenSSH"
(ssh and pam) |
(New section: Assymetrical policy for valid/invalid users) |
||
| Line 66: | Line 66: | ||
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST> | sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST> | ||
</pre> | </pre> | ||
| + | |||
| + | == Assymetrical policy for valid/invalid users == | ||
| + | |||
| + | It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts? | ||
Revision as of 08:23, 3 January 2008
please make it detect this earlyer:
Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241 Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241
Log injection
Daniel B. Cid's article on OSSEC reccommends using these failregex rules for SSH to prevent log injection:
failregex = Authentication failure for .* from <HOST>$
Failed [-/\w]+ for .* from <HOST>$
ROOT LOGIN REFUSED .* FROM <HOST>$
[iI](?:llegal|nvalid) user .* from <HOST>$
However, these never match anything for me, since all of my SSH failed login lines end with port 12345 ssh2. So, shouldn't the rules be something like this?
failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
[iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$
-- 19:04, 29 June 2007 (CEST)
Please could you discuss this on the mailing-list? Could you provide a log line with these "ssh2" at the end? Thank you. --Lostcontrol 14:01, 5 July 2007 (CEST)
ssh2 at end of log
From my system (Fedora Core 6):
Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2 Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2
Should be fixed in the next release. Thank you. --Lostcontrol 09:51, 13 July 2007 (CEST)
ssh and pam
OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log
Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
Adding this regex rule is really helpful:
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
Assymetrical policy for valid/invalid users
It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts?
