|
|
| (8 intermediate revisions by 7 users not shown) |
| Line 1: |
Line 1: |
| − | please make it detect this earlyer:
| |
| | | | |
| − | Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
| + | === ssh and pam === |
| − | Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
| |
| − | Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
| |
| − | Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
| |
| − | Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241
| |
| − | | |
| − | == Log injection == | |
| − | | |
| − | Daniel B. Cid's article on OSSEC reccommends using these failregex rules for SSH to prevent log injection:
| |
| | | | |
| | + | OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log |
| | <pre> | | <pre> |
| − | failregex = Authentication failure for .* from <HOST>$
| + | Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29 |
| − | Failed [-/\w]+ for .* from <HOST>$
| |
| − | ROOT LOGIN REFUSED .* FROM <HOST>$
| |
| − | [iI](?:llegal|nvalid) user .* from <HOST>$
| |
| | </pre> | | </pre> |
| | | | |
| − | However, these never match anything for me, since all of my SSH failed login lines end with <tt>port 12345 ssh2</tt>. So, shouldn't the rules be something like this?
| + | Adding this regex rule is really helpful: |
| | | | |
| | <pre> | | <pre> |
| − | failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
| + | sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST> |
| − | Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
| |
| − | ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
| |
| − | [iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$
| |
| | </pre> | | </pre> |
| − |
| |
| − | -- 19:04, 29 June 2007 (CEST)
| |
Latest revision as of 03:24, 15 March 2014
ssh and pam
OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log
Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
Adding this regex rule is really helpful:
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
