Talk:OpenSSH

From Fail2ban

Please make it detect this earlier:

Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241

Log injection

Daniel B. Cid's article on OSSEC recommends using these failregex rules for SSH to prevent log injection:

failregex = Authentication failure for .* from <HOST>$
            Failed [-/\w]+ for .* from <HOST>$
            ROOT LOGIN REFUSED .* FROM <HOST>$
            [iI](?:llegal|nvalid) user .* from <HOST>$

However, these never match anything for me, since all of my SSH failed login lines end with port 12345 ssh2. So, shouldn't the rules be something like this?

failregex = Authentication failure for .* from <HOST> port \d+ ssh2$
            Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$
            ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$
            [iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$

-- 19:04, 29 June 2007 (CEST)


Please could you discuss this on the mailing-list? Could you provide a log line with these "ssh2" at the end? Thank you. --Lostcontrol 14:01, 5 July 2007 (CEST)


ssh2 at end of log

From my system (Fedora Core 6):

Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2
Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2

Should be fixed in the next release. Thank you. --Lostcontrol 09:51, 13 July 2007 (CEST)

ssh and pam

OpenSSH on recent Linux distributions uses PAM to authenticate users. If the user doesn't exist, this line is printed in auth.log:

Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29

Adding this regex rule is really helpful:

sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
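An added example (my own, not fail2ban's code or any poster's) that runs the OSSEC rules from the "Log injection" section and the proposed "port N ssh2", pam_unix and AllowUsers rules over the log lines quoted on this page. It shows that the OSSEC rules anchored directly after <HOST> match nothing on lines ending in "ssh2", while the proposed rules count every host; the <HOST> stand-in is a simplified assumption, not fail2ban's exact pattern.

```python
import re
# Stand-in for fail2ban's <HOST> substitution (assumption: a simplified address
# or hostname token, not fail2ban's exact pattern).
HOST = r"(?P<host>[\w\-.:]*\w)"
# Rules from the OSSEC article quoted above, anchored directly after <HOST>.
OSSEC_RULES = [
    r"Authentication failure for .* from <HOST>$",
    r"Failed [-/\w]+ for .* from <HOST>$",
    r"ROOT LOGIN REFUSED .* FROM <HOST>$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>$",
]
# Rules proposed above for lines ending in "port NNNN ssh2", plus the pam_unix and
# AllowUsers rules; the $ anchor pins the capture to the suffix sshd itself writes.
PROPOSED_RULES = [
    r"Authentication failure for .* from <HOST> port \d+ ssh2$",
    r"Failed [-/\w]+ for .* from <HOST> port \d+ ssh2$",
    r"ROOT LOGIN REFUSED .* FROM <HOST> port \d+ ssh2$",
    r"[iI](?:llegal|nvalid) user .* from <HOST> port \d+ ssh2$",
    r"sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>",
    r"User .* from <HOST> not allowed because not listed in AllowUsers$",
]

def compile_rules(rules):
    return [re.compile(r.replace("<HOST>", HOST)) for r in rules]

def offending_host(line, compiled):
    """Host captured by the first matching rule, or None if no rule fires."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def failures_per_host(lines, rules):
    """Count matching lines per host, the figure fail2ban compares to maxretry."""
    compiled, counts = compile_rules(rules), {}
    for line in lines:
        host = offending_host(line, compiled)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts

# Sample lines taken from those quoted on this page.
SAMPLE = [
    "Jul 12 06:07:59 foo sshd[8858]: Failed password for invalid user test from 192.168.0.178 port 49420 ssh2",
    "Jul 12 06:07:59 foo sshd[8859]: Failed password for invalid user test from 192.168.0.178 port 60782 ssh2",
    "Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29",
    "Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers",
]
```

With OSSEC_RULES the sample yields no counts at all; with PROPOSED_RULES each of the three hosts is counted.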

Asymmetrical policy for valid/invalid users

It occurs to me that the suggestion to allow 5 failed attempts for valid user names vs. 2 attempts for invalid users will reveal that information (which user names are valid on the machine) to attackers. This seems senseless to me. Any thoughts?

  • DenyHosts has support for special options for root, restricted users and invalid users which allow stricter ban behavior in these cases. The invalid users match is obvious (the user doesn't exist on the system). The restricted users option is a list of users contained in a configuration file. Making these access attempts ban faster (possibly in one attempt) means that you can have a more lenient rule for your users e.g. 5 failures, and have a very strict e.g. 1 for root and for services like apache, nobody, and mysql that should never be using ssh. Banning this quickly reduces the risk to your server from a lucky brute force while saving you and your users trouble from false bans. --AdShea 01:20, 19 February 2009 (UTC)
  • We could implement this and other "special" ssh filters making a set of filters that would be used instead of the standard ssh filter. Each of these would implement a specific type of ssh login failure and could have separate bantime and maxtries rules. --AdShea 01:20, 19 February 2009 (UTC)

AllowUsers policy

User .* from <HOST> not allowed because not listed in AllowUsers$