From: Dionisios K. <ad...@vo...> - 2012-12-11 15:19:56

Have a look at the image: http://i48.tinypic.com/24vuo75.png

On Fri, Dec 7, 2012 at 10:24 PM, Yaroslav Halchenko <li...@on...> wrote:
> just out of exercise:
> looked in openssh-5.9p1 from ubuntu and could not find it... but then
> realized -- how could I forget about the fresh service:
>
> http://codesearch.debian.net/search?q=Bye+Bye
>
> which shows that it is most probably libssh:
>
> /**
>  * @brief Disconnect from a session (client or server).
>  * The session can then be reused to open a new session.
>  *
>  * @param[in] session The SSH session to use.
>  */
> void ssh_disconnect(ssh_session session) {
>   ...
>   str = ssh_string_from_char("Bye Bye");
>   ...
>
> which is called all over in libssh, and in openssh the actual log msg is
> spat out:
>
>   case SSH2_MSG_DISCONNECT:
>     reason = packet_get_int();
>     msg = packet_get_string(NULL);
>     logit("Received disconnect from %s: %u: %.400s",
>         get_remote_ipaddr(), reason, msg);
>     xfree(msg);
>     cleanup_exit(255);
>     break;
>
> and '11' probably is because of
>
> ./include/libssh/ssh2.h:#define SSH2_DISCONNECT_BY_APPLICATION 11
>
> altogether this msg being logged looks like unexpected but legit
> disconnects requested from client, but indeed should not be
> following too often upon regular use. BUT it usually follows some other
> fail log msg, like "Failed password for invalid user ...", which is a
> sign of a dictionary attack, and for which we have regexps. It seems to
> be quite unrelated to DDOS attacks where server is dragged into
> extending its waiting time, thus unlikely an attacker would be kind
> enough to just interrupt it with a legit signal.
>
> how does it proceed in your cases -- after some other failed login msgs
> or on its own?
>
> On Fri, 07 Dec 2012, Dionisios K. wrote:
>
>> lsb_release -a:
>> ---
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 12.04.1 LTS
>> Release: 12.04
>> Codename: precise
>
>> ssh -v:
>> ---
>> OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
>
>> uname:
>> ---
>> Linux host1 3.2.0-34-generic #53-Ubuntu SMP Thu Nov 15 10:48:16 UTC
>> 2012 x86_64 x86_64 x86_64 GNU/Linux
>
>> A single log row:
>> ---
>> Dec 7 16:23:50 host1 sshd[4783]: Received disconnect from
>> 88.212.xxx.xxx: 11: Bye Bye [preauth]
>
>> On Fri, Dec 7, 2012 at 4:08 PM, Yaroslav Halchenko <li...@on...> wrote:
>> > I wonder who (implementation / versions) are spitting it out since I
>> > can't find it in openssh I have in hands:
>
>> > novo:/tmp/openssh-6.1p1
>> > > grep -r Bye .
>
>> > ?
>
>> > On Fri, 07 Dec 2012, Dionisios K. wrote:
>
>> >> This regex provided to me by another member on this list should be
>> >> included by default in sshd-ddos filter:
>
>> >> ^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye \[preauth\]\s*$
>
>> >> It will match the following in the auth.log:
>
>> >> Received disconnect from <HOST>: 11: Bye Bye [preauth]
>
>> >> I thought it's better to be included in sshd-ddos.conf and not
>> >> sshd.conf because it is not actually an authentication error, however,
>> >> it's an attack.
>
> --
> Yaroslav O. Halchenko
> Postdoctoral Fellow, Department of Psychological and Brain Sciences
> Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
> Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
> WWW: http://www.linkedin.com/in/yarik
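A small checker, added here as an example and not code from the thread or from fail2ban itself, that runs the proposed "Bye Bye" pattern over a few constructed auth.log lines and records, per host, whether the disconnect followed a failed login (the question Yaroslav asks above). The syslog prefix regex is a simplified stand-in for fail2ban's %(__prefix_line)s macro, and the failed-password pattern is likewise an assumption rather than the filter's own regex.

```python
import re
from collections import defaultdict

# Assumption: simplified stand-in for fail2ban's %(__prefix_line)s
# (syslog timestamp, hostname, "sshd[pid]: "); the real macro is broader.
PREFIX = r"^\s*\S{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
# Roughly what fail2ban substitutes for <HOST> (optional IPv4-mapped prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The regex proposed on the list, with the macros expanded as above.
BYE_BYE_RE = re.compile(
    PREFIX + r"Received disconnect from " + HOST + r": 11: Bye Bye \[preauth\]\s*$")
# Assumption: a failed-login pattern of the kind the sshd filter already matches.
FAILED_RE = re.compile(
    PREFIX + r"Failed password for (?:invalid user )?\S+ from " + HOST
    + r" port \d+ ssh2\s*$")


def classify(lines):
    """Per host: count failed logins, 'Bye Bye' disconnects, and how many of
    those disconnects came right after a failed login from the same host."""
    stats = defaultdict(lambda: {"failed": 0, "bye_bye": 0, "bye_after_fail": 0})
    last_failed = set()  # hosts whose most recent event was a failed login
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            host = m.group("host")
            stats[host]["failed"] += 1
            last_failed.add(host)
            continue
        m = BYE_BYE_RE.match(line)
        if m:
            host = m.group("host")
            stats[host]["bye_bye"] += 1
            if host in last_failed:
                stats[host]["bye_after_fail"] += 1
                last_failed.discard(host)
    return dict(stats)


# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Dec  7 16:23:48 host1 sshd[4783]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Dec  7 16:23:50 host1 sshd[4783]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Dec  7 16:24:01 host1 sshd[4790]: Received disconnect from 203.0.113.9: 11: Bye Bye [preauth]
Dec  7 16:24:05 host1 sshd[4791]: Received disconnect from 203.0.113.9: 11: disconnected by user
""".splitlines()

if __name__ == "__main__":
    for host, counts in classify(SAMPLE_LOG).items():
        print(host, counts)
```

A host with bye_bye hits but no preceding failed logins is the "on its own" case from the question above; the fourth sample line shows that other reason-11 messages are deliberately left unmatched by the proposed regex.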