[Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

sshguard 1.5 is not recognizing messages in /var/log/authlog from sshd
on an OpenBSD 4.9 or 5.1 system [1] as containing an attack signature.

Apparently, it's been a problem since at least OpenBSD 4.8, per:
http://sourceforge.net/mailarchive/forum.php?thread_name=AE3E9B9A-6376-4572-ACF9-128256676CD9%40sshguard.net&forum_name=sshguard-users

Example messages in /var/log/authlog:

Jun  9 21:46:07 green sshd[28212]: Failed password for invalid user staff from 122.70.128.5 port 35686 ssh2
Jun  9 21:46:07 green sshd[28212]: input_userauth_request: invalid user staff [preauth]
Jun  9 21:46:09 green sshd[19052]: Failed password for invalid user sales from 122.70.128.5 port 37580 ssh2
Jun  9 21:46:09 green sshd[19052]: input_userauth_request: invalid user sales [preauth]
Jun  9 21:46:11 green sshd[16201]: Failed password for invalid user recruit from 122.70.128.5 port 39886 ssh2
Jun  9 21:46:11 green sshd[16201]: input_userauth_request: invalid user recruit [preauth]

Your attack pattern web docs say sshguard is looking for the form:
	Invalid user inexu from 6.6.6.0
and attack_patternsl.l indeed lists an insistence for uppercase 'I' on
the word invalid:
	"Invalid user ".+" from"

The quick patch here fixes the recognition problem if I do a direct
paste of the truncated 'invalid user staff from 122.70.128.5' portion
into sshguard when it is running in debug mode.

--- src/parser/attack_scanner.l.orig	Wed Feb  9 05:01:47 2011
+++ src/parser/attack_scanner.l	Sun Jun 24 17:07:02 2012
@@ -128,6 +128,8 @@
 
  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
 "Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
+ /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
+"invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
 "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }


But that patch does not fix the recognition of the pattern within the
longer lines when running 'sshguard -l /var/log/authlog'.

It also does not fix recognition of even the truncated portion of the
line mentioned above when it's appended to a separate log file and
watched with 'sshguard -l /tmp/truncatedtest'.

Still, am I at least heading in the right direction?  Is there other
parsing that is too specific to match those sshd authlog entries? 
Thanks!


Richard

-------
[1]
sshd on OpenBSD 5.1:	OpenSSH_6.0, OpenSSL 1.0.0f 4 Jan 2012
sshd on OpenBSD 4.9:	OpenSSH_5.6, OpenSSL 0.9.8k25 Mar 2009

-------
PS - sourceforge mailing list subscription finally came through after I
put the above info here as well:
http://www.sshguard.net/support/submission/detail/37ce7e8f4d7cc1cf7af6/





[Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.

Intelligently block brute-force attacks by aggregating system logs

[Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.