From: CSS <cs...@mo...> - 2014-03-18 23:55:59
I'm curious about attacks that look like this - it appears there's a connect, then multiple tries to authenticate (perhaps by password when keys are the only option?), and then a disconnect (100s of these…):

Mar 17 13:51:17 h26 sshd[20882]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:19 h26 sshd[20884]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:19 h26 sshd[20886]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:19 h26 sshd[20888]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:20 h26 sshd[20890]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:20 h26 sshd[20892]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:20 h26 sshd[20899]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:20 h26 sshd[20894]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:20 h26 sshd[20902]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:20 h26 sshd[20896]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:20 h26 sshd[20898]: Received disconnect from 218.28.26.59: 11: [preauth]

I'm not really clear on just what's being logged here, mainly due to the huge volume and not being able to match up pid numbers between the "Disconnecting" messages and the "Received disconnect…" messages. Regardless, here are some overall stats that made me wonder how this is slipping past sshguard. Log runs for 24 hours.

Number of loglines when nagios ssh checks are omitted:

[root@h26 /home/spork]# bzgrep -v "10.99.88.xx" /var/log/auth.log.0.bz2 | wc -l
2428

Number of hosts blocked:

[root@h26 /home/spork]# bzgrep Blocking /var/log/auth.log.0.bz2 | wc -l
2

Number of disconnects not from nagios ssh checks:

[root@h26 /home/spork]# bzgrep -v "10.99.88.xx" /var/log/auth.log.0.bz2 | grep "Received disconnect from" | wc -l
108

Number of auth failures not from nagios ssh checks (not that nagios should be failing auth):

[root@h26 /home/spork]# bzgrep -v "10.99.88.xx" /var/log/auth.log.0.bz2 | grep "Disconnecting: Too many authentication failures" | wc -l
2215

What's letting 2215 failures slip through?

Thanks,
Charles
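The following is an added example for this thread, not code from sshguard or from the poster. It shows one way to do the pid matching the post asks about: the "Disconnecting: Too many authentication failures for root [preauth]" lines above carry no client address at all, so they can only be tied to a source IP through another line written by the same sshd child pid (a "Failed password ... from <ip>" or "Received disconnect from <ip>" line). The script walks a log once, keeps a pid-to-IP map, attributes each lockout where it can, counts the ones it cannot, and skips a monitoring range the way the poster's `bzgrep -v "10.99.88.xx"` does. The sample log is constructed to resemble the excerpt (hostname, the 218.28.26.59 address and the 10.99.88.x range are from the post; pids, ports, timestamps and the second address 203.0.113.7 are invented).

```python
"""Attribute sshd 'Too many authentication failures' events to a source IP.

Added example for the sshguard-users thread; not sshguard's own matcher.
Assumes OpenSSH syslog lines of the shape 'sshd[<pid>]: <message>' where the
lockout message itself has no address, so attribution goes via the pid.
"""
import re
from collections import Counter

# Constructed sample log (not the poster's real auth.log). pids, ports,
# timestamps and 203.0.113.7 are made up; 10.99.88.5 stands in for the
# nagios check host the poster filters out.
SAMPLE_LOG = """\
Mar 17 13:51:10 h26 sshd[20882]: Failed password for root from 218.28.26.59 port 44112 ssh2
Mar 17 13:51:17 h26 sshd[20882]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:19 h26 sshd[20884]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:19 h26 sshd[20886]: Failed publickey for root from 218.28.26.59 port 44120 ssh2
Mar 17 13:51:19 h26 sshd[20886]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:51:20 h26 sshd[20899]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:20 h26 sshd[20894]: Received disconnect from 218.28.26.59: 11: [preauth]
Mar 17 13:51:25 h26 sshd[20910]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 17 13:51:26 h26 sshd[20910]: Disconnecting: Too many authentication failures for root [preauth]
Mar 17 13:52:00 h26 sshd[20950]: Received disconnect from 10.99.88.5: 11: disconnected by user [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FROM_IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
TOO_MANY = "Disconnecting: Too many authentication failures"
RECV_DISC = "Received disconnect from"


def parse_line(line):
    """Return (pid, message, ip_or_None) for an sshd syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ipm = FROM_IP_RE.search(msg)
    return int(m.group("pid")), msg, (ipm.group("ip") if ipm else None)


def attribute_failures(log_text, ignore_prefixes=()):
    """Single pass over the log. Returns a dict with
    too_many:     Counter of lockouts per source IP (attributed via pid)
    unattributed: lockouts whose pid never logged an address-bearing line
    disconnects:  Counter of 'Received disconnect from' lines per IP
    Addresses starting with any of ignore_prefixes are dropped entirely.
    """
    pid_ip = {}               # sshd child pid -> client IP seen for it
    too_many = Counter()
    disconnects = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, msg, ip = parsed
        if ip is not None:
            if ip.startswith(tuple(ignore_prefixes)):
                pid_ip.pop(pid, None)
                continue
            pid_ip[pid] = ip  # remember who this child is talking to
        if TOO_MANY in msg:
            # The lockout line has no address; use (and forget, since pids
            # get recycled) whatever this pid logged earlier.
            src = pid_ip.pop(pid, None)
            if src is None:
                unattributed += 1
            else:
                too_many[src] += 1
        elif msg.startswith(RECV_DISC) and ip is not None:
            # Reason code 11 is SSH_DISCONNECT_BY_APPLICATION: the client
            # closed the session itself rather than being cut off by sshd.
            disconnects[ip] += 1
            pid_ip.pop(pid, None)
    return {"too_many": too_many, "unattributed": unattributed,
            "disconnects": disconnects}


def offenders(stats, threshold):
    """Source IPs with at least `threshold` attributed lockouts."""
    return sorted(ip for ip, n in stats["too_many"].items() if n >= threshold)


if __name__ == "__main__":
    s = attribute_failures(SAMPLE_LOG, ignore_prefixes=("10.99.88.",))
    print("lockouts per IP:   ", dict(s["too_many"]))
    print("unattributable:    ", s["unattributed"])
    print("disconnects per IP:", dict(s["disconnects"]))
    print("over threshold 2:  ", offenders(s, 2))
```

The `unattributed` count is the interesting number when running this over a real log: every lockout that lands there came from a pid whose only other lines (if any) carried no address, which is exactly the situation a per-IP blocker cannot act on. Raising sshd's LogLevel so that each failed attempt is logged with its source, or matching on a different line that does carry the address, is what makes those lockouts attributable.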