From: <jo...@te...> - 2014-05-20 23:46:58
On Sun, 18 May 2014 22:31:40 +0200, Anders Bergh <an...@gm...> wrote:
> May 7 08:28:26 vm sshd[15657]: Connection closed by 83.191.86.213 [preauth]
> Reading a token: --accepting rule at line 110 ("May 7 08:28:26 vm sshd[15657]: ")
As can be seen, sshguard will not react to these messages. I think
this was the reason for your initial post :)
Having sshguard in debug, though, enables one to see why. It did not take
much time to make it work with those sshd messages which, if made
furiously, could afterwards provoke some resource stealing.
Thing is, I made it using the sshguard that I already modified for other
uses. I think it could be good to have support for that type of
message in the official release, but it looks like sshguard upstream is
not maintained. Nor is this mailing list read by the
author/maintainer. Tell me if I'm wrong.
I will certainly include it in the personalized sshguard I'm working on.
So here's the recipe to make it work. It's not a formal diff, sorry.
It starts with a working demo in two parts, followed by the
code modifications to add. I defined '[preauth]' as something lex can
return.
A) Demo: one try
[...]
Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 7 08:28:26 vm sshd[15657]: Connection closed by 83.191.86.213 [preauth]
[...]
Cleanup: popping token $end ()
Cleanup: popping nterm text ()
Matched address 83.191.86.213:4 attacking service 100, dangerousness 10.
B) Demo: after a few copy/pastes of the same log msg
Matched address 83.191.86.213:4 attacking service 100, dangerousness 10.
Purging stale attackers.
First abuse of '83.191.86.213', adding to offenders list.
Offender '83.191.86.213:4' scored 40 danger in 1 abuses.
Blocking 83.191.86.213:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Setting environment: SSHG_ADDR=83.191.86.213;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
C) Code modifications in three parts, then recompile.
1) attack_parser.h
Add the two token values to the generated enum and its #defines:
    enum yytokentype
    {
    [...]
        SSH_NOLOGIN = 280,
        SSHPREAUTH = 281,
    [...]
    #define SSH_NOLOGIN 280
    #define SSHPREAUTH 281
2) attack_scanner.l
Add ssh_nologin to the start conditions:
    %s ssh_notallowed ssh_loginerr ssh_reversemap ssh_nologin
Add recognition of the extra string:
    \[preauth\]    return SSHPREAUTH;
Add the parsing rule:
    /* SSH: initiates a connection but terminates without login */
    "Connection closed by "    { return SSH_NOLOGIN; }
3) attack_scanner.y
Add the tokens:
    %token SSH_NOLOGIN SSHPREAUTH
Add to the sshmsg definitions:
    sshmsg:
    [...]
        | ssh_nologin
        ;
Add the syntax:
    ssh_nologin:
        SSH_NOLOGIN addr SSHPREAUTH
        ;
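The recipe above teaches sshguard's lex/yacc grammar to match "Connection closed by <addr> [preauth]" and then relies on sshguard's normal scoring (dangerousness per match, the -a threshold, stale purging) to reach the block shown in demo B. The following Python is an added illustration of that same pipeline outside sshguard, not code from the post or from the sshguard project: it recognises the new message with a regex in place of the lex rule, keeps a per-address danger tally, and reports a block once the tally reaches the threshold. The log lines are constructed (the address is the one from the poster's demo; the "Accepted publickey" line is a non-matching filler), the year is assumed because syslog timestamps carry none, and the block length formula (420 s growing 1.5x per abuse, giving the demo's 630 s on the first abuse) is an assumption modelled on the demo output rather than sshguard's exact code.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Syslog envelope written by sshd: "<Mon dd hh:mm:ss> <host> sshd[<pid>]: <msg>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<msg>.*)$"
)
# The message the post adds to the grammar: SSH_NOLOGIN addr SSHPREAUTH.
PREAUTH_CLOSE_RE = re.compile(
    r"^Connection closed by (?P<addr>[0-9a-fA-F.:]+) \[preauth\]$"
)

DANGER = 10            # dangerousness per matched message (demo output)
ATTACK_THRESHOLD = 40  # sshguard -a, the demo's a=40
PARDON_SECS = 420      # sshguard -p, the demo's p=420
STALE_SECS = 1200      # sshguard -s, the demo's s=1200
LOG_YEAR = 2014        # assumption: syslog timestamps have no year


def parse_line(line):
    """Return (timestamp, attacker address) for a pre-auth disconnect, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = PREAUTH_CLOSE_RE.match(m.group("msg"))
    if not a:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, a.group("addr")


@dataclass
class Block:
    addr: str
    seconds: int     # how long to block
    danger: int      # danger accumulated in this abuse
    attacks: int     # matched messages in this abuse
    span_secs: int   # first to last attack of this abuse
    abuses: int      # how many times this address has now been blocked


@dataclass
class Attacker:
    first_seen: datetime
    last_seen: datetime
    danger: int = 0
    attacks: int = 0


class Scoreboard:
    """Per-address danger tally with stale purging and threshold blocking."""

    def __init__(self, threshold=ATTACK_THRESHOLD, pardon=PARDON_SECS, stale=STALE_SECS):
        self.threshold, self.pardon, self.stale = threshold, pardon, stale
        self.attackers = {}  # addr -> open Attacker tally
        self.abuses = {}     # addr -> number of blocks so far

    def observe(self, ts, addr, danger=DANGER) -> Optional[Block]:
        att = self.attackers.get(addr)
        # An address idle longer than the stale time starts a fresh tally.
        if att is None or (ts - att.last_seen).total_seconds() > self.stale:
            att = Attacker(first_seen=ts, last_seen=ts)
            self.attackers[addr] = att
        att.last_seen = ts
        att.danger += danger
        att.attacks += 1
        if att.danger < self.threshold:
            return None
        abuses = self.abuses.get(addr, 0) + 1
        self.abuses[addr] = abuses
        span = int((ts - att.first_seen).total_seconds())
        del self.attackers[addr]  # the tally resets once the address is blocked
        # Assumption: block length grows 1.5x per abuse (420 * 1.5 = 630 s, as in demo B).
        return Block(addr, int(self.pardon * 1.5 ** abuses), att.danger, att.attacks, span, abuses)


def replay(lines, board=None):
    """Feed log lines through the parser and scoreboard; return the blocks decided."""
    board = board or Scoreboard()
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            block = board.observe(*parsed)
            if block is not None:
                blocks.append(block)
    return blocks


# Constructed sample: four pre-auth disconnects over 7 seconds, plus one unrelated line.
SAMPLE_LOG = [
    "May  7 08:28:26 vm sshd[15657]: Connection closed by 83.191.86.213 [preauth]",
    "May  7 08:28:28 vm sshd[15660]: Connection closed by 83.191.86.213 [preauth]",
    "May  7 08:28:29 vm sshd[15662]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2",
    "May  7 08:28:30 vm sshd[15663]: Connection closed by 83.191.86.213 [preauth]",
    "May  7 08:28:33 vm sshd[15665]: Connection closed by 83.191.86.213 [preauth]",
]

if __name__ == "__main__":
    for b in replay(SAMPLE_LOG):
        print(f"Blocking {b.addr} for >{b.seconds}secs: {b.danger} danger in "
              f"{b.attacks} attacks over {b.span_secs} seconds (abuse #{b.abuses})")
```

Running the script reproduces the shape of demo B's decision line (40 danger in 4 attacks over 7 seconds, block for 630 s). Because a pre-auth disconnect is also what a port scanner or a connectivity check leaves behind, the per-message weight is kept as a parameter of observe() so it can be set lower than the other sshd patterns if that turns out to be too aggressive on a given host.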