From: Kevin Z. <kev...@gm...> - 2015-01-06 03:03:29
Hi Vjaceslavs,

On 01/05/15 19:59, Vjaceslavs Klimovs wrote:
> in the sshd config. Server has HPN patches, so full version string
> is OpenSSH_6.7p1-hpn14v5. I've noticed that sshguard no longer blocks
> bruteforce attempts (like it used to when keyboard-interactive was
> enabled). This is what appears in the logs:
>
> Jan 5 10:32:51 pulley sshd[24107]: SSH: Server;Ltype: Version;Remote:
> 103.41.124.32-48688;Protocol: 2.0;Client: PUTTY
> Jan 5 10:32:51 pulley sshd[24107]: SSH: Server;Ltype: Kex;Remote:
> 103.41.124.32-48688;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
> Jan 5 10:32:51 pulley sshd[24105]: SSH: Server;Ltype: Authname;Remote:
> 103.41.124.29-53907;Name: root [preauth]
> Jan 5 10:32:51 pulley sshd[24105]: Received disconnect from
> 103.41.124.29 <http://103.41.124.29>: 11: [preauth]
>
> Any ideas on how to achieve blocking in this case?

Attack patterns are compiled into SSHGuard, which means that adding new
signatures requires some lex/yacc changes and a recompile.

This particular signature has been added in the development version.
I've attached a patch against the latest source tarball that should
detect this. If you are able to apply this patch and recompile, let me
know how it works.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
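
The following is an added example, not part of the original message and not SSHGuard's lex/yacc parser or the attached patch: a stand-alone sketch of detection logic for the pre-auth "Received disconnect ... 11: [preauth]" line quoted above. The function name, the threshold, the window and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pre-auth disconnect line in the format quoted above. Reason code 11 is
# SSH_DISCONNECT_BY_APPLICATION (RFC 4253). The optional <...> absorbs the
# auto-link a mail client added after the address in the quoted log.
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Received disconnect from (?P<addr>[0-9A-Fa-f:.]+)(?:\s<[^>]*>)?"
    r": 11:.*\[preauth\]\s*$"
)

def offenders(lines, threshold=3, window=timedelta(seconds=60), year=2015):
    """Return {address: hits} for addresses with >= threshold pre-auth
    disconnects inside a sliding window. Syslog omits the year, so the
    caller supplies it (assumption)."""
    recent = defaultdict(deque)  # address -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = DISCONNECT.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m["addr"]))
        except ValueError:
            continue  # not a valid address: never block on unparsed text
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[addr] = max(flagged.get(addr, 0), len(q))
    return flagged

# Constructed sample lines (documentation addresses), modelled on the log above.
SAMPLE = [
    "Jan  5 10:32:51 host sshd[101]: Received disconnect from 203.0.113.7: 11:  [preauth]",
    "Jan  5 10:32:51 host sshd[102]: SSH: Server;Ltype: Authname;Remote: 203.0.113.7-53907;Name: root [preauth]",
    "Jan  5 10:32:52 host sshd[201]: Received disconnect from 198.51.100.9: 11:  [preauth]",
    "Jan  5 10:32:53 host sshd[102]: Received disconnect from 203.0.113.7: 11:  [preauth]",
    "Jan  5 10:32:58 host sshd[103]: Received disconnect from 203.0.113.7 <http://203.0.113.7>: 11: [preauth]",
    "Jan  5 10:35:00 host sshd[202]: Received disconnect from 198.51.100.9: 11:  [preauth]",
    "Jan  5 10:40:00 host sshd[203]: Received disconnect from 198.51.100.9: 11:  [preauth]",
    "Jan  5 10:40:05 host sshd[204]: Received disconnect from 198.51.100.9: 11: disconnected by user",
]
```

With the defaults, only the address that produced three pre-auth disconnects within 60 seconds is flagged; the post-auth "disconnected by user" line is ignored.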