From: Vjaceslavs K. <vkl...@gm...> - 2015-01-26 09:03:40

Hi Kevin,

I have discovered an additional problem. It seems whatever pattern is supposed to catch that case only matches when the bot presents some username, like this one:

Jan 26 00:50:14 pulley sshd[5378]: SSH: Server;Ltype: Version;Remote: 72.14.226.9-57385;Protocol: 2.0;Client: OpenSSH_6.6.1
Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Kex;Remote: 72.14.226.9-57385;Enc: aes128-ctr;MAC: hma...@op...;Comp: none [preauth]
Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Authname;Remote: 72.14.226.9-57385;Name: vklimovs [preauth]
Jan 26 00:50:15 pulley sshd[5378]: Invalid user vklimovs from 72.14.226.9
Jan 26 00:50:15 pulley sshd[5378]: input_userauth_request: invalid user vklimovs [preauth]
Jan 26 00:50:15 pulley sshd[5378]: Connection closed by 72.14.226.9 [preauth]

That gets detected successfully. However, actual bots do not present any username at all; they drop at the preauth phase, presumably upon learning that keyboard-interactive is not supported:

Jan 26 00:58:27 pulley sshd[7061]: SSH: Server;Ltype: Version;Remote: 103.41.124.17-57034;Protocol: 2.0;Client: PUTTY
Jan 26 00:58:27 pulley sshd[7061]: SSH: Server;Ltype: Kex;Remote: 103.41.124.17-57034;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
Jan 26 00:58:28 pulley sshd[7061]: SSH: Server;Ltype: Authname;Remote: 103.41.124.17-57034;Name: root [preauth]
Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]

That's all they leave in the logs (no "invalid user" and "input_userauth_request:" lines), and that does not get detected. Presumably, the second case should be detected too?

On Mon, Jan 19, 2015 at 1:08 PM, Kevin Zheng <kev...@gm...> wrote:
> Hi Vjaceslavs,
>
> On 01/19/2015 14:44, Vjaceslavs Klimovs wrote:
> > What I really meant to say is based on your advice I compiled dev
> > version and it blocks based on that pattern like a charm.
>
> I'm glad it works, thanks for testing it and reporting back!
>
> > FYI, I looked at how Gentoo compiles the binary to make sure I am not
> > missing anything important and discovered that patch
> >
> > http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-admin/sshguard/files/sshguard-1.5-day-starts-with-0.patch?view=markup
> >
> > is being applied to fix
> >
> > https://bugs.gentoo.org/show_bug.cgi?id=518988
>
> Thanks for bringing this to my attention. Unfortunately right now
> bugs/reports that are submitted wind up in what essentially amounts to a
> black hole -- a non-public bug database that nobody can see.
>
> I've applied the patch in the development repository.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
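A small log matcher for the two session shapes discussed in this thread, added here as an illustration and not sshguard's own pattern code. It assumes the "Received disconnect ... [preauth]" line can be correlated with the preceding Authname line by sshd pid; the sample input is a constructed subset of the lines quoted above plus one constructed successful login.

```python
import re

# Constructed sample: one "Invalid user" session, one preauth-disconnect
# session (the case the message says is missed), one successful login.
LOG = """\
Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Authname;Remote: 72.14.226.9-57385;Name: vklimovs [preauth]
Jan 26 00:50:15 pulley sshd[5378]: Invalid user vklimovs from 72.14.226.9
Jan 26 00:50:15 pulley sshd[5378]: Connection closed by 72.14.226.9 [preauth]
Jan 26 00:58:28 pulley sshd[7061]: SSH: Server;Ltype: Authname;Remote: 103.41.124.17-57034;Name: root [preauth]
Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]
Jan 26 01:02:00 pulley sshd[7100]: SSH: Server;Ltype: Authname;Remote: 198.51.100.7-40000;Name: alice [preauth]
Jan 26 01:02:03 pulley sshd[7100]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
"""

PID = r"sshd\[(?P<pid>\d+)\]: "
# Authname line: remembers which ip/user a pid is trying, before any outcome.
AUTHNAME = re.compile(PID + r"SSH: Server;Ltype: Authname;Remote: (?P<ip>[\d.]+)-\d+;"
                      r"Name: (?P<user>\S+) \[preauth\]")
# The line the existing pattern already catches.
INVALID_USER = re.compile(PID + r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
# Assumed extra rule: a client that disconnects while still in preauth.
PREAUTH_DISCONNECT = re.compile(PID + r"Received disconnect from (?P<ip>[\d.]+): \d+: .*\[preauth\]")


def detect_failed_logins(text):
    """Return [(ip, user, reason)] for every session that ended without authenticating."""
    hits = []
    pending = {}   # pid -> (ip, user) from the Authname line, outcome not yet seen
    done = set()   # pids already counted, so one session is never counted twice
    for line in text.splitlines():
        m = AUTHNAME.search(line)
        if m:
            pending[m["pid"]] = (m["ip"], m["user"])
            continue
        m = INVALID_USER.search(line)
        if m:
            hits.append((m["ip"], m["user"], "invalid user"))
            done.add(m["pid"])
            continue
        m = PREAUTH_DISCONNECT.search(line)
        if m and m["pid"] not in done:
            # Fall back to the ip in the disconnect line if no Authname was seen.
            ip, user = pending.pop(m["pid"], (m["ip"], None))
            hits.append((ip, user, "preauth disconnect"))
            done.add(m["pid"])
    return hits


if __name__ == "__main__":
    for ip, user, reason in detect_failed_logins(LOG):
        print(f"{ip:16} user={user!s:10} {reason}")
```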