From: Mark F. <fe...@fe...> - 2015-01-26 17:04:45
On Mon, Jan 26, 2015, at 03:03, Vjaceslavs Klimovs wrote:
> Hi Kevin,
> I have discovered an additional problem. It seems whatever pattern is supposed
> to catch that case only matches when the bot presents some username, like
> this one:
>
> Jan 26 00:50:14 pulley sshd[5378]: SSH: Server;Ltype: Version;Remote: 72.14.226.9-57385;Protocol: 2.0;Client: OpenSSH_6.6.1
> Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Kex;Remote: 72.14.226.9-57385;Enc: aes128-ctr;MAC: hma...@op...;Comp: none [preauth]
> Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Authname;Remote: 72.14.226.9-57385;Name: vklimovs [preauth]
> Jan 26 00:50:15 pulley sshd[5378]: Invalid user vklimovs from 72.14.226.9
> Jan 26 00:50:15 pulley sshd[5378]: input_userauth_request: invalid user vklimovs [preauth]
> Jan 26 00:50:15 pulley sshd[5378]: Connection closed by 72.14.226.9 [preauth]
>
> That gets detected successfully. However, actual bots do not present any
> username at all; they drop at the preauth phase, presumably upon learning that
> keyboard-interactive is not supported:
>
> Jan 26 00:58:27 pulley sshd[7061]: SSH: Server;Ltype: Version;Remote: 103.41.124.17-57034;Protocol: 2.0;Client: PUTTY
> Jan 26 00:58:27 pulley sshd[7061]: SSH: Server;Ltype: Kex;Remote: 103.41.124.17-57034;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
> Jan 26 00:58:28 pulley sshd[7061]: SSH: Server;Ltype: Authname;Remote: 103.41.124.17-57034;Name: root [preauth]
> Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]
>
> That's all they leave in the logs (no "Invalid user" and
> "input_userauth_request:" lines), and that does not get detected.
>
> Presumably, the second case should be detected too?

I could see that blocking monitoring tools which are checking for the SSH banner. However, you should probably have those addresses whitelisted if possible...
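The two log shapes quoted above, and the banner-check concern raised in the reply, can be reconciled by correlating lines per sshd child (the pid in `sshd[NNNN]`) instead of matching a single line. The example below is added here for illustration; it is not code from either poster nor from any filter shipped by a project. It assumes the log format shown in the mail (the `SSH: Server;Ltype: ...` audit lines plus the standard `Invalid user` / `Received disconnect` / `Connection closed` messages). The first two sample connections are the ones from the mail; the third, from 192.0.2.10, is a constructed banner-only probe that never sends a username and so must not be counted.

```python
"""Per-connection correlation of sshd log lines.

A connection counts as a failure when it names a user and then ends at the
preauth stage, whether or not sshd also printed "Invalid user".  A connection
that ends at preauth without ever naming a user (a banner check, a monitoring
probe) is ignored, and whitelisted addresses are never counted.
"""
import re
from collections import namedtuple

# Constructed sample log.  pids 5378 and 7061 are the exchanges quoted in the
# mail above; pid 7100 (192.0.2.10, a documentation address) is a hypothetical
# banner-only probe that must NOT produce a hit.
SAMPLE_LOG = """\
Jan 26 00:50:14 pulley sshd[5378]: SSH: Server;Ltype: Version;Remote: 72.14.226.9-57385;Protocol: 2.0;Client: OpenSSH_6.6.1
Jan 26 00:50:15 pulley sshd[5378]: SSH: Server;Ltype: Authname;Remote: 72.14.226.9-57385;Name: vklimovs [preauth]
Jan 26 00:50:15 pulley sshd[5378]: Invalid user vklimovs from 72.14.226.9
Jan 26 00:50:15 pulley sshd[5378]: input_userauth_request: invalid user vklimovs [preauth]
Jan 26 00:50:15 pulley sshd[5378]: Connection closed by 72.14.226.9 [preauth]
Jan 26 00:58:27 pulley sshd[7061]: SSH: Server;Ltype: Version;Remote: 103.41.124.17-57034;Protocol: 2.0;Client: PUTTY
Jan 26 00:58:28 pulley sshd[7061]: SSH: Server;Ltype: Authname;Remote: 103.41.124.17-57034;Name: root [preauth]
Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]
Jan 26 01:02:00 pulley sshd[7100]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-40001;Protocol: 2.0;Client: banner-probe
Jan 26 01:02:00 pulley sshd[7100]: Received disconnect from 192.0.2.10: 11: [preauth]
"""

Hit = namedtuple("Hit", "ip user reason")
REASON_INVALID = "invalid user"
REASON_PREAUTH_DROP = "disconnect at preauth after sending a username"

PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERSION_RE = re.compile(r"^SSH: Server;Ltype: Version;")
AUTHNAME_RE = re.compile(
    r"^SSH: Server;Ltype: Authname;Remote: (?P<ip>[\d.]+)-\d+;Name: (?P<user>\S+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
# Both ways a preauth connection can end; the [preauth] tag is what matters.
PREAUTH_END_RE = re.compile(
    r"^(?:Received disconnect from|Connection closed by) (?P<ip>[\d.]+)[: ].*\[preauth\]")


def detect(lines, whitelist=frozenset()):
    """Return a Hit for every connection that should count as a failed attempt."""
    pending = {}   # pid -> (ip, user): a username was sent, connection still open
    hits = []
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")

        if VERSION_RE.match(msg):
            # A new connection on this pid: drop any stale state from a reused pid.
            pending.pop(pid, None)
            continue

        a = AUTHNAME_RE.match(msg)
        if a:
            pending[pid] = (a.group("ip"), a.group("user"))
            continue

        i = INVALID_RE.match(msg)
        if i:
            # The case a single-line "Invalid user" pattern already catches.
            pending.pop(pid, None)   # counted now, so the close line is not counted again
            if i.group("ip") not in whitelist:
                hits.append(Hit(i.group("ip"), i.group("user"), REASON_INVALID))
            continue

        e = PREAUTH_END_RE.match(msg)
        if e:
            ip = e.group("ip")
            tried = pending.pop(pid, None)
            if tried is None:
                # Never sent a username: banner check or monitoring probe, leave it alone.
                continue
            if ip in whitelist or tried[0] != ip:
                continue
            hits.append(Hit(ip, tried[1], REASON_PREAUTH_DROP))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

The state is keyed on the sshd child pid and cleared when a new `Version` line arrives for that pid, so a reused pid cannot inherit a stale username; a long-running tailer would additionally expire entries by time. Note the trade-off: a legitimate user who reaches the username stage and then aborts at the prompt is also counted once, which is what a retry threshold in the banning layer is for.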