From: Reshey <re...@gm...> - 2017-01-24 16:05:34

New to this mailing list thing, sorry if I sent it two times.

Thank you for your reply. I got sshguard working in OpenBSD 6.0. It seems the problem was that I had enforced key-based login for ssh.

Question: Is it possible for sshguard to ban a bruteforcer while password login is disabled? sshguard bans a user who fails password login, but does nothing to bruteforcers who are trying while password login is disabled.

Attached log:

# I hammer the server from PuTTY, with no key file. sshd is set to ONLY accept key-based login. sshguard does not ban this "attacker".
Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]
Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:16 wall sshd[25553]: Disconnected from 176.11.88.222 port 49903 [preauth]
Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:21 wall sshd[78292]: Disconnected from 176.11.88.222 port 49904 [preauth]
Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:25 wall sshd[61028]: Disconnected from 176.11.88.222 port 49905 [preauth]
Jan 24 16:03:28 wall sshd[47277]: Received disconnect from 176.11.88.222 port 49907:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:28 wall sshd[47277]: Disconnected from 176.11.88.222 port 49907 [preauth]
Jan 24 16:03:31 wall sshd[3940]: Received disconnect from 176.11.88.222 port 49908:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:31 wall sshd[3940]: Disconnected from 176.11.88.222 port 49908 [preauth]
Jan 24 16:03:34 wall sshd[94581]: Received disconnect from 176.11.88.222 port 49909:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:34 wall sshd[94581]: Disconnected from 176.11.88.222 port 49909 [preauth]
Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]
Jan 24 16:03:40 wall sshd[31923]: Received disconnect from 176.11.88.222 port 49910:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:40 wall sshd[31923]: Disconnected from 176.11.88.222 port 49910 [preauth]
Jan 24 16:03:46 wall sshd[13880]: Received disconnect from 176.11.88.222 port 49911:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:46 wall sshd[13880]: Disconnected from 176.11.88.222 port 49911 [preauth]
Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]
Jan 24 16:04:50 wall sshd[80716]: Disconnected from 123.183.209.132 port 53406 [preauth]

# I then changed sshd to accept password login, and restarted sshd.
Jan 24 16:05:22 wall sshd[75937]: Received signal 15; terminating.
Jan 24 16:05:22 wall sshd[73886]: Server listening on 0.0.0.0 port 22.
Jan 24 16:05:22 wall sshd[73886]: Server listening on :: port 22.

# I continue to hammer the server from PuTTY. Now sshguard bans the "attacker".
Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 176.11.88.222 port 49945 ssh2
Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 176.11.88.222 port 49945:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:06 wall sshd[75413]: Disconnected from 176.11.88.222 port 49945 [preauth]
Jan 24 16:06:06 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:07 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 176.11.88.222 port 49946 ssh2
Jan 24 16:06:09 wall sshd[35947]: Received disconnect from 176.11.88.222 port 49946:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:09 wall sshd[35947]: Disconnected from 176.11.88.222 port 49946 [preauth]
Jan 24 16:06:12 wall sshd[18262]: Received disconnect from 123.183.209.132 port 61962:11: [preauth]
Jan 24 16:06:12 wall sshd[18262]: Disconnected from 123.183.209.132 port 61962 [preauth]
Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 176.11.88.222 port 49947 ssh2
Jan 24 16:06:12 wall sshd[29005]: Received disconnect from 176.11.88.222 port 49947:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:12 wall sshd[29005]: Disconnected from 176.11.88.222 port 49947 [preauth]
Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 176.11.88.222 port 49948 ssh2
Jan 24 16:06:15 wall sshd[22704]: Received disconnect from 176.11.88.222 port 49948:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:15 wall sshd[22704]: Disconnected from 176.11.88.222 port 49948 [preauth]
Jan 24 16:06:15 wall sshguard[42310]: Blocking 176.11.88.222:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s)

On Sun, Jan 22, 2017 at 11:54 PM, <li...@la...> wrote:
> Ha, I am the only legitimate client. ;-) Besides, if I don't support the
> standard, nothing will get through. I caught some OVH VPS hammering my
> email server with outmoded crypto, which was related to POODLE and/or
> Heartbleed.
> http://disablessl3.com/
>
> SHA1 is out of favor these days. Commercially they won't issue certs with
> SHA1.
> http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/
>
> One of those Chinese CAs was "illegally" (as if certs have any legal
> standing) issuing SHA1 certs. WoSign I think.
>
> My philosophy is if someone is doing goofy stuff, block them. Today you
> can repel them, but tomorrow there may be a zero day. In any event, these
> clowns can flood a service.
>
> I've been reluctant to use the ipfw table 22 that sshguard generates for
> anything other than port 22, but I think I will add Web and email rules.
> Just not port 25, because that would probably block some legitimate email.
>
> I have a number of blocks on email ports other than port 25, and some days
> block 30 or so IP addresses trying to hack the ports. I traced one supposed
> hacker to a (cough cough) research team claiming to be doing a survey on
> email ports. They provided CIDRs, so I guess they were really doing
> research. On the other hand, the University of Michigan attempts to mess
> with my IMAP on a daily basis, and attempts to contact them via email go
> nowhere. Obviously they get firewall-blocked now, except on 25.
>
>
> Original Message
> From: Daniel Aleksandersen
> Sent: Sunday, January 22, 2017 1:55 PM
> To: ssh...@li...
> Subject: Re: [SSHGuard-users] Auth error ignored by sshguard
>
> On Sun, Jan 22, 2017, at 11:53, li...@la... wrote:
> > From FreeBSD auth.log:
> > ----------------------------------
> > Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with
> > 198.50.142.115 port 57860: no matching key exchange method found. Their
> > offer: diffie-hellman-group1-sha1 [preauth]
> > ---------------------
> > I suppose this is an odd case for an ssh login attempt, but I figured
> > I'd post it for what it is worth. Sshguard didn't block the IP. Now I
> > suppose you can say if the key exchange method isn't supported, they
> > will never get in, but it seems to me that could leave the system open
> > to some exploit.
>
> Hm. Wouldn't that potentially block some legitimate clients that are
> trying to negotiate a connection?
>
> > I'm still on rev 1.7.
> >
> > IP is OVH. Oh, I'm shocked. ;-)
> --
> Daniel Aleksandersen
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
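An added illustration of the scoring gap both posts in this thread run into, written for this page and not sshguard's own code or log parser. It scores sshd lines the way a brute-force blocker does and lets you opt in to the two event classes sshguard ignored above: a client that disconnects at [preauth] without ever offering a password (what you see with PasswordAuthentication off), and a key-exchange failure like the diffie-hellman-group1-sha1 line. The sample log is constructed from the lines quoted in the thread (the four kex lines from 198.50.142.115 are made up; the post showed only one). Threshold 40 and 10 danger per attack are taken from the "40 danger in 4 attacks" block line above; the 120-second reset window and the per-PID de-duplication are assumptions of this example, not sshguard behaviour.

```python
"""Score sshd auth.log lines like a brute-force blocker, with switches for
pre-auth disconnects and key-exchange failures.  Example code for this
thread, not sshguard's implementation."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the OpenBSD/FreeBSD sshd lines quoted above.
SAMPLE_LOG = """\
Jan 22 04:16:13 theranch sshd[48754]: fatal: Unable to negotiate with 198.50.142.115 port 57860: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 22 04:16:15 theranch sshd[48760]: fatal: Unable to negotiate with 198.50.142.115 port 57861: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 22 04:16:18 theranch sshd[48771]: fatal: Unable to negotiate with 198.50.142.115 port 57862: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 22 04:16:20 theranch sshd[48779]: fatal: Unable to negotiate with 198.50.142.115 port 57863: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 24 16:03:12 wall sshd[99571]: Received disconnect from 176.11.88.222 port 49902:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:12 wall sshd[99571]: Disconnected from 176.11.88.222 port 49902 [preauth]
Jan 24 16:03:16 wall sshd[25553]: Received disconnect from 176.11.88.222 port 49903:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:16 wall sshd[25553]: Disconnected from 176.11.88.222 port 49903 [preauth]
Jan 24 16:03:21 wall sshd[78292]: Received disconnect from 176.11.88.222 port 49904:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:21 wall sshd[78292]: Disconnected from 176.11.88.222 port 49904 [preauth]
Jan 24 16:03:25 wall sshd[61028]: Received disconnect from 176.11.88.222 port 49905:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:03:25 wall sshd[61028]: Disconnected from 176.11.88.222 port 49905 [preauth]
Jan 24 16:03:35 wall sshd[61363]: Connection closed by 123.183.209.132 port 64750 [preauth]
Jan 24 16:04:50 wall sshd[80716]: Received disconnect from 123.183.209.132 port 53406:11: [preauth]
Jan 24 16:04:50 wall sshd[80716]: Disconnected from 123.183.209.132 port 53406 [preauth]
Jan 24 16:06:06 wall sshd[75413]: Failed password for xxx from 176.11.88.222 port 49945 ssh2
Jan 24 16:06:06 wall sshd[75413]: Received disconnect from 176.11.88.222 port 49945:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:06 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:07 wall sshd[18262]: Failed password for root from 123.183.209.132 port 61962 ssh2
Jan 24 16:06:09 wall sshd[35947]: Failed password for xxx from 176.11.88.222 port 49946 ssh2
Jan 24 16:06:09 wall sshd[35947]: Received disconnect from 176.11.88.222 port 49946:11: Normal Shutdown, Thank you for playing [preauth]
Jan 24 16:06:12 wall sshd[18262]: Received disconnect from 123.183.209.132 port 61962:11: [preauth]
Jan 24 16:06:12 wall sshd[29005]: Failed password for xxx from 176.11.88.222 port 49947 ssh2
Jan 24 16:06:15 wall sshd[22704]: Failed password for xxx from 176.11.88.222 port 49948 ssh2
"""

HEAD = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
PATTERNS = {
    "failed_password": re.compile(HEAD + r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    "preauth_disconnect": re.compile(HEAD + r"Received disconnect from (?P<ip>\S+) port \d+:\d+: .*\[preauth\]$"),
    "kex_failure": re.compile(HEAD + r"fatal: Unable to negotiate with (?P<ip>\S+) port \d+: no matching key exchange method found"),
}


def analyze(log_text, count_preauth=False, count_kex=False,
            threshold=40, danger=10, window=120):
    """Return {ip: (danger, attacks, span_seconds)} for each IP that crosses
    the threshold.  Lines are processed in order; once an IP is blocked its
    later lines are ignored, as they would be behind a firewall rule."""
    state = defaultdict(lambda: {"danger": 0, "attacks": 0, "first": None, "last": None})
    blocked = {}
    failed_pids = set()  # sshd children that already logged an auth failure
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                break
        else:
            continue  # not an event we score (e.g. "Connection closed by")
        ip, pid = m.group("ip"), m.group("pid")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        if kind == "failed_password":
            failed_pids.add(pid)
        elif kind == "preauth_disconnect":
            # Opt-in only: a rejected key from a legitimate client logs the same
            # line.  Also skip the disconnect that follows a failed password on
            # the same child, or every password failure would count twice.
            if not count_preauth or pid in failed_pids:
                continue
        elif kind == "kex_failure" and not count_kex:
            continue
        if ip in blocked:
            continue
        s = state[ip]
        if s["last"] is not None and (ts - s["last"]).total_seconds() > window:
            s.update(danger=0, attacks=0, first=None)  # assumed: idle gap resets score
        if s["first"] is None:
            s["first"] = ts
        s["last"] = ts
        s["danger"] += danger
        s["attacks"] += 1
        if s["danger"] >= threshold:
            blocked[ip] = (s["danger"], s["attacks"], int((ts - s["first"]).total_seconds()))
    return blocked


if __name__ == "__main__":
    for opts in ({}, {"count_preauth": True}, {"count_kex": True}):
        print(opts or "defaults", analyze(SAMPLE_LOG, **opts))
```

With the defaults only "Failed password" counts, so 176.11.88.222 is blocked exactly as the post's sshguard line reports (40 danger, 4 attacks, 9 seconds) and nothing happens during the key-only phase. With count_preauth=True the same host is blocked at its fourth pre-auth disconnect at 16:03:25, before password login was ever enabled; 123.183.209.132 stays under the threshold because its later disconnect belongs to a child that already logged a failure. With count_kex=True the 198.50.142.115 kex failures block too. Both switches default off for the reason Daniel raises: a legitimate client whose key was refused, or an old client offering only group1-sha1, produces identical lines, so if you enable them consider a higher threshold or a lower per-event danger for those classes.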