[SSHGuard-users] Scoring problems

[Frank S. <fst...@bi...>]

Hi,

trying to make my sshguard config valid against the currently running
ssh attacks I stepped again on the problem of multiple counts of the
same action with ssh.

Here's an example. Our ssh config has MaxAuthTries=3. Invalid ssh keys
are counted as failed try and our default is that every user has one
key for hosts inside our network. For some hosts keys are not allowed,
so ssh will accept two password tries to login.

Assuming that both are wrong, here's what journalctl shows:

Sep 26 16:14:33 galois sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:36 myhost sshd[19431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=someuser
Sep 26 16:14:38 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
Sep 26 16:14:38 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
Sep 26 16:14:38 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:38 myhost sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:38 myhost sshd[19434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=someuser
Sep 26 16:14:40 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
Sep 26 16:14:40 myhost sshd[19429]: Failed keyboard-interactive/pam for someuser from x.x.x.x port 39022 ssh2
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:40 myhost sshd[19429]: error: maximum authentication attempts exceeded for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:40 myhost sshd[19429]: Disconnecting: Too many authentication failures [preauth]
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PREF
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
Sep 26 16:14:40 myhost sshguard[17898]: matched ssh_maxauth
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.


Thus, four attacks with score 10 each are counted, giving a score of 40
for two wrong passwords. That happens because in addition to the two
wrong passwords (SSH_LOGINERR_PAM, I've patched the scanner to see
which rules matched) sshguard also counts the "maximum authentication
attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam
for someuser" (SSH_LOGINERR_PREF).

This really makes it hard to configure sshguard in a reasonable way.
Two wrong ftp passwords are score 20, two wrong ssh passwords are
40. For my config it wouldn't be neccessary to count the
"failed keyboard-interactive" or the "max attempts" when I already
count each wrong password.

I saw in the comments that the rule SSH_LOGINERR_PREF was meant for
Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE
system they match both.

I see only two ways to solve this problem in general: Either you
define groups of commands that mean the same  and are only counted
as one attack. But it might  be very hard to figure out e.g which
pam messages belong to with sshd parent process if several connections
are done in parallel.

Or you allow users to define which rules should be counted with
which score in the config file. E.g. setting sth. likle this
in sshguard.conf:

SSH_LOGINERR_PREF=0
SSH_MAXAUTH=3

That would sshguard cause to ignore the "Failed keyboard-interactive/pam"
and counting the "max attempt" message with score 3 only.

This would allow every admin to adjust scoring to his/her specific
needs, even different settings for several hosts.

cu,
Frank


-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *