From: Frank S. <fst...@bi...> - 2018-09-26 14:56:42
Hi,

trying to make my sshguard config valid against the currently running ssh attacks I stepped again on the problem of multiple counts of the same action with ssh. Here's an example. Our ssh config has MaxAuthTries=3. Invalid ssh keys are counted as a failed try and our default is that every user has one key for hosts inside our network. For some hosts keys are not allowed, so ssh will accept two password tries to login. Assuming that both are wrong, here's what journalctl shows:

  Sep 26 16:14:33 galois sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
  Sep 26 16:14:36 myhost sshd[19431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
  Sep 26 16:14:38 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
  Sep 26 16:14:38 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
  Sep 26 16:14:38 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
  Sep 26 16:14:38 myhost sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
  Sep 26 16:14:38 myhost sshd[19434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
  Sep 26 16:14:40 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
  Sep 26 16:14:40 myhost sshd[19429]: Failed keyboard-interactive/pam for someuser from x.x.x.x port 39022 ssh2
  Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
  Sep 26 16:14:40 myhost sshd[19429]: error: maximum authentication attempts exceeded for someuser from x.x.x.x port 39022 ssh2 [preauth]
  Sep 26 16:14:40 myhost sshd[19429]: Disconnecting: Too many authentication failures [preauth]
  Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
  Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
  Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PREF
  Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
  Sep 26 16:14:40 myhost sshguard[17898]: matched ssh_maxauth
  Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
  Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.

Thus, four attacks with score 10 each are counted, giving a score of 40 for two wrong passwords. That happens because in addition to the two wrong passwords (SSH_LOGINERR_PAM; I've patched the scanner to see which rules matched) sshguard also counts the "maximum authentication attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam for someuser" (SSH_LOGINERR_PREF).

This really makes it hard to configure sshguard in a reasonable way. Two wrong ftp passwords are score 20, two wrong ssh passwords are 40. For my config it wouldn't be necessary to count the "failed keyboard-interactive" or the "max attempts" when I already count each wrong password. I saw in the comments that the rule SSH_LOGINERR_PREF was meant for Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE system they match both.

I see only two ways to solve this problem in general: Either you define groups of commands that mean the same and are only counted as one attack. But it might be very hard to figure out e.g. which pam messages belong to which sshd parent process if several connections are done in parallel. Or you allow users to define which rules should be counted with which score in the config file. E.g. setting sth. like this in sshguard.conf:

  SSH_LOGINERR_PREF=0
  SSH_MAXAUTH=3

That would cause sshguard to ignore the "Failed keyboard-interactive/pam" and count the "max attempt" message with score 3 only. This would allow every admin to adjust scoring to his/her specific needs, even different settings for several hosts.

cu,
Frank

--
Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17 Phone: +49 89 2180-4049
80333 Muenchen, Germany Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
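The following is an added example, not sshguard's code and not part of the original post. It illustrates the second proposal above (per-rule scores read from a config file) on log lines modelled after the journalctl excerpt: the rule names are those named in the post, but the regular expressions, the parse_scores and score_lines functions, the DEFAULT_SCORE constant and the sample lines (with a constructed 192.0.2.10 address in place of x.x.x.x) are all assumptions made for this illustration. With default scores it reproduces the 40 points for two wrong passwords that the post complains about; with SSH_LOGINERR_PREF=0 and SSH_MAXAUTH=3 the same connection scores 23.

```python
"""Per-rule scoring of sshd failure messages (hypothetical, not sshguard's code)."""
import re

# Constructed sample modelled on the journalctl excerpt in the post: one sshd
# connection (PID 19429), two wrong passwords, MaxAuthTries=3. The address is
# a documentation-range placeholder for the post's x.x.x.x.
LOG_LINES = [
    "Sep 26 16:14:38 myhost sshd[19429]: error: PAM: Authentication failure for someuser from 192.0.2.10",
    "Sep 26 16:14:38 myhost sshd[19429]: Postponed keyboard-interactive for someuser from 192.0.2.10 port 39022 ssh2 [preauth]",
    "Sep 26 16:14:40 myhost sshd[19429]: error: PAM: Authentication failure for someuser from 192.0.2.10",
    "Sep 26 16:14:40 myhost sshd[19429]: Failed keyboard-interactive/pam for someuser from 192.0.2.10 port 39022 ssh2",
    "Sep 26 16:14:40 myhost sshd[19429]: error: maximum authentication attempts exceeded for someuser from 192.0.2.10 port 39022 ssh2 [preauth]",
    "Sep 26 16:14:40 myhost sshd[19429]: Disconnecting: Too many authentication failures [preauth]",
]

# Rule names follow the post; the patterns are simplified re-implementations
# written for this example, not sshguard's own attack grammar.
RULES = {
    "SSH_LOGINERR_PAM": re.compile(
        r"sshd\[\d+\]: error: PAM: Authentication failure for \S+ from (?P<addr>\S+)$"),
    "SSH_LOGINERR_PREF": re.compile(
        r"sshd\[\d+\]: Failed \S+ for \S+ from (?P<addr>\S+) port \d+"),
    "SSH_MAXAUTH": re.compile(
        r"sshd\[\d+\]: error: maximum authentication attempts exceeded for \S+ from (?P<addr>\S+) port \d+"),
}

DEFAULT_SCORE = 10  # the "danger 10" every match gets in the excerpt


def parse_scores(conf_text):
    """Parse 'RULE=score' lines (the syntax proposed in the post) into a dict.

    Comments after '#' and blank lines are skipped; unknown rule names and
    non-numeric values are ignored rather than aborting. A score of 0 means
    the rule is matched but not counted.
    """
    scores = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in RULES and val.isdigit():
            scores[key] = int(val)
    return scores


def score_lines(lines, scores=None):
    """Score log lines per source address using the configured rule weights.

    Returns ({addr: total_score}, [(rule, addr, score), ...]). Each line can
    match at most one rule; rules weighted 0 are skipped entirely.
    """
    scores = scores or {}
    totals = {}
    matches = []
    for line in lines:
        for name, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            score = scores.get(name, DEFAULT_SCORE)
            if score > 0:
                addr = m.group("addr")
                totals[addr] = totals.get(addr, 0) + score
                matches.append((name, addr, score))
            break  # one rule per line, as in the post's per-line matching
    return totals, matches


if __name__ == "__main__":
    for label, conf in (("defaults", ""), ("tuned", "SSH_LOGINERR_PREF=0\nSSH_MAXAUTH=3\n")):
        totals, matches = score_lines(LOG_LINES, parse_scores(conf))
        print(label, totals, [m[0] for m in matches])
```

Running the block prints the per-address totals under both configurations; the point is that the number of log lines per failed login stays the same, but the admin decides which of them carry weight.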