From: Gregor H. <gre...@ew...> - 2025-05-14 11:09:38
Added Dropbear SSH service to the parser.
Signed-off-by: Gregor Herburger <gre...@ew...>
---
v2: adjust dangerousness for exit before auth to 2 (similar to ssh)
src/common/attack.h | 1 +
src/common/service_names.c | 1 +
src/parser/attack_parser.y | 11 +++++++++++
src/parser/attack_scanner.l | 6 ++++++
src/parser/tests.txt | 21 +++++++++++++++++++++
5 files changed, 40 insertions(+)
diff --git a/src/common/attack.h b/src/common/attack.h
index d19945cdddf4..46dfef351ab5 100644
--- a/src/common/attack.h
+++ b/src/common/attack.h
@@ -29,6 +29,7 @@ enum service {
SERVICES_SSH = 100, //< ssh
SERVICES_SSHGUARD = 110, //< SSHGuard
SERVICES_BIND = 120, //< BIND (named)
+ SERVICES_DROPBEAR = 130, //< Dropbear SSH
SERVICES_UWIMAP = 200, //< UWimap for imap and pop daemon
SERVICES_DOVECOT = 210, //< dovecot
SERVICES_CYRUSIMAP = 220, //< cyrus-imap
diff --git a/src/common/service_names.c b/src/common/service_names.c
index 174c57c7f644..beaa176a9b46 100644
--- a/src/common/service_names.c
+++ b/src/common/service_names.c
@@ -8,6 +8,7 @@ struct service_s {
static const struct service_s services[] = {
{SERVICES_SSH, "SSH"},
{SERVICES_SSHGUARD, "SSHGuard"},
+ {SERVICES_DROPBEAR, "Dropbear"},
{SERVICES_UWIMAP, "UW IMAP"},
{SERVICES_DOVECOT, "Dovecot"},
{SERVICES_CYRUSIMAP, "Cyrus IMAP"},
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 0cfc5d66a74b..1b7f72630b92 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -62,6 +62,10 @@ static void yyerror(attack_t *, const char *);
%token SSH_INVALIDFORMAT_PREF SSH_INVALIDFORMAT_SUFF
%token SSH_BADKEX_PREF SSH_BADKEX_SUFF
%token SSH_DISCONNECT_PREF SSH_CONNECTION_CLOSED SSH_PREAUTH_SUFF
+/* dropbear */
+%token DROPBEAR_BAD_PASSWORD
+%token DROPBEAR_BAD_USER
+%token DROPBEAR_EXIT_BEFORE_AUTH_PREF DROPBEAR_EXIT_BEFORE_AUTH_SUFF
/* SSHGuard */
%token SSHGUARD_ATTACK_PREF SSHGUARD_ATTACK_SUFF
%token SSHGUARD_BLOCK_PREF SSHGUARD_BLOCK_SUFF
@@ -163,6 +167,7 @@ repetition_suffix:
msg_single:
sshmsg { attack->service = SERVICES_SSH; }
+ | dropbearmsg { attack->service = SERVICES_DROPBEAR; }
| sshguardmsg { attack->service = SERVICES_SSHGUARD; }
| bindmsg { attack->service = SERVICES_BIND; }
| dovecotmsg { attack->service = SERVICES_DOVECOT; }
@@ -254,6 +259,12 @@ ssh_badkex:
SSH_BADKEX_PREF addr SSH_BADKEX_SUFF
;
+dropbearmsg:
+ DROPBEAR_BAD_PASSWORD addr ':' INTEGER
+ | DROPBEAR_BAD_USER addr ':' INTEGER
+ | DROPBEAR_EXIT_BEFORE_AUTH_PREF addr ':' INTEGER DROPBEAR_EXIT_BEFORE_AUTH_SUFF { attack->dangerousness = 2; }
+ ;
+
/* attacks and blocks from SSHGuard */
sshguardmsg:
SSHGUARD_ATTACK_PREF addr SSHGUARD_ATTACK_SUFF
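Review bot: The new `dropbearmsg` nonterminal has no header comment, while the neighbouring rule carries `/* attacks and blocks from SSHGuard */`; add one above `dropbearmsg:` such as `/* Dropbear SSH: failed password / unknown-user logins, and disconnects before authentication (lower danger) */`. It would also help a reader to say why only the third alternative sets `attack->dangerousness = 2`, e.g. `/* pre-auth exit is weaker evidence than a failed login, mirror the sshd pre-auth rule */`, since the other two alternatives inherit the default danger set elsewhere in the grammar, which is outside this hunk.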
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 9857cb3affec..6dfde151ff10 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -192,6 +192,12 @@ HTTP_LOGIN_200OK_BAD .*({WORDPRESS_LOGIN}|{TYPO3_LOGIN}|{CONTAO_LOGIN}).*
"fatal: "?"Unable to negotiate with " { BEGIN(ssh_badkex); return SSH_BADKEX_PREF; }
<ssh_badkex>(" port ".*)?[: ].*"no matching ".*" found".* { BEGIN(INITIAL); return SSH_BADKEX_SUFF; }
+[Bb]"ad "("PAM ")?"password attempt for "[^ ]+" from " { return DROPBEAR_BAD_PASSWORD; }
+[Ll]"ogin attempt for nonexistent user from" { return DROPBEAR_BAD_USER; }
+[Ee]"xit before auth from <" { return DROPBEAR_EXIT_BEFORE_AUTH_PREF; }
+">:".* { return DROPBEAR_EXIT_BEFORE_AUTH_SUFF; }
+
+
/* SSHGuard */
"Attack from \"" { BEGIN(sshguard_attack); return SSHGUARD_ATTACK_PREF; }
<sshguard_attack>"\" on service "{NUMBER}" with danger "{NUMBER}"." { BEGIN(INITIAL); return SSHGUARD_ATTACK_SUFF; }
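Review bot: The suffix rule `">:".*` is added as an unconditional INITIAL-state rule, unlike the sshd equivalent just above it, which is gated by `BEGIN(ssh_badkex)` / `<ssh_badkex>`; as written it can consume the tail of any log line in which a `>:` sequence becomes the start of a token, returning DROPBEAR_EXIT_BEFORE_AUTH_SUFF to the parser for unrelated services. Scoping it the same way the SSH rules are scoped avoids that: `[Ee]"xit before auth from <" { BEGIN(dropbear_exit); return DROPBEAR_EXIT_BEFORE_AUTH_PREF; }` and `<dropbear_exit>">:".* { BEGIN(INITIAL); return DROPBEAR_EXIT_BEFORE_AUTH_SUFF; }`, plus a `dropbear_exit` start-condition declaration in the definitions section (not in this hunk; whether the file declares these with `%x` or `%s` is not visible here, so match the existing ones). Separately, `[Ll]"ogin attempt for nonexistent user from"` omits the trailing space that the other two prefixes include; the tests pass presumably because whitespace is skipped elsewhere, but the three patterns should agree. The doubled blank line before `/* SSHGuard */` can be collapsed to one.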
diff --git a/src/parser/tests.txt b/src/parser/tests.txt
index eaba934a035a..497c34111793 100644
--- a/src/parser/tests.txt
+++ b/src/parser/tests.txt
@@ -177,6 +177,27 @@ Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20
M
# }}}
+# Dropbear {{{
+Bad password attempt for 'root' from ::ffff:1.2.3.4:55990
+130 1.2.3.4 4 10
+M
+Bad PAM password attempt for 'user23' from ::ffff:1.2.3.4:55992
+130 1.2.3.4 4 10
+M
+Login attempt for nonexistent user from 1.2.3.4:60794
+130 1.2.3.4 4 10
+M
+May 08 09:49:25 hostname dropbear[1773]: Exit before auth from <::ffff:10.42.42.135:46154>: (user 'root', 0 fails): Exited normally
+130 10.42.42.135 4 2
+M
+May 08 10:02:05 server dropbear[1977]: Exit before auth from <::ffff:10.42.63.135:50288>: Exited normally
+130 10.42.63.135 4 2
+M
+Exit before auth from <::ffff:1.2.3.4:47810>: (user 'root', 0 fails): Error reading: Connection reset by peer
+130 1.2.3.4 4 2
+M
+# }}}
+
#### Remote SSHGuard {{{
Attack from "2001:db8::a11:beef:456e" on service 100 with danger 10.
110 2001:db8::a11:beef:456e 6 10
--
2.34.1