From: Karl P. <kpi...@td...> - 2018-04-20 10:28:40
Hi,

I've recently installed sshguard 2.1.0 under FreeBSD - and it's all set up, and appears to be working fine. In the logs though I'll see entries like:

Apr 20 10:43:32 sshd2[90659]: Connection from x.x.x.x port 58942 on 192.168.1.129 port 2323
Apr 20 10:43:42 sshd2[90659]: Invalid user test from x.x.x.x
Apr 20 10:43:42 sshguard[89640]: Attack from "x.x.x.x" on service 100 with danger 10.
Apr 20 10:43:42 sshd2[90659]: Received disconnect from x.x.x.x port 58942:11: Normal Shutdown, Thank you for playing [preauth]
Apr 20 10:43:42 sshd2[90659]: Disconnected from x.x.x.x port 58942 [preauth]
Apr 20 10:43:42 sshguard[89640]: Attack from "x.x.x.x" on service 100 with danger 10.

So sshguard triggers for the 'Invalid user' line - and then, again for the 'Disconnected from' line.

Will this count as a 'danger' of 20? - Or does sshguard know / realise these are both for the same connection, so collapse them? - The logs seem to indicate they're treated as two separate things...

Thanks,

-Karl
From: Kevin Z. <kev...@gm...> - 2018-04-20 15:57:11
On 04/20/2018 03:09, Karl Pielorz wrote:
> So sshguard triggers for the 'Invalid user' line - and then, again for
> the 'Disconnected from' line.
>
> Will this count as a 'danger' of 20? - Or does sshguard know / realise
> these are both for the same connection, so collapse them? - The logs
> seem to indicate they're treated as two separate things...

No, SSHGuard currently does not.

Checking the timestamp and throwing away duplicates could possibly work, but there are also many attackers who make multiple connections in the span of one second.

I'm open to ideas on how to fix this.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
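An added example (not sshguard's code) that runs the three counting policies this thread discusses over a constructed log modelled on Karl's lines: counting every matching line, de-duplicating on the timestamp as Kevin considers, and de-duplicating on the sshd pid, which keys on the connection rather than the second. The regex shapes, the placeholder address 203.0.113.5 and the extra connections 90660/90661 are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample log modelled on the sshd2/sshguard lines quoted above (203.0.113.5 is a
# placeholder). Connection 90659 yields two matching lines; 90660 and 90661 share one second.
SAMPLE_LOG = """\
Apr 20 10:43:42 sshd2[90659]: Invalid user test from 203.0.113.5
Apr 20 10:43:42 sshd2[90659]: Received disconnect from 203.0.113.5 port 58942:11: Normal Shutdown, Thank you for playing [preauth]
Apr 20 10:43:42 sshd2[90659]: Disconnected from 203.0.113.5 port 58942 [preauth]
Apr 20 10:43:50 sshd2[90660]: Invalid user admin from 203.0.113.5
Apr 20 10:43:50 sshd2[90660]: Disconnected from 203.0.113.5 port 58950 [preauth]
Apr 20 10:43:50 sshd2[90661]: Invalid user oracle from 203.0.113.5
Apr 20 10:43:50 sshd2[90661]: Disconnected from 203.0.113.5 port 58951 [preauth]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) sshd2?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The two sshd messages the thread shows sshguard reacting to.
ATTACK_RE = re.compile(r"^(?:Invalid user \S+ from (?P<ip1>\S+)"
                       r"|Disconnected from (?P<ip2>\S+) port \d+ \[preauth\])")
DANGER = 10  # per attack, as in the quoted "danger 10" lines

def parse_attacks(log_text):
    """Yield (timestamp, sshd pid, attacker ip) for each line that would be flagged."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        a = ATTACK_RE.match(m["msg"]) if m else None
        if a:
            yield m["ts"], m["pid"], a["ip1"] or a["ip2"]

def score_by(log_text, key=None):
    """Sum DANGER per attacker ip, counting each distinct key(ts, pid, ip) once."""
    seen, score = set(), defaultdict(int)
    for n, (ts, pid, ip) in enumerate(parse_attacks(log_text)):
        k = key(ts, pid, ip) if key else n  # no key: every line is distinct
        if k not in seen:
            seen.add(k)
            score[ip] += DANGER
    return dict(score)

def score_per_line(log_text):
    """Every matching line counts: the 'danger 10' twice per connection Karl saw."""
    return score_by(log_text)

def score_per_second(log_text):
    """Kevin's timestamp idea: also merges the two same-second connections (undercounts)."""
    return score_by(log_text, lambda ts, pid, ip: (ts, ip))

def score_per_connection(log_text):
    """Key on the sshd pid: one hit per connection, same-second connections kept apart."""
    return score_by(log_text, lambda ts, pid, ip: (pid, ip))
```

On the sample, per-line scoring gives 60, per-second 20 and per-connection 30, so the pid key is the only one that neither double-counts one connection nor merges two.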
From: Jim S. <jse...@Li...> - 2018-04-20 16:33:36
On Fri, 20 Apr 2018 08:57:18 -0700 Kevin Zheng <kev...@gm...> wrote:
> On 04/20/2018 03:09, Karl Pielorz wrote:
> > So sshguard triggers for the 'Invalid user' line - and then,
> > again for the 'Disconnected from' line.
> >
> > Will this count as a 'danger' of 20? - Or does sshguard know /
> > realise these are both for the same connection, so collapse them?
> > - The logs seem to indicate they're treated as two separate
> > things...
>
> No, SSHGuard currently does not.
>
> Checking the timestamp and throwing away duplicates could possibly
> work, but there are also many attackers who make multiple
> connections in the span of one second.
>
> I'm open to ideas on how to fix this.

Does it really *need* fixing? If somebody's hammering SSH that hard, from multiple different angles, I'd want them blocked sooner, rather than later, anyway.

Regards,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
From: Karl P. <kpi...@td...> - 2018-04-20 17:29:51
--On 20 April 2018 at 08:57:18 -0700 Kevin Zheng <kev...@gm...> wrote:
>> Will this count as a 'danger' of 20? - Or does sshguard know / realise
>> these are both for the same connection, so collapse them? - The logs
>> seem to indicate they're treated as two separate things...
>
> No, SSHGuard currently does not.
>
> Checking the timestamp and throwing away duplicates could possibly work,
> but there are also many attackers who make multiple connections in the
> span of one second.
>
> I'm open to ideas on how to fix this.

Ok, it's not a major issue (as someone else already replied 'Does it really need fixing?'). It did confuse me a little looking at the logs (and obviously has implications for the counts before blocking - but it is all working).

I might see if I can get away with ignoring the "Disconnected from" lines - as so far it looks like everything 'evil' triggers from at least one other line - I'll collect some logs and check.

The bigger annoyance is 99% of IPs don't seem to trip the blocks (because they only try once or twice from a single IP and never again) - I can't think of any simple way of handling that either. Obvious dictionary attacks from single IPs are shut down very quickly though, which is good.

Thanks,

-Karl
From: Jim S. <jse...@Li...> - 2018-04-20 17:41:20
On Fri, 20 Apr 2018 18:29:39 +0100 Karl Pielorz <kpi...@td...> wrote:

[snip]
> The bigger annoyance is 99% of IP's don't seem to trip the blocks
> (because they only try once or twice from a single IP and never
> again) - I can't think of any simple way of handling that either.
[snip]

That's one weakness in a tool like sshguard. Using a bot farm, the attacker can spread the attack vector out all over Internet creation, and attempt from any given IP address just once every so many hours or days. There's no good way to counter that, other than making sshguard a *lot* smarter than it is. E.g.: detect multiple failed attempts over N days, with zero successes, from a given IP address. That would of course require a very fast database. (Very fast in terms of lookups.) And it would probably increase the likelihood of sshguard, itself, becoming a DOS vector, if an attacker were so inclined.

In the end what really needs to happen is the hardening of client systems, including IoT devices, so they're no longer quite so easily turned into attack tools.

Regards,
Jim