sshguard-users

[SSHGuard-users] patch with parser for Proxmox VE auth failures

[<de...@kl...>]

Dear all,

please find attached a parser for evaluating authentication failure from pvedaemon, a major part of Proxmox Virtual Environment. (https://proxmox.com/en/proxmox-virtual-environment/overview)

This parser ist based upon information in the Proxmox wiki
(parser & jail for Fail2Ban) as well as some real-world
auth errors I've generated myself. :)

Additionally, I've attached the logs from running make check.
Hopefully this all will be of some use for you.

Notes on myself : I'm working as full-time sysadmin and we are evaluating using Proxmox at work. In private I'm using Proxmox since about 1.5 years. As I myself prefer sshguard over Fail2Ban due to it being way faster and for me easier to  understand and implement.
The instruction on how to contribute on the website is quite well thus I've decided to try to add this parser myself. Quite surprised it went that well at all. Nevertheless please bear with me it's my very first patch file ever.

kind regards
Christoph

----------------------------------------
>From 50bdd556f457bc42a1112d844a9b186ec4412881 Mon Sep 17 00:00:00 2001
From: chrkli <de...@kl...>
Date: Sun, 5 May 2024 03:18:08 +0200
Subject: [PATCH] add parser for Proxmox VE

based on information found on Proxmox wiki in regard to Fail2Ban, see
https://pve.proxmox.com/wiki/Fail2ban#Filter_Config
note: only parses messages from pvedaemon, does NOT consider additionally
thrown auth_pam error when using realm "PAM" inside Proxmox VE webapp
---
src/common/attack.h         |  1 +
src/common/service_names.c  |  1 +
src/parser/attack_parser.y  |  8 ++++++++
src/parser/attack_scanner.l | 10 +++++++++-
src/parser/tests.txt        | 16 ++++++++++++++++
5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/common/attack.h b/src/common/attack.h
index e7e4896..d19945c 100644
--- a/src/common/attack.h
+++ b/src/common/attack.h
@@ -50,6 +50,7 @@ enum service {
     SERVICES_OPENVPN_PS     = 410,  //< OpenVPN Portshare
     SERVICES_GITEA          = 500,  //< Gitea
     SERVICES_MSSQL          = 600,  //< Microsoft SQL Server for Linux
+    SERVICES_PROXMOXVE      = 700,  //< Proxmox VE
};

/* an attack (source address & target service info) */
diff --git a/src/common/service_names.c b/src/common/service_names.c
index bbc4d69..174c57c 100644
--- a/src/common/service_names.c
+++ b/src/common/service_names.c
@@ -29,6 +29,7 @@ static const struct service_s services[] = {
     {SERVICES_GITEA, "Gitea"},
     {SERVICES_OPENVPN_PS, "OpenVPN Portshare"},
     {SERVICES_MSSQL, "MSSQL"},
+    {SERVICES_PROXMOXVE, "Proxmox VE"},
};

const char *service_to_name(enum service code) {
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 601d81c..d632ac9 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -119,6 +119,8 @@ static void yyerror(attack_t *, const char *);
%token OPENVPN_PS_TERM_SUFF
/* MSSQL */
%token MSSQL_AUTHFAIL_PREF
+/* Proxmox VE */
+%token PROXMOXVE_AUTHFAIL_PREF PROXMOXVE_AUTHFAIL_SUFF

%%

@@ -195,6 +197,7 @@ msg_single:
   | giteamsg          { attack->service = SERVICES_GITEA; }
   | openvpnpsmsg      { attack->service = SERVICES_OPENVPN_PS; }
   | sqlservrmsg       { attack->service = SERVICES_MSSQL; }
+  | proxmoxvemsg      { attack->service = SERVICES_PROXMOXVE; }
   ;

/* an address */
@@ -390,6 +393,11 @@ openvpnpsmsg:
   | OPENVPN_PS_TERM_PREF '[' addr ']' OPENVPN_PS_TERM_SUFF
   ;

+ /* attack rules for Proxmox VE */
+proxmoxvemsg:
+    PROXMOXVE_AUTHFAIL_PREF addr PROXMOXVE_AUTHFAIL_SUFF
+  ;
+
%%

static void yyerror(__attribute__((unused)) attack_t *a,
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index a7c2a33..c7a4913 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -37,7 +37,7 @@ static int getsyslogpid(char *syslogbanner, int length);

  /* Start Conditions */
  /* for Login services */
-%s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_invalid_format ssh_badkex cockpit_authfail
+%s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_invalid_format ssh_badkex cockpit_authfail proxmoxve_authfail
  /* for SSHGuard */
%s sshguard_attack sshguard_block
%s bind
@@ -344,6 +344,14 @@ HTTP_LOGIN_200OK_BAD       .*({WORDPRESS_LOGIN}|{TYPO3_LOGIN}|{CONTAO_LOGIN}).*
"Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: " { return MSSQL_AUTHFAIL_PREF; }
"Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: " { return MSSQL_AUTHFAIL_PREF; }

+ /* Proxmox VE */
+ /* failed authentication */
+"authentication failure; rhost="  { BEGIN(proxmoxve_authfail); return PROXMOXVE_AUTHFAIL_PREF; }
+<proxmoxve_authfail>" "+"user=".+" "+"msg=".+                        { BEGIN(INITIAL); return PROXMOXVE_AUTHFAIL_SUFF; }
+ /* unknown internal user */
+"authentication failure; rhost="  { BEGIN(proxmoxve_authfail); return PROXMOXVE_AUTHFAIL_PREF; }
+<proxmoxve_authfail>" "+"user=".+" "+"msg=no such user ('".+"')"     { BEGIN(INITIAL); return PROXMOXVE_AUTHFAIL_SUFF; }
+
  /**         COMMON-USE TOKENS       do not touch these          **/
  /* an IPv4 address */
{IPV4}                                                          { yylval.str = yytext; return IPv4; }
diff --git a/src/parser/tests.txt b/src/parser/tests.txt
index bd610fe..4ee143c 100644
--- a/src/parser/tests.txt
+++ b/src/parser/tests.txt
@@ -597,3 +597,19 @@ M
600 198.199.105.106 4 10
M

+#### Proxmox VE
+May 04 23:45:19 deb12-pve pvedaemon[2352]: authentication failure; rhost=::ffff:192.0.2.74 user=tester@pve msg=Authentication failure
+700 192.0.2.74 4 10
+M
+May 05 00:11:56 deb12-pve pvedaemon[2350]: authentication failure; rhost=2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd user=root@pam msg=Authentication failure
+700 2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd 6 10
+M
+May 05 00:07:09 deb12-pve pvedaemon[2351]: authentication failure; rhost=::ffff:192.0.2.154 user=tester2@pam msg=no such user ('tester2@pam')
+700 192.0.2.154 4 10
+M
+May 05 00:08:19 deb12-pve pvedaemon[2352]: authentication failure; rhost=::ffff:192.0.2.7 user=tester3@pve msg=no such user ('tester3@pve')
+700 192.0.2.7 4 10
+M
+May 05 00:12:11 deb12-pve pvedaemon[2352]: authentication failure; rhost=2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd user=root@pve msg=no such user ('root@pve')
+700 2001:0DB8:72a:1936:2d49:83ed:d49a:6ffd 6 10
+M
-- 
2.45.0

Re: [SSHGuard-users] patch with parser for Proxmox VE auth failures

[Kevin Z. <kev...@gm...>]

Hi Christoph,

Thanks for the patch. Happy to include this attack signature for Proxmox 
VE in SSHGuard.

I'm glad you found the documentation useful.

I made a small adjustment to your patch. In attack_scanner.l the attack 
signatures for the "unknown user" case overlap with those for the known 
user, so everything still works when I remove the two lines for the 
unknown user case.

I've committed this and this will be available in the next release.

Thanks again for your contribution!

Thanks,
Kevin

Re: [SSHGuard-users] patch with parser for Proxmox VE auth failures

[Jos C. <jo...@cl...>]

Hi, thank you both.

Best regards,
Jos

Kevin Zheng:
> Hi Christoph,
>
> Thanks for the patch. Happy to include this attack signature for 
> Proxmox VE in SSHGuard.
>
> I'm glad you found the documentation useful.
>
> I made a small adjustment to your patch. In attack_scanner.l the 
> attack signatures for the "unknown user" case overlap with those for 
> the known user, so everything still works when I remove the two lines 
> for the unknown user case.
>
> I've committed this and this will be available in the next release.
>
> Thanks again for your contribution!