From: <li...@la...> - 2017-05-26 00:04:15
sshguard 1.7 is not catching key exchange ssh hacks. The number of fools attempting such a hack is small, but some are persistent. I've been blocking them by hand.

# uname -a
FreeBSD theranch 10.3-RELEASE-p18 FreeBSD 10.3-RELEASE-p18 #0: Tue Apr 11 10:31:00 UTC 2017 ro...@am...:/usr/obj/usr/src/sys/GENERIC amd64
#
# pkg version -v | grep ssh
sshguard-ipfw-1.7.1 = up-to-date with index

auth.log.0.bz2:May 24 20:37:06 theranch sshd[60250]: fatal: Unable to negotiate with 172.81.185.192 port 50267: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
From: Kevin Z. <kev...@gm...> - 2017-05-26 00:33:38
On 05/25/2017 17:04, li...@la... wrote:
> sshguard 1.7 is not catching key exchange ssh hacks. The number of
> fools attempting such a hack is small, but some are persistent. I've
> been blocking them by hand.

I can't reproduce your issue. Specifically, I checked out the 1.7.1 sshg-parser and ran:

$ echo "May 24 20:37:06 theranch sshd[60250]: fatal: Unable to negotiate with 172.81.185.192 port 50267: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]" | sshg-parser

And got an attack.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: <li...@la...> - 2017-05-26 01:22:14
I can't find the location of sshg-parser. The program isn't in my search path and I have looked in the obvious places. On FreeBSD, sshguard is located in /usr/local/sbin.

Once I have sshg-parser, I will feed it an archived log.

Original Message
From: Kevin Zheng
Sent: Thursday, May 25, 2017 5:33 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] key exchange ssh not being blocked

On 05/25/2017 17:04, li...@la... wrote:
> sshguard 1.7 is not catching key exchange ssh hacks. The number of
> fools attempting such a hack is small, but some are persistent. I've
> been blocking them by hand.

I can't reproduce your issue. Specifically, I checked out the 1.7.1 sshg-parser and ran:

$ echo "May 24 20:37:06 theranch sshd[60250]: fatal: Unable to negotiate with 172.81.185.192 port 50267: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]" | sshg-parser

And got an attack.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Kevin Z. <kev...@gm...> - 2017-05-26 03:33:37
On 05/25/2017 18:22, li...@la... wrote:
> I can't find the location of sshg-parser. The program isn't in my search path and I have looked in the obvious places. On FreeBSD, sshguard is located in /usr/local/sbin.
>
> Once I have sshg-parser, I will feed it an archived log.

/usr/local/libexec/sshg-parser

You should be running the same version I am; I don't know what discrepancy there might be.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: <li...@la...> - 2017-05-26 08:16:55
On Thu, 25 May 2017 18:22:01 -0700 li...@la... wrote:
> I can't find the location of sshg-parser. The program isn't in my
> search path and I have looked in the obvious places. On FreeBSD,
> sshguard is located in /usr/local/sbin.
>
> Once I have sshg-parser, I will feed it an archived log.
>
> Original Message
> From: Kevin Zheng
> Sent: Thursday, May 25, 2017 5:33 PM
> To: ssh...@li...
> Subject: Re: [SSHGuard-users] key exchange ssh not being blocked
>
> On 05/25/2017 17:04, li...@la... wrote:
> > sshguard 1.7 is not catching key exchange ssh hacks. The number of
> > fools attempting such a hack is small, but some are persistent. I've
> > been blocking them by hand.
>
> I can't reproduce your issue. Specifically, I checked out the 1.7.1
> sshg-parser and ran:
>
> $ echo "May 24 20:37:06 theranch sshd[60250]: fatal: Unable to
> negotiate with 172.81.185.192 port 50267: no matching key exchange
> method found. Their offer: diffie-hellman-group1-sha1 [preauth]" |
> sshg-parser
>
> And got an attack.

How do I see the attack? I don't see an entry doing a tail of auth.log.
From: Kevin Z. <kev...@gm...> - 2017-05-27 17:22:52
On 05/26/2017 01:16, li...@la... wrote:
> How do I see the attack? I don't see an entry doing a tail of auth.log.

If you run sshg-parser by itself and pipe your log to it, you should get a line of output for each attack it detects. If there is no output, an attack wasn't detected.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: <li...@la...> - 2017-05-28 03:31:19
On Thu, 25 May 2017 20:33:33 -0700 Kevin Zheng <kev...@gm...> wrote:
> On 05/25/2017 18:22, li...@la... wrote:
> > I can't find the location of sshg-parser. The program isn't in my
> > search path and I have looked in the obvious places. On FreeBSD,
> > sshguard is located in /usr/local/sbin.
> >
> > Once I have sshg-parser, I will feed it an archived log.
>
> /usr/local/libexec/sshg-parser
>
> You should be running the same version I am; I don't know what
> discrepancy there might be.

Now I am getting a trigger. I don't know why I didn't get one the other time I mimicked your echo then pipe.

I think the ultimate test would be to create a new user, then a key that I won't put on the server, then try logging into the server. I'll do the test from public wifi so I don't lock myself out.

However, what do I do to prevent sshguard from permanently blocking IP addresses? My ipfw list is over 3000 hits. I was thinking of flushing it, but I don't know if sshguard maintains a database of hits or just checks table 22.
From: <li...@la...> - 2017-05-30 08:02:45
This looks perfect. Perhaps the IPs that weren't being blocked had hits too far apart. The attacker is a Google Cloud service. Lovely...

May 26 01:50:05 theranch sshd[86071]: fatal: Unable to negotiate with 104.154.221.11 port 54157: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May 26 01:50:06 theranch sshd[86073]: fatal: Unable to negotiate with 104.154.221.11 port 54297: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May 26 01:50:07 theranch sshd[86075]: fatal: Unable to negotiate with 104.154.221.11 port 54438: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
May 26 01:50:07 theranch sshguard[703]: blacklist: added 104.154.221.11
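As an added illustration (not from the thread and not sshguard's own code), the following Python replays sshd auth.log lines like the ones above and reports when a source reaches a threshold of key-exchange failures inside a sliding window, which is one way to test the "hits too far apart" hypothesis against an archived log. The threshold of 3, the 600-second window, the hostname "theranch" in constructed lines, and the 192.0.2.10 source are all assumptions, not sshguard's actual defaults.

```python
import re
from datetime import datetime

# Matches the sshd message quoted in the thread (syslog timestamp without a year, as in auth.log).
KEX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"fatal: Unable to negotiate with (?P<ip>[\d.]+) port \d+: "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)"
)

def parse_kex_failure(line, year=2017):
    """Return (timestamp, client_ip, offered_kex) for a matching line, else None."""
    m = KEX_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["offer"]

def find_blocks(lines, threshold=3, window_seconds=600):
    """Replay lines in order; return [(ip, iso_time)] when an IP reaches `threshold`
    failures inside a sliding window. Threshold/window are assumptions, not sshguard's."""
    recent, blocks = {}, []
    for line in lines:
        parsed = parse_kex_failure(line)
        if parsed is None:
            continue  # unrelated line, e.g. sshguard's own "blacklist: added"
        ts, ip, _offer = parsed
        hits = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= window_seconds]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= threshold and ip not in {b[0] for b in blocks}:
            blocks.append((ip, ts.isoformat()))
    return blocks

def kex_line(ts, pid, ip, port):
    # Build a constructed auth.log line in the format sshd uses for this failure.
    return (f"{ts} theranch sshd[{pid}]: fatal: Unable to negotiate with {ip} "
            f"port {port}: no matching key exchange method found. "
            "Their offer: diffie-hellman-group1-sha1 [preauth]")

# Constructed sample: the three quick hits from the thread, plus a source (192.0.2.10) with hits hours apart.
SAMPLE_LOG = [
    kex_line("May 26 01:50:05", 86071, "104.154.221.11", 54157),
    kex_line("May 26 01:50:06", 86073, "104.154.221.11", 54297),
    kex_line("May 26 01:50:07", 86075, "104.154.221.11", 54438),
    "May 26 01:50:07 theranch sshguard[703]: blacklist: added 104.154.221.11",
    kex_line("May 26 03:00:00", 90001, "192.0.2.10", 40000),
    kex_line("May 26 06:00:00", 90002, "192.0.2.10", 40001),
    kex_line("May 26 09:00:00", 90003, "192.0.2.10", 40002),
]

print(find_blocks(SAMPLE_LOG))  # [('104.154.221.11', '2017-05-26T01:50:07')]
```

Feeding a real archived log is a matter of replacing SAMPLE_LOG with the file's lines; widening window_seconds shows whether slow, spaced-out sources would ever cross the threshold.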