Reset attack score after successful login

Create issue
Issue #132 open
Former user created an issue

log:

Connection from $MY_IP port 43448 on $HOST port 22
Failed publickey for $USER from $MY_IP port 43448 ssh2: RSA SHA256:xxx
Accepted key ECDSA SHA256:yyy found at /etc/ssh/authorized_keys.d/$USER:7
Postponed publickey for $USER from $MY_IP port 43448 ssh2 [preauth]
Accepted key ECDSA SHA256:yyy found at /etc/ssh/authorized_keys.d/$USER:7
Accepted publickey for $USER from $MY_IP port 43448 ssh2: ECDSA SHA256:yyy
pam_unix(sshd:session): session opened for user $USER by (uid=0)

I'm trying to use node-ssh and apparently it sends my RSA key first whereas openssh sends my ECDSA first. When I run my script multiple times, it blocks me because of the failed key.

Is this a problem with node-ssh, or a problem with the detection? Should a successful connection with a different key not reduce the threat level?

Comments (8)

  1. Kevin Zheng
    • changed status to open

    What version of SSHGuard were you running? I can't reproduce the parser recognizing the lines you submitted as an attack.

  2. Wout Mertens

    I tried upgrading to 2.4.2, but the problem persists:

    sshd[19387]: Connection from $CLIENT_IP port 49208 on $HOST port 22 rdomain ""
    sshd[19387]: Failed publickey for $USER from $CLIENT_IP port 49208 ssh2: RSA SHA256:yVkVwjvIB0BFo9z3x4/tsFPABQvdrnxjF36QK9sHpKQ
    sshd[19387]: Accepted key ECDSA SHA256:b9wagFZnB807dPkV30Y8j621FAh/8joCRKD+vUHVPc4 found at /etc/ssh/authorized_keys.d/$USER:4
    sshd[19387]: Postponed publickey for $USER from $CLIENT_IP port 49208 ssh2 [preauth]
    sshd[19387]: Accepted key ECDSA SHA256:b9wagFZnB807dPkV30Y8j621FAh/8joCRKD+vUHVPc4 found at /etc/ssh/authorized_keys.d/$USER:4
    sshd[19387]: Accepted publickey for $USER from $CLIENT_IP port 49208 ssh2: ECDSA SHA256:b9wagFZnB807dPkV30Y8j621FAh/8joCRKD+vUHVPc4
    sshd[19387]: pam_unix(sshd:session): session opened for user $USER(uid=1000) by (uid=0)
    sshd[19387]: User child is on pid 19389
    sshguard[1901]: Attack from "$CLIENT_IP" on service SSH with danger 10.
    sshguard[1901]: Blocking "$CLIENT_IP/32" for 120 secs (3 attacks in 292 secs, after 1 abuses over 292 secs.)
    

    โ€Œ

  3. Kevin Zheng

    I was able to reproduce the issue with the attack signature you posted 5 days ago (with the actual ssh2: RSA SHA256: line, instead of the original signature posted here (with xxx) as the key.

    I think the right solution here is to have successful logins reset the attack score.

  4. Log in to comment