- changed status to open
sshd: Overblocking on invalid user?
I’m using sshguard v2.4.1 in combination with OpenSSL v1.1.1h.
I’m seeing the following in my logs:
Dec 12 16:36:29 host sshd[841123]: Invalid user rtkit from 142.44.162.161 port 43376
Dec 12 16:36:30 host sshd[841123]: Received disconnect from 142.44.162.161 port 43376:11: Bye Bye [preauth]
Dec 12 16:36:30 host sshd[841123]: Disconnected from invalid user rtkit 142.44.162.161 port 43376 [preauth]
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Blocking "142.44.162.161/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
While blocking those scumbags can never be too early, this seems to block every typo in the usernames as, for whatever reason, every wrong username counts as three attempts. I think this is a bug.
Comments (3)
reporter: With an existing user, I see the same as you →
With an invalid user, I see two entries which count as two attacks:
sshd[3403890]: Invalid user ro from xx.xx.xx.xx port 47294
sshd[3403890]: Connection closed by invalid user ro xx.xx.xx.xx port 47294 [preauth]
sshguard[306]: Attack from "xx.xx.xx.xx" on service SSH with danger 10.
sshguard[306]: Attack from "xx.xx.xx.xx" on service SSH with danger 2.
I’d still argue that counting it twice is too much – but the second “attack” only counts with weight 2, and shouldn’t be a problem, though.
I cannot reproduce the triple attack as of my original posting and see it only for actual attacks. Hence, the issue only hits the right people.
Close at will.
- changed status to closed
Thanks for the report. Since the second attack only has danger 2, users will actually get 3 attempts because it takes cumulative score 30 to block (and 2*12 is only 24).
Please do let us know if legitimate login mistakes start counting twice!
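To make the arithmetic in the reply above concrete, here is an added simulation of the per-source scoring it describes. This is example code written for this thread, not sshguard's own implementation: it reuses only the numbers quoted here (danger 10 for the "Invalid user" line, danger 2 for the "Connection closed by invalid user" line, and a block threshold of 30). The two regular expressions are this example's simplification of the sshd messages shown in the thread, not sshguard's real attack signatures, and the time windows, "abuses" counter and block durations that sshguard also tracks are deliberately left out. The sample log lines are constructed and use a documentation IP address.

```python
import re
from collections import defaultdict

# Danger scores taken from the sshguard messages quoted in this thread.
# The regexes are this example's own simplification of the sshd lines
# shown above, not sshguard's actual signatures (assumption).
SIGNATURES = [
    (re.compile(r"Invalid user \S+ from (\S+) port \d+"), 10),
    (re.compile(r"Connection closed by invalid user \S+ (\S+) port \d+"), 2),
]

# Threshold quoted by the maintainer: block once cumulative score reaches 30.
BLOCK_THRESHOLD = 30


def score_line(line):
    """Return (ip, danger) if the line matches a signature, else None."""
    for pattern, danger in SIGNATURES:
        m = pattern.search(line)
        if m:
            return m.group(1), danger
    return None


def simulate(lines, threshold=BLOCK_THRESHOLD):
    """Feed sshd log lines through the scoring model.

    Returns {ip: {"score": int, "attacks": int, "blocked_at": int | None}},
    where blocked_at is the attack number that crossed the threshold.
    """
    state = defaultdict(lambda: {"score": 0, "attacks": 0, "blocked_at": None})
    for line in lines:
        hit = score_line(line)
        if hit is None:
            continue
        ip, danger = hit
        entry = state[ip]
        if entry["blocked_at"] is not None:
            continue  # already blocked; later lines from this source are moot
        entry["score"] += danger
        entry["attacks"] += 1
        if entry["score"] >= threshold:
            entry["blocked_at"] = entry["attacks"]
    return dict(state)


def attempts_before_block(danger_per_attempt, threshold=BLOCK_THRESHOLD):
    """Number of login attempts a source gets, given the score each
    attempt contributes, before the cumulative score reaches the threshold."""
    attempts = 0
    score = 0
    while score < threshold:
        score += danger_per_attempt
        attempts += 1
    return attempts


# Constructed sample: three mistyped logins from one address, each producing
# the two lines the reporter quoted (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Dec 12 17:00:01 host sshd[1001]: Invalid user ro from 192.0.2.10 port 40001
Dec 12 17:00:01 host sshd[1001]: Connection closed by invalid user ro 192.0.2.10 port 40001 [preauth]
Dec 12 17:00:05 host sshd[1002]: Invalid user rooot from 192.0.2.10 port 40002
Dec 12 17:00:05 host sshd[1002]: Connection closed by invalid user rooot 192.0.2.10 port 40002 [preauth]
Dec 12 17:00:09 host sshd[1003]: Invalid user rot from 192.0.2.10 port 40003
Dec 12 17:00:09 host sshd[1003]: Connection closed by invalid user rot 192.0.2.10 port 40003 [preauth]
""".splitlines()

if __name__ == "__main__":
    for ip, entry in simulate(SAMPLE_LOG).items():
        print(ip, entry)
    # 12 points per typo (10 + 2): the third typo crosses 30.
    print("attempts at 12 per login:", attempts_before_block(12))
    # 30 points per connection (the 3 x danger 10 seen in the original report).
    print("attempts at 30 per connection:", attempts_before_block(30))
```

Running it shows the point of the reply: two typos only reach a score of 24, so the block lands on the third, whereas the reporter's original log, where a single connection produced three danger-10 events, reaches 30 on the first connection.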
This one is a bit tricky. All of these signatures are recognized as "attacks" because they have also appeared by themselves separately.
I've tried to "brute force" my own server (making sure that I could be locked out):
What I see on my log is:
That is, just a single line, that is correctly classified as one attack. I surmise that these brute force scripts are doing other funny things in the SSH protocol that causes OpenSSH to print out 3 messages for what looks like one connection.
Would you be able to try to "brute force" yourself and see if only one message gets generated?