sshd: Overblocking on invalid user?

Issue #137 closed
René Neumann created an issue

I’m using sshguard v2.4.1 in combination with OpenSSL v1.1.1h.

I’m seeing the following in my logs:

Dec 12 16:36:29 host sshd[841123]: Invalid user rtkit from 142.44.162.161 port 43376
Dec 12 16:36:30 host sshd[841123]: Received disconnect from 142.44.162.161 port 43376:11: Bye Bye [preauth]
Dec 12 16:36:30 host sshd[841123]: Disconnected from invalid user rtkit 142.44.162.161 port 43376 [preauth]
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Attack from "142.44.162.161" on service SSH with danger 10.
Dec 12 16:36:30 host sshguard[814693]: Blocking "142.44.162.161/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)

While blocking those scumbags can never be too early, this seems to block every typo in the usernames as, for whatever reason, every wrong username counts as three attempts. I think this is a bug 🙂

Comments (3)

  1. Kevin Zheng
    • changed status to open

    This one is a bit tricky. All of these signatures are recognized as "attacks" because they have also appeared by themselves separately.

    I've tried to "brute force" my own server (making sure that I could be locked out):

    $ ssh nobody@my.server.here

    What I see on my log is:

    Dec 31 17:02:47 quasar sshd[82136]: Connection closed by authenticating user nobody x.x.x.x port 15174 [preauth]

    That is, just a single line, that is correctly classified as one attack. I surmise that these brute force scripts are doing other funny things in the SSH protocol that causes OpenSSH to print out 3 messages for what looks like one connection.

    Would you be able to try to "brute force" yourself and see if only one message gets generated?

  2. René Neumann reporter

    With an existing user, I see the same as you → ✅

    With an invalid user, I see two entries which count as two attacks:

    sshd[3403890]: Invalid user ro from xx.xx.xx.xx port 47294
    sshd[3403890]: Connection closed by invalid user ro xx.xx.xx.xx port 47294 [preauth]
    sshguard[306]: Attack from "xx.xx.xx.xx" on service SSH with danger 10.
    sshguard[306]: Attack from "xx.xx.xx.xx" on service SSH with danger 2.

    I’d still argue that counting it twice is too much – but the second “attack” only counts with weight 2 and shouldn’t be a problem.

    I cannot reproduce the triple attack from my original posting and see it only for actual attacks. Hence, the issue only hits the right people 😉.

    Close at will.

  3. Kevin Zheng

    Thanks for the report. Since the second attack only has danger 2, users will actually get 3 attempts because it takes cumulative score 30 to block (and 2*12 is only 24).

    Please do let us know if legitimate login mistakes start counting twice!
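To make the scoring discussed in this thread concrete, here is an added example (not sshguard's own code) that replays the two log shapes above through a minimal sshguard-style scorer. The signatures, the per-signature danger weights (10, 10, 10 and 2, taken from the "danger N" lines quoted above) and the block threshold of 30 are assumptions drawn from the thread; the sample lines with date/host prefixes and the 203.0.113.7 address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: the triple-message attack from the original report.
TRIPLE_LOG = [
    'Dec 12 16:36:29 host sshd[841123]: Invalid user rtkit from 142.44.162.161 port 43376',
    'Dec 12 16:36:30 host sshd[841123]: Received disconnect from 142.44.162.161 port 43376:11: Bye Bye [preauth]',
    'Dec 12 16:36:30 host sshd[841123]: Disconnected from invalid user rtkit 142.44.162.161 port 43376 [preauth]',
]
# Constructed sample input: the two-message shape seen for a typo'd username (IP is a documentation address).
TYPO_LOG = [
    'Dec 12 16:40:01 host sshd[3403890]: Invalid user ro from 203.0.113.7 port 47294',
    'Dec 12 16:40:02 host sshd[3403890]: Connection closed by invalid user ro 203.0.113.7 port 47294 [preauth]',
]

IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
# (pattern, danger): weights are assumptions read off the "danger N" lines in the thread.
SIGNATURES = [
    (re.compile(r'Invalid user \S+ from ' + IP + r' port \d+'), 10),
    (re.compile(r'Received disconnect from ' + IP + r' port \d+:11: Bye Bye \[preauth\]'), 10),
    (re.compile(r'Disconnected from invalid user \S+ ' + IP + r' port \d+ \[preauth\]'), 10),
    (re.compile(r'Connection closed by invalid user \S+ ' + IP + r' port \d+ \[preauth\]'), 2),
]

BLOCK_THRESHOLD = 30  # cumulative danger needed to block (assumption, per the maintainer's comment)


def classify(line):
    """Return (source_ip, danger) if the line matches a signature, else None."""
    for pattern, danger in SIGNATURES:
        m = pattern.search(line)
        if m:
            return m.group('ip'), danger
    return None


def score_log(lines, threshold=BLOCK_THRESHOLD):
    """Accumulate danger per source IP and flag addresses that reach the block threshold."""
    scores = defaultdict(lambda: {'attacks': 0, 'score': 0, 'blocked': False})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue  # not an attack signature, e.g. a successful login
        ip, danger = hit
        entry = scores[ip]
        entry['attacks'] += 1
        entry['score'] += danger
        if entry['score'] >= threshold:
            entry['blocked'] = True
    return dict(scores)
```

Running `score_log(TRIPLE_LOG)` reaches 30 on the third message and blocks immediately, while `score_log(TYPO_LOG)` accumulates only 12 per failed login, so the block lands on the third mistyped attempt (36), not the first.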
