ssh block after just a single or two login attempts in a single connection

Create issue
Issue #139 open
Maciej S. Szmigiero created an issue

The SSHGuard signature set and default settings block some addresses after just one failed login attempt (with an invalid user name):

2021-02-14T21:15:54.431024+01:00 server sshd: Invalid user fox from 218.104.225.140 port 10581
2021-02-14T21:15:54.432171+01:00 server sshguard: Attack from "218.104.225.140" on service SSH with danger 10.
2021-02-14T21:15:54.725680+01:00 server sshd: Received disconnect from 218.104.225.140 port 10581:11: Bye Bye [preauth]
2021-02-14T21:15:54.726377+01:00 server sshd: Disconnected from invalid user fox 218.104.225.140 port 10581 [preauth]
2021-02-14T21:15:54.726699+01:00 server sshguard: Attack from "218.104.225.140" on service SSH with danger 10.
2021-02-14T21:15:54.727899+01:00 server sshguard: Attack from "218.104.225.140" on service SSH with danger 10.
2021-02-14T21:15:54.727981+01:00 server sshguard: Blocking "218.104.225.140/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)

That’s just a single login attempt with an invalid user “fox”, then an ordinary SSH protocol disconnect, yet the address got blocked.

Besides this, if a user mistypes their login name and types their password twice the address will also get blocked even though it was just a single SSH connection with two login attempts.

This seems far too harsh by default.

This is a bit similar to @René Neumann issue 137, but here users will not get 3 attempts to login, but only a single one in the worst case.

SSHGuard version 2.4.1, OpenSSH 8.4_p1.

Comments (6)

  1. Kevin Zheng
    • changed status to open

    With the current parser in the (unreleased) Git source code, this log only generates two attacks. This is better than the reported three, but is still worse than one.

  2. Kevin Zheng

    It seems to me that the correct fix would be to decrease the score of the signature matching the 'Received disconnect from 218.104.225.140 port 10581:11: Bye Bye [preauth]' line.

  3. Maciej S. Szmigiero reporter

    Received disconnect from 218.104.225.140 port 10581:11: Bye Bye [preauth] means that a SSH protocol disconnect message was received.

    This will always result in the Disconnected from*user fox 218.104.225.140 port 10581 [preauth] line being printed, too.

    That’s why I think the first line (about the SSH protocol message) should either have a low score or even be ignored, as otherwise we are scoring the same exact event twice.

    By the way, below is the trace from the second situation I’ve mentioned: a user mistyped their login name (represented as invaliduser in the trace) and unknowingly typed their (possibly correct) password twice in a single SSH connection which resulted in a block being issued:

    2021-02-17T00:59:11.903573+01:00 server sshd: Invalid user invaliduser from 1.2.3.4 port 2195
    2021-02-17T00:59:11.904554+01:00 server sshguard: Attack from "1.2.3.4" on service SSH with danger 10.
    2021-02-17T00:59:11.985934+01:00 server sshd: Postponed keyboard-interactive for invalid user invaliduser from 1.2.3.4 port 2195 ssh2 [preauth]
    2021-02-17T00:59:13.391335+01:00 server sshd: pam_unix(sshd:auth): check pass; user unknown
    2021-02-17T00:59:13.391582+01:00 server sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
    2021-02-17T00:59:13.392776+01:00 server sshd: pam_faillock(sshd:auth): User unknown: invaliduser
    2021-02-17T00:59:13.393403+01:00 server sshd: pam_unix(sshd:auth): check pass; user unknown
    2021-02-17T00:59:13.394046+01:00 server sshd: pam_faillock(sshd:auth): User unknown: invaliduser
    2021-02-17T00:59:14.852946+01:00 server sshd: error: PAM: Authentication failure for illegal user invaliduser from 1.2.3.4
    2021-02-17T00:59:14.853920+01:00 server sshguard: Attack from "1.2.3.4" on service SSH with danger 10.
    2021-02-17T00:59:14.854691+01:00 server sshd: Failed keyboard-interactive/pam for invalid user invaliduser from 1.2.3.4 port 2195 ssh2
    2021-02-17T00:59:14.896332+01:00 server sshd: Postponed keyboard-interactive for invalid user invaliduser from 1.2.3.4 port 2195 ssh2 [preauth]
    2021-02-17T00:59:16.864945+01:00 server sshd: pam_unix(sshd:auth): check pass; user unknown
    2021-02-17T00:59:16.865201+01:00 server sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
    2021-02-17T00:59:16.866263+01:00 server sshd: pam_faillock(sshd:auth): User unknown: invaliduser
    2021-02-17T00:59:16.866575+01:00 server sshd: pam_unix(sshd:auth): check pass; user unknown
    2021-02-17T00:59:16.867182+01:00 server sshd: pam_faillock(sshd:auth): User unknown: invaliduser
    2021-02-17T00:59:18.737645+01:00 server sshd: error: PAM: Authentication failure for illegal user invaliduser from 1.2.3.4
    2021-02-17T00:59:18.738646+01:00 server sshguard: Attack from "1.2.3.4" on service SSH with danger 10.
    2021-02-17T00:59:18.738951+01:00 server sshguard: Blocking "1.2.3.4/32" for 120 secs (3 attacks in 7 secs, after 1 abuses over 7 secs.)
    2021-02-17T00:59:18.739214+01:00 server sshd: Failed keyboard-interactive/pam for invalid user invaliduser from 1.2.3.4 port 2195 ssh2

  4. Kevin Zheng

    What is the expected behavior in the second situation? That this should only count as one attack?

  5. Maciej S. Szmigiero reporter

    Fixed original issue in 3855770.

    Thanks.

    What is the expected behavior in the second situation? That this should only count as one attack?

    It depends how one looks at it.

    On the one hand, there was just a single mistake (mistyped login name) in a single SSH connection.

    On the other hand there were two attempts to provide a password (and so, two login attempts).

  6. Log in to comment