New signature: SSHD - No key exchange method found

Issue #39 duplicate
Robert Pendell created an issue

It seems a bunch of older brute force tools for ssh used old key exchange methods that are not marked as vulnerable and/or weak. I've locked down my SSH by limiting the service to those ciphers that are known to still be strong and unbroken; however, attackers are still trying and they get stopped preauth with that error being logged.

Example message:

sshd[29591]: fatal: Unable to negotiate with 0.0.0.0 port 37618: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

The part after offer can vary.
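As an added example (not sshguard's own matcher, and not code from this issue), a small Python detector that recognises the sshd line above, pulls out the source address, port and the variable "Their offer:" list, and counts hits per source over a constructed sample log; the addresses, PIDs and ports in the sample are made up:

```python
import re
from collections import Counter
from typing import Optional

# Pattern for the sshd line quoted in the issue: the address may be IPv4 or
# IPv6, and the comma-separated list after "Their offer:" varies per client.
KEX_FAIL_RE = re.compile(
    r"sshd\[\d+\]: fatal: Unable to negotiate with (?P<ip>[0-9a-fA-F:.]+) "
    r"port (?P<port>\d+): no matching key exchange method found\. "
    r"Their offer: (?P<offer>\S+) \[preauth\]"
)

def parse_kex_failure(line: str) -> Optional[dict]:
    """Source address, port and offered kex list, or None for any other line."""
    m = KEX_FAIL_RE.search(line)
    if m is None:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "offer": m.group("offer").split(",")}

def failures_per_source(lines) -> Counter:
    """Count matching lines per source address; non-matching lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_kex_failure(line)
        if rec is not None:
            counts[rec["ip"]] += 1
    return counts

def sources_over_threshold(lines, threshold: int = 4):
    """Addresses at or above the threshold, like sshguard's per-source attack count."""
    return sorted(ip for ip, n in failures_per_source(lines).items() if n >= threshold)

def _sample(pid, ip, port, offer):
    # Builds a constructed log line in the format the issue quotes (syslog prefix included).
    return (f"Jul 12 10:00:01 host sshd[{pid}]: fatal: Unable to negotiate with {ip} "
            f"port {port}: no matching key exchange method found. Their offer: "
            f"{offer} [preauth]")

# Constructed sample log: documentation-range addresses, not real attackers.
SAMPLE_LOG = [
    _sample(29591, "192.0.2.10", 37618, "diffie-hellman-group14-sha1,"
            "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"),
    "Jul 12 10:00:02 host sshd[29593]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2",
    _sample(29595, "2001:db8::7", 40000, "diffie-hellman-group1-sha1"),
] + [_sample(29600 + i, "192.0.2.10", 38000 + i, "diffie-hellman-group1-sha1") for i in range(3)]
```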

Comments (13)

  1. Kevin Zheng

    Can you provide more information? Usually, output from uname -a, your error message, and ./configure command-line.

  2. Robert Pendell reporter

    loves blame
    I checked the blame logs and found line 299 was committed by you recently (7/12/2016). I undid the commit manually (it was one line) and it built ok after.

    Commit: 8ca82f3

  3. Robert Pendell reporter

    I can't properly test it due to an error in sshg-fw. Looks like the file is generated and as my log shows above I used iptables.

    sshguard[11010]: /usr/local/sshguard/libexec/sshg-fw: 36: /usr/local/sshguard/libexec/sshg-fw: Syntax error: "}" unexpected

    Later on I get this.
    sshguard[11010]: 116.31.116.18: blocking for 840 secs (4 attacks in 160 secs, after 1 abuses over 160 secs)
    sshguard[11010]: fw: broken pipe
    sshguard[11010]: Exiting on signal
    sshguard[11010]: fw: failed to flush blocked addresses

  4. Kevin Zheng

    Weird, bash doesn't like empty functions. Can you edit /usr/local/sshguard/libexec/sshg-fw and add something like echo "doing nothing" in the fw_fin() block?

  5. Robert Pendell reporter

    That looks better however it still isn't working iptables wise.

    On starting:
    sshguard[14820]: /usr/local/sshguard/libexec/sshg-fw: 7: [: unexpected operator

    On stopping:
    sshguard[14820]: /usr/local/sshguard/libexec/sshg-fw: 51: [: flush: unexpected operator
    sshguard[14820]: /usr/local/sshguard/libexec/sshg-fw: 53: [: flush: unexpected operator
    sshguard[14820]: /usr/local/sshguard/libexec/sshg-fw: 55: [: flush: unexpected operator

    I'll do some digging of my own. I think bash is being picky in its own way.

    Oops... Just realized it is actually dash because Ubuntu defaults it to that. :/

  6. Robert Pendell reporter

    Ok. I just tried your current code and it is building and running fine now. I copied the Ubuntu supplied sshguard-journalctl so it loads the local build instead of the system one to test and everything appears to be good so far. I'll have to wait until someone starts spamming me with failed key exchange hits before I can confirm that string actually works as designed.

    Note: sshguard-journalctl just runs journalctl to get system logging and pipes it to sshguard via stdin.

    EDIT: Ok. Tested. Working good. Can't wait for the release later on. ;) http://p.robertpendell.com/raw/g0hxRYLBDq
