blocks a source IP for many connections even when they are successful.

Create issue
Issue #65 invalid
j created an issue

output from auth.log: Feb 23 20:20:51 juju-b4d3a0-52 sshd[10693]: Connection closed by 107.5.212.189 port 61833 [preauth] Feb 23 20:20:51 juju-b4d3a0-52 sshd[10695]: Accepted publickey for ubuntu from 107.5.212.189 port 61834 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 20:24:09 juju-b4d3a0-52 sshd[10750]: Received disconnect from 107.5.212.189 port 61834:11: disconnected by user Feb 23 20:24:09 juju-b4d3a0-52 sshd[10750]: Disconnected from 107.5.212.189 port 61834 Feb 23 20:24:57 juju-b4d3a0-52 sshd[10959]: Connection closed by 107.5.212.189 port 61979 [preauth] Feb 23 20:24:57 juju-b4d3a0-52 sshd[10961]: Accepted publickey for ubuntu from 107.5.212.189 port 61980 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 20:24:57 juju-b4d3a0-52 sshd[10993]: Received disconnect from 107.5.212.189 port 61980:11: disconnected by user Feb 23 20:24:57 juju-b4d3a0-52 sshd[10993]: Disconnected from 107.5.212.189 port 61980 Feb 23 20:25:03 juju-b4d3a0-52 sshd[10996]: Connection closed by 107.5.212.189 port 61991 [preauth] Feb 23 20:25:04 juju-b4d3a0-52 sshd[10998]: Accepted publickey for ubuntu from 107.5.212.189 port 61992 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 20:25:06 juju-b4d3a0-52 sshd[11030]: Received disconnect from 107.5.212.189 port 61992:11: disconnected by user Feb 23 20:25:06 juju-b4d3a0-52 sshd[11030]: Disconnected from 107.5.212.189 port 61992 Feb 23 20:37:22 juju-b4d3a0-52 sshd[11083]: Connection closed by 107.5.212.189 port 62229 [preauth] Feb 23 20:37:23 juju-b4d3a0-52 sshguard[1450]: Blocking 107.5.212.189:4 for >630secs: 40 danger in 4 attacks over 992 seconds (all: 40d in 1 abuses over 992s). Feb 23 21:03:17 juju-b4d3a0-52 sshd[11200]: Connection closed by 107.5.212.189 port 62712 [preauth] Feb 23 21:03:17 juju-b4d3a0-52 sshd[11202]: Accepted publickey for ubuntu from 107.5.212.189 port 62715 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:08:53 juju-b4d3a0-52 sshd[11234]: Received disconnect from 107.5.212.189 port 62715:11: disconnected by user Feb 23 21:08:53 juju-b4d3a0-52 sshd[11234]: Disconnected from 107.5.212.189 port 62715 Feb 23 21:09:14 juju-b4d3a0-52 sshd[11686]: Connection closed by 107.5.212.189 port 62807 [preauth] Feb 23 21:09:14 juju-b4d3a0-52 sshd[11688]: Accepted publickey for ubuntu from 107.5.212.189 port 62808 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:09:28 juju-b4d3a0-52 sshd[11720]: Received disconnect from 107.5.212.189 port 62808:11: disconnected by user Feb 23 21:09:28 juju-b4d3a0-52 sshd[11720]: Disconnected from 107.5.212.189 port 62808 Feb 23 21:09:44 juju-b4d3a0-52 sshd[11951]: Connection closed by 107.5.212.189 port 62852 [preauth] Feb 23 21:09:46 juju-b4d3a0-52 sshd[11953]: Accepted publickey for ubuntu from 107.5.212.189 port 62853 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:10:17 juju-b4d3a0-52 sshd[11985]: Received disconnect from 107.5.212.189 port 62853:11: disconnected by user Feb 23 21:10:17 juju-b4d3a0-52 sshd[11985]: Disconnected from 107.5.212.189 port 62853 Feb 23 21:15:23 juju-b4d3a0-52 sshd[12027]: Connection closed by 107.5.212.189 port 62930 [preauth] Feb 23 21:15:24 juju-b4d3a0-52 sshd[12029]: Accepted publickey for ubuntu from 107.5.212.189 port 62931 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:15:24 juju-b4d3a0-52 sshguard[1450]: Blocking 107.5.212.189:4 for >945secs: 40 danger in 4 attacks over 727 seconds (all: 80d in 2 abuses over 3273s). Feb 23 21:54:00 juju-b4d3a0-52 sshd[12249]: Connection closed by 107.5.212.189 port 63677 [preauth] Feb 23 21:54:01 juju-b4d3a0-52 sshd[12251]: Accepted publickey for ubuntu from 107.5.212.189 port 63679 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:54:42 juju-b4d3a0-52 sshd[12305]: Received disconnect from 107.5.212.189 port 63679:11: disconnected by user Feb 23 21:54:42 juju-b4d3a0-52 sshd[12305]: Disconnected from 107.5.212.189 port 63679 Feb 23 21:54:46 juju-b4d3a0-52 sshd[12342]: Connection closed by 107.5.212.189 port 63697 [preauth] Feb 23 21:54:46 juju-b4d3a0-52 sshd[12344]: Accepted publickey for ubuntu from 107.5.212.189 port 63699 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 21:57:09 juju-b4d3a0-52 sshd[12376]: Received disconnect from 107.5.212.189 port 63699:11: disconnected by user Feb 23 21:57:09 juju-b4d3a0-52 sshd[12376]: Disconnected from 107.5.212.189 port 63699 Feb 23 21:57:24 juju-b4d3a0-52 sshd[12403]: Connection closed by 107.5.212.189 port 64764 [preauth] Feb 23 21:57:25 juju-b4d3a0-52 sshd[12405]: Accepted publickey for ubuntu from 107.5.212.189 port 64765 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 23 22:03:04 juju-b4d3a0-52 sshd[12437]: Received disconnect from 107.5.212.189 port 64765:11: disconnected by user Feb 23 22:03:04 juju-b4d3a0-52 sshd[12437]: Disconnected from 107.5.212.189 port 64765 Feb 24 21:17:32 juju-b4d3a0-52 sshd[21210]: Connection closed by 107.5.212.189 port 57813 [preauth] Feb 24 21:17:33 juju-b4d3a0-52 sshd[21212]: Accepted publickey for ubuntu from 107.5.212.189 port 57814 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 24 21:19:09 juju-b4d3a0-52 sshd[21314]: Connection closed by 107.5.212.189 port 46164 [preauth] Feb 24 21:19:10 juju-b4d3a0-52 sshd[21316]: Accepted publickey for ubuntu from 107.5.212.189 port 46168 ssh2: RSA SHA256:Bkn7CrUV8FjlsiYBogfhqncZEyg3Ff0guWQTRvZRcxM Feb 24 21:19:13 juju-b4d3a0-52 sshd[21348]: Received disconnect from 107.5.212.189 port 46168:11: disconnected by user Feb 24 21:19:13 juju-b4d3a0-52 sshd[21348]: Disconnected from 107.5.212.189 port 46168 Feb 24 21:22:18 juju-b4d3a0-52 sshd[21366]: Connection closed by 107.5.212.189 port 46690 [preauth] Feb 24 21:22:18 juju-b4d3a0-52 sshd[21368]: Connection closed by 107.5.212.189 port 46694 [preauth] Feb 24 21:22:18 juju-b4d3a0-52 sshguard[1450]: Blocking 107.5.212.189:4 for >0secs: 40 danger in 4 attacks over 286 seconds (all: 120d in 3 abuses over 90087s).

It seems sshguard is detecting too many connections and deeming this behavior bad, even though the connections are successful and pubkey is accepted.

What steps will reproduce the problem? 1. start an instance 2. use ssh to run remote commands, not start a session. 3. be sure sshmaster is disabled.

Comments (2)

  1. Daniel Aleksandersen

    SSHGuard is doing its job here. This looks like an attack.

    You should never see Connection closed by IP port PORT [preauth] from a well behaved client. It looks like the client cuts off the connection prematurely (from the server’s perspective). SSHGuard threats this like an abandoned connection which could be a sign of a DDoS.

    It’s interesting to note that you have preauth added to the end of the message. Could indicate a bug in openssh (session state not correctly flagged as authenticated), but I’ll suspect they’ll say it’s a configuration error. You can get some pointers that might help you sort out your SSH server configuration here, http://unix.stackexchange.com/q/102502/7670

    Alternatively, you can filter out this message from your logs with grep -v or add the client to SSHGuard’s whitelist.

  2. Log in to comment