SSH attack signatures are changed

Issue #81 resolved
Former user created an issue

My sshd (OpenSSH_7.5p1-hpn14v12, OpenSSL 1.0.2k 26 Jan 2017) reports "Invalid user admin from 190.179.191.9 port 46683", not "Invalid user admin from 190.179.191.9", and messages ending with "port 46683" are not recognized as an attack pattern.

Other unrecognised patterns from sshd:

"error: PAM: Authentication failure for illegal user blankendes from 103.79.141.166"
"Did not receive identification string from 204.8.156.142 port 51616"
"Bad protocol version identification '\026\003\001' from 169.54.233.125 port 54041"
"pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.25.217.109 user=root"
"PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.25.217.109 user=root"

-- AWa.

Comments (3)

  1. AWa.

    OpenSSH_7.4p1, OpenSSL 1.0.2q
    SSHGuard 2.2.0

    Pattern: "Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20.95.202 port 56452" is not recognized as an attack.

    --

    AWa.
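
An added example, not SSHGuard's own parser and not code from this issue: a Python matcher for the sshd message formats quoted above that treats the trailing "port N" as optional and validates the extracted address. The function name, regexes and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

PORT = r"(?: port \d+)?"            # suffix newer sshd appends after the address
ADDR = r"(?P<addr>[0-9A-Fa-f:.]+)"  # candidate only; validated with ipaddress below

# Message bodies quoted in the issue (the text after "sshd[pid]: ").
# "$" anchoring plus greedy ".*" means the LAST " from <addr>" wins, so a
# username containing " from 1.2.3.4" cannot redirect the block to another host.
SIGNATURES = [re.compile(p) for p in (
    rf"Invalid user .* from {ADDR}{PORT}$",
    rf"error: PAM: Authentication failure for illegal user .* from {ADDR}{PORT}$",
    rf"Did not receive identification string from {ADDR}{PORT}$",
    rf"Bad protocol version identification '.*' from {ADDR}{PORT}$",
    rf"pam_unix\(sshd:auth\): authentication failure;.* rhost={ADDR}(?:\s|$)",
    rf"PAM \d+ more authentication failures?;.* rhost={ADDR}(?:\s|$)",
)]
PREFIX = re.compile(r"^.*?sshd\[\d+\]: ")  # syslog timestamp, host, process tag


def attacker_address(line):
    """Return the source address if the line matches a signature, else None."""
    prefix = PREFIX.match(line)
    if not prefix:
        return None
    body = line[prefix.end():].rstrip()
    for rx in SIGNATURES:
        hit = rx.match(body)
        if hit:
            try:
                return str(ipaddress.ip_address(hit.group("addr")))
            except ValueError:  # e.g. rhost= carried a hostname, not an address
                return None
    return None


# Constructed sample lines (documentation-range addresses, not from the issue).
SAMPLES = [
    "Dec 29 16:48:56 host sshd[24924]: Invalid user admin from 192.0.2.10 port 46683",
    "Dec 29 16:48:57 host sshd[24925]: Invalid user admin from 192.0.2.10",
    "Dec 29 16:48:58 host sshd[24926]: Did not receive identification string from 203.0.113.5 port 56452",
    "Dec 29 16:48:59 host sshd[24927]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root",
    "Dec 29 16:49:00 host sshd[24928]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(attacker_address(sample), "<-", sample)
```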
