- changed status to resolved
SSH attack signatures are changed
My sshd (OpenSSH_7.5p1-hpn14v12, OpenSSL 1.0.2k 26 Jan 2017) reports "Invalid user admin from 190.179.191.9 port 46683", not "Invalid user admin from 190.179.191.9", and a message that ends with "port 46683" is not recognized as an attack pattern.

Other unrecognised patterns from sshd:

- "error: PAM: Authentication failure for illegal user blankendes from 103.79.141.166"
- "Did not receive identification string from 204.8.156.142 port 51616"
- "Bad protocol version identification '\026\003\001' from 169.54.233.125 port 54041"
- "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.25.217.109 user=root"
- "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.25.217.109 user=root"
-- AWa.
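The report above comes down to signatures that stop matching once sshd appends " port N" to a message. The following is an added example, not SSHGuard's own parser or code from this issue: a small Python classifier that accepts the messages quoted in the report with or without the port suffix. The signature names, `classify` and the IPv4-only address pattern are assumptions made for the illustration.

```python
import re

# IPv4 only, to keep the sketch short (assumption; real logs also carry IPv6).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
# Newer sshd builds append the source port; older ones do not.
PORT = r"(?: port \d+)?"
PAM_TAIL = rf".* rhost={ADDR}(?:\s+user=\S+)?$"

# Hypothetical signature table, one entry per message quoted in the report.
# Each pattern is anchored at the end of the message and uses a greedy ".*",
# so the address captured is the one sshd itself appended, not text taken
# from the user name field.
SIGNATURES = [
    ("invalid_user", rf"Invalid user .* from {ADDR}{PORT}$"),
    ("pam_auth_failure",
     rf"error: PAM: Authentication failure for (?:illegal user )?.* from {ADDR}{PORT}$"),
    ("no_ident", rf"Did not receive identification string from {ADDR}{PORT}$"),
    ("bad_protocol", rf"Bad protocol version identification '.*' from {ADDR}{PORT}$"),
    ("pam_unix_failure", rf"pam_unix\(sshd:auth\): authentication failure;{PAM_TAIL}"),
    ("pam_more_failures", rf"PAM \d+ more authentication failures?;{PAM_TAIL}"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in SIGNATURES]

# Optional classic syslog prefix: "Dec 29 16:48:56 host sshd[24924]: "
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")


def classify(line):
    """Return (signature_name, source_address), or None if nothing matches."""
    msg = SYSLOG_PREFIX.sub("", line.strip())
    for name, rx in COMPILED:
        m = rx.match(msg)
        if m:
            return name, m.group("addr")
    return None


if __name__ == "__main__":
    # Messages taken from the report; both forms of the first one are shown.
    for sample in (
        "Invalid user admin from 190.179.191.9",
        "Invalid user admin from 190.179.191.9 port 46683",
        "Did not receive identification string from 204.8.156.142 port 51616",
    ):
        print(classify(sample), "<-", sample)
```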
Comments (3)
-
OpenSSH_7.4p1, OpenSSL 1.0.2q
SSHGuard 2.2.0
Pattern: "Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20.95.202 port 56452" is not recognized as an attack.
--
AWa.
-
Fixed in 6e752ed, thanks!
These should be fixed in SSHGuard 2.1 that should be out any day now. You can read more about the release candidate.