False positives

Issue #83 duplicate
Former user created an issue

I do parallel sftp transfers from a remote server via lftp, and sshguard-2.0.0 is triggering off disconnect log entries:

Dec  1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...
Dec  1 06:25:27 server sshd[19471]: Received disconnect from 1.2.3.4 port 60058:11: disconnected by user
Dec  1 06:25:27 server sshd[19471]: Disconnected from 1.2.3.4 port 60058
Dec  1 06:25:27 server sshd[19959]: Accepted publickey for User from 1.2.3.4 port 21564 ssh2: RSA SHA256:...
Dec  1 06:25:27 server sshd[19454]: Received disconnect from 1.2.3.4 port 11159:11: disconnected by user
Dec  1 06:25:27 server sshd[19454]: Disconnected from 1.2.3.4 port 11159
Dec  1 06:25:28 server sshd[19961]: Received disconnect from 1.2.3.4 port 21562:11: disconnected by user
Dec  1 06:25:28 server sshd[19961]: Disconnected from 1.2.3.4 port 21562
Dec  1 06:25:28 server sshd[19987]: Connection closed by 1.2.3.4 port 21569 [preauth]
Dec  1 06:25:28 server sshguard[76807]: Attack from "1.2.3.4" on service 100 with danger 10.
Dec  1 06:25:28 server sshguard[76807]: Blocking "1.2.3.4" forever (3 attacks in 36 secs, after 1 abuses over 36 secs.)

This type of signature doesn't appear to pose any entry risk, perhaps a DDoS? It should be ignored or given a much lower "dangerousness" vs. a failed authentication attempt.

Comments (3)

  1. Kevin Zheng
    • changed status to open

    Perhaps a fix would be to recognize the "Accepted publickey" line as a success and reset the accumulated danger. Or as you mention, lowering the dangerousness.

  2. Kevin Zheng

    Only the "Connection closed by 1.2.3.4 port 21569 [preauth]" is recognized by SSHGuard (the lines above it aren't), so this is a duplicate of #77.
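
The scoring behaviour discussed in this thread, simulated as an added example (this is not sshguard's own code). It recognises only the two sshd messages the comments mention, "Accepted ..." and "Connection closed by ... [preauth]", ignores the "Received disconnect"/"Disconnected from" lines the second comment says are not parsed, applies the danger of 10 the log shows for the preauth close, and compares the current accumulation against the first comment's proposal of resetting the accumulated danger on a successful login. The blocking threshold of 30 is assumed to be sshguard's default, and the sample log lines are constructed after the ones in the report (a second address, 5.6.7.8, is added as a client that never authenticates).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Only these two sshd messages are scored here. Per the thread, sshguard 2.0.0
# treats the preauth close as an attack and does not parse the
# "Received disconnect" / "Disconnected from" lines at all.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")
PREAUTH_CLOSE_RE = re.compile(r"sshd\[\d+\]: Connection closed by (\S+) port \d+ \[preauth\]")

DANGER_PREAUTH_CLOSE = 10   # danger sshguard logged for this signature in the report
THRESHOLD = 30              # assumed: sshguard's default blocking threshold

# Constructed sample, modelled on the lines in the report: 1.2.3.4 is an lftp
# client that authenticates and then closes spare sessions; 5.6.7.8 never
# authenticates and only produces preauth closes.
SAMPLE_LINES = [
    "Dec  1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...",
    "Dec  1 06:25:27 server sshd[19987]: Connection closed by 1.2.3.4 port 21569 [preauth]",
    "Dec  1 06:25:27 server sshd[19990]: Connection closed by 5.6.7.8 port 40001 [preauth]",
    "Dec  1 06:25:28 server sshd[19959]: Accepted publickey for User from 1.2.3.4 port 21570 ssh2: RSA SHA256:...",
    "Dec  1 06:25:28 server sshd[19991]: Connection closed by 1.2.3.4 port 21571 [preauth]",
    "Dec  1 06:25:28 server sshd[19992]: Connection closed by 5.6.7.8 port 40002 [preauth]",
    "Dec  1 06:25:28 server sshd[19959]: Received disconnect from 1.2.3.4 port 21570:11: disconnected by user",
    "Dec  1 06:25:29 server sshd[19961]: Accepted publickey for User from 1.2.3.4 port 21572 ssh2: RSA SHA256:...",
    "Dec  1 06:25:29 server sshd[19993]: Connection closed by 1.2.3.4 port 21573 [preauth]",
    "Dec  1 06:25:29 server sshd[19994]: Connection closed by 5.6.7.8 port 40003 [preauth]",
]


@dataclass
class Scorer:
    """Accumulates danger per source address and blocks at THRESHOLD."""
    reset_on_success: bool
    scores: dict[str, int] = field(default_factory=dict)
    blocked: list[str] = field(default_factory=list)

    def feed(self, line: str) -> str | None:
        """Score one log line; returns the event kind or None if not recognised."""
        m = ACCEPTED_RE.search(line)
        if m:
            if self.reset_on_success:
                # Proposal from the first comment: a successful login clears
                # whatever this address had accumulated.
                self.scores.pop(m.group(1), None)
            return "success"
        m = PREAUTH_CLOSE_RE.search(line)
        if m:
            ip = m.group(1)
            if ip in self.blocked:
                return "blocked"
            self.scores[ip] = self.scores.get(ip, 0) + DANGER_PREAUTH_CLOSE
            if self.scores[ip] >= THRESHOLD:
                self.blocked.append(ip)
                return "block"
            return "attack"
        return None  # e.g. "Received disconnect", "Disconnected from"


def run(lines: list[str], reset_on_success: bool) -> tuple[list[str], dict[str, int]]:
    """Replay the lines and return (addresses blocked, final scores)."""
    scorer = Scorer(reset_on_success)
    for line in lines:
        scorer.feed(line)
    return scorer.blocked, dict(scorer.scores)


if __name__ == "__main__":
    for mode in (False, True):
        blocked, scores = run(SAMPLE_LINES, reset_on_success=mode)
        print(f"reset_on_success={mode}: blocked={blocked} scores={scores}")
```

With the current behaviour the lftp client reaches 30 on its third preauth close and is blocked alongside the never-authenticating address; with the reset applied, only the address that never produced an "Accepted" line is blocked, while the legitimate client's score is cleared by each login and never climbs past 10.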
