Date:      Thu, 08 Jul 2010 22:29:23 -0400
From:      Glen Barber <glen.j.barber@gmail.com>
To:        David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc:        stable@FreeBSD.org
Subject:   Re: sshd logging with key-only authentication
Message-ID:  <4C368983.4040100@gmail.com>
In-Reply-To: <alpine.DEB.1.10.1007091017040.23399@martello.ucc.gu.uwa.edu.au>
References:  <4C366257.8040201@gmail.com> <alpine.DEB.1.10.1007091017040.23399@martello.ucc.gu.uwa.edu.au>

On 7/8/10 10:24 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
>> dictionary-based.  That's fine; I have proper measures in place, such as
>> key-only access, bruteforce tables for PF, and so on; though some of the
>> attacks are delaying login attempts, bypassing the bruteforce rules, but that
>> isn't the reason for this post.
>>
>> What caught my interest is if I attempt to log in from a machine where I do
>> not have my key or an incorrect key, I see nothing logged in auth.log about a
>> failed login attempt.  If I attempt with an invalid username, as expected, I
>> see 'Invalid user ${USER} from ${IP}.'
>>
>> I'm more concerned with ssh login failures with valid user names. Looking at
>> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
>> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
>> empty), and has an executable shell.  I'm no C hacker, but superficially it
>> looks like it can never meet a condition where the user is valid but the key
>> is invalid to trigger a log entry.
>>
>> Is this a bug in openssh, or have I overlooked something in my configuration?
>
> With LogLevel VERBOSE, you should get entries like
> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>
> Is that what you're after?
>

Sort of, but do I really need to set verbose logging to find that valid 
users are used in SSH attacks?  root is an obvious target, which in my 
scenario is not allowed.  I'm concerned about more specific, allowed users.

Regards,

-- 
Glen Barber
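An added example, not part of this thread: a small parser that picks out the two sshd line formats quoted above ("Invalid user ... from ..." and, with LogLevel VERBOSE, "Failed publickey for ... from ... port ...") and counts failures that targeted existing accounts per source address, which is the case the poster cares about. The log lines are constructed, the addresses are documentation ranges, and the "Failed publickey for invalid user" variant is assumed from OpenSSH's auth_log format.

```python
import re
from collections import Counter

# Patterns for the two sshd messages discussed in the thread. Only the text after
# "sshd[pid]: " is matched, so any syslog prefix in front of it is ignored.
FAILED_PUBKEY = re.compile(
    r"Failed publickey for (?:invalid user )?(\S+) from (\S+) port (\d+)")
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)")

# Constructed sample auth.log excerpt (not from the original mail).
SAMPLE_LOG = """\
Jul  8 22:10:01 host sshd[88595]: Invalid user admin from 192.0.2.10
Jul  8 22:10:02 host sshd[88595]: Failed publickey for invalid user admin from 192.0.2.10 port 41256 ssh2
Jul  8 22:11:15 host sshd[88601]: Failed publickey for glen from 198.51.100.7 port 50210 ssh2
Jul  8 22:11:17 host sshd[88602]: Failed publickey for glen from 198.51.100.7 port 50211 ssh2
Jul  8 22:12:40 host sshd[88610]: Failed publickey for root from 203.0.113.5 port 33000 ssh2
Jul  8 22:12:41 host sshd[88611]: Accepted publickey for glen from 10.0.0.2 port 51000 ssh2
"""


def parse_failures(text):
    """Yield (user, ip, valid_user) for every failed-authentication line."""
    for line in text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            user, ip, _port = m.groups()
            # sshd tags attempts against unknown accounts with "invalid user" (assumed format).
            yield user, ip, "invalid user" not in line
            continue
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            yield user, ip, False


def valid_user_failures(text):
    """Count failed attempts per (source IP, account) that hit an existing account."""
    counts = Counter()
    for user, ip, valid in parse_failures(text):
        if valid:
            counts[(ip, user)] += 1
    return dict(counts)


def suspicious_sources(text, threshold=2):
    """Source IPs with at least `threshold` failures against existing accounts."""
    per_ip = Counter()
    for (ip, _user), n in valid_user_failures(text).items():
        per_ip[ip] += n
    return {ip for ip, n in per_ip.items() if n >= threshold}
```

Without LogLevel VERBOSE the "Failed publickey" lines are never written, so only the invalid-user branch would ever fire.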
