On 7/8/10 10:24 PM, David Adam wrote:
On Thu, 8 Jul 2010, Glen Barber wrote:
I've been seeing quite a bit of ssh bruteforce attacks which appear to be
dictionary-based.  That's fine; I have proper measures in place, such as
key-only access, bruteforce tables for PF, and so on; though some of the
attacks are delaying login attempts, bypassing the bruteforce rules, but that
isn't the reason for this post.

What caught my interest is if I attempt to log in from a machine where I do
not have my key or an incorrect key, I see nothing logged in auth.log about a
failed login attempt.  If I attempt with an invalid username, as expected, I
see 'Invalid user ${USER} from ${IP}.'

I'm more concerned with ssh login failures with valid user names. Looking at
crypto/openssh/auth.c, allowed_user() returns true if the user is not in
DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
empty), and has an executable shell.  I'm no C hacker, but superficially it
looks like it can never meet a condition where the user is valid but the key
is invalid to trigger a log entry.

Is this a bug in openssh, or have I overlooked something in my configuration?

With LogLevel VERBOSE, you should get entries like
sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2

Is that what you're after?


Sort of, but do I really need to set verbose logging to find that valid users are used in SSH attacks? root is an obvious target, which in my scenario is not allowed. I'm concerned about more specific, allowed users.

Regards,

--
Glen Barber
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
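A detection-side illustration of the point raised in this thread, added here and not part of the original post: a small Python parser over constructed auth.log lines that tallies, per source address, the 'Failed publickey' failures against accounts that exist (which sshd only emits at LogLevel VERBOSE) separately from the 'Invalid user' lines that appear at the default level. The sample log lines, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the thread). The "Failed publickey"
# lines for existing users are only present when sshd runs with LogLevel VERBOSE;
# at the default level only the "Invalid user" lines would be here.
SAMPLE_AUTH_LOG = """\
Jul  8 22:10:01 host sshd[88595]: Failed publickey for root from 203.0.113.7 port 41256 ssh2
Jul  8 22:10:03 host sshd[88597]: Invalid user admin from 203.0.113.7
Jul  8 22:10:05 host sshd[88599]: Failed publickey for glen from 203.0.113.7 port 41260 ssh2
Jul  8 22:10:09 host sshd[88601]: Failed publickey for glen from 198.51.100.9 port 50211 ssh2
Jul  8 22:10:12 host sshd[88603]: Invalid user oracle from 198.51.100.9
Jul  8 22:10:15 host sshd[88605]: Accepted publickey for glen from 192.0.2.20 port 51000 ssh2
"""

# Matches the VERBOSE-level line for a key failure against an existing account.
FAILED_PUBKEY = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# Matches the default-level line for a username that does not exist.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def summarize(log_text):
    """Per source IP: failures against valid accounts, attempts on invalid
    usernames, and the set of valid account names that were probed."""
    per_ip = defaultdict(lambda: {
        "valid_user_failures": 0, "invalid_user_attempts": 0, "valid_users": set()})
    for line in log_text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            entry = per_ip[m["ip"]]
            entry["valid_user_failures"] += 1
            entry["valid_users"].add(m["user"])
            continue
        m = INVALID_USER.search(line)
        if m:
            per_ip[m["ip"]]["invalid_user_attempts"] += 1
    return dict(per_ip)


def sources_probing_valid_users(log_text, threshold=1):
    """Source addresses with at least `threshold` key failures against
    accounts that exist; these are invisible at the default LogLevel."""
    return sorted(ip for ip, e in summarize(log_text).items()
                  if e["valid_user_failures"] >= threshold)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_AUTH_LOG).items():
        print(ip, entry)
    print("probing valid users:", sources_probing_valid_users(SAMPLE_AUTH_LOG))
```

Successful logins are deliberately ignored, so an address that only ever authenticates correctly never appears in the summary.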