So, I've been noticing a rash of SSH connections getting a "failed password for root" recently, and yet they're not being caught and blocked by blocklistd.
Unlike those that do get blocked, these all have "[preauth]" tacked onto the end of all but the "Failed" entry:

sshd[1340]: SSH: Server;Ltype: Kex;Remote: 177.22.113.74-44680;Enc: aes128-ctr;MAC: hmac-sha2-256-...@openssh.com;Comp: none [preauth]
sshd[1340]: SSH: Server;Ltype: Authname;Remote: 177.22.113.74-44680;Name: root [preauth]
sshd[1340]: Failed password for root from 177.22.113.74 port 44680 ssh2
sshd[1340]: Connection closed by authenticating user root 177.22.113.74 port 44680 [preauth]

I'm struggling to find where these are coming from in the code, and why they aren't being passed to blocklistd. Every place I see where the "Failed" message can be generated, there's an associated call to pfilter_notify(). I think these "preauth" messages must be coming from the code in monitor.c, but both the auth_log() calls there have pfilter_notify() calls for the "Failed" state.

-- 
Greg A. Woods <gwo...@acm.org>
Kelowna, BC +1 250 762-7675
RoboHack <wo...@robohack.ca>
Planix, Inc. <wo...@planix.com>
Avoncote Farms <wo...@avoncote.ca>
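The following is an added triage script, not part of the post above and not NetBSD or OpenSSH code. It parses sshd log lines of the shape quoted in the post, groups them per connection (sshd PID plus remote address and port), and marks the sessions that show the pattern described there: an "Authname ... [preauth]" line followed by a "Failed password" line. The per-address failure counts it produces can then be compared against what blocklistd actually recorded (for example via blocklistctl dump), which is the quickest way to confirm that a given session was never notified. The sample log is constructed for this example: the first session is the one from the post (including its elided MAC name), the other two are invented contrast cases; the regular expressions, function names and the block threshold are assumptions, not anything from blocklistd.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: session 1340 is the excerpt from the post, the
# 203.0.113.9 sessions are invented (no Authname line, several attempts).
SAMPLE_LOG = """\
sshd[1340]: SSH: Server;Ltype: Kex;Remote: 177.22.113.74-44680;Enc: aes128-ctr;MAC: hmac-sha2-256-...@openssh.com;Comp: none [preauth]
sshd[1340]: SSH: Server;Ltype: Authname;Remote: 177.22.113.74-44680;Name: root [preauth]
sshd[1340]: Failed password for root from 177.22.113.74 port 44680 ssh2
sshd[1340]: Connection closed by authenticating user root 177.22.113.74 port 44680 [preauth]
sshd[1402]: Failed password for admin from 203.0.113.9 port 51022 ssh2
sshd[1402]: Failed password for admin from 203.0.113.9 port 51022 ssh2
sshd[1402]: Connection closed by authenticating user admin 203.0.113.9 port 51022 [preauth]
sshd[1455]: Failed password for admin from 203.0.113.9 port 51100 ssh2
"""

# Assumed line shapes, modelled on the post's excerpt (not taken from sshd source).
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
AUTHNAME_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: SSH: Server;Ltype: Authname;"
    r"Remote: (?P<ip>[^-;]+)-(?P<port>\d+);Name: (?P<user>\S+) \[preauth\]"
)
CLOSED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Connection closed by authenticating user (?P<user>\S+) "
    r"(?P<ip>\S+) port (?P<port>\d+) \[preauth\]"
)

Session = Tuple[str, str, str]  # (sshd pid, remote ip, remote port)


def parse_sessions(text: str) -> Dict[Session, dict]:
    """Group log lines into per-connection records keyed by (pid, ip, port)."""
    sessions: Dict[Session, dict] = defaultdict(
        lambda: {"user": None, "authname_preauth": False, "failed": 0, "closed_preauth": False}
    )
    for line in text.splitlines():
        m = AUTHNAME_RE.search(line)
        if m:
            s = sessions[(m["pid"], m["ip"], m["port"])]
            s["user"] = m["user"]
            s["authname_preauth"] = True   # the [preauth] Authname line seen in the post
            continue
        m = FAILED_RE.search(line)
        if m:
            s = sessions[(m["pid"], m["ip"], m["port"])]
            s["user"] = m["user"]
            s["failed"] += 1              # one "Failed password" line per attempt
            continue
        m = CLOSED_RE.search(line)
        if m:
            sessions[(m["pid"], m["ip"], m["port"])]["closed_preauth"] = True
    return dict(sessions)


def failures_per_ip(sessions: Dict[Session, dict]) -> Dict[str, int]:
    """Total failed password attempts per remote address across all sessions."""
    counts: Dict[str, int] = defaultdict(int)
    for (_pid, ip, _port), s in sessions.items():
        counts[ip] += s["failed"]
    return dict(counts)


def preauth_failures(sessions: Dict[Session, dict]) -> List[Session]:
    """Sessions showing the post's pattern: Authname [preauth] followed by a failure.
    These are the ones to cross-check against blocklistd's own database."""
    return sorted(k for k, s in sessions.items() if s["authname_preauth"] and s["failed"] > 0)


def block_candidates(sessions: Dict[Session, dict], threshold: int = 3) -> List[str]:
    """Addresses at or above an assumed failure threshold (blocklistd uses its own)."""
    return sorted(ip for ip, n in failures_per_ip(sessions).items() if n >= threshold)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for key in preauth_failures(sessions):
        print("preauth failure, check blocklistd saw it:", key, sessions[key]["user"])
    print("failures per address:", failures_per_ip(sessions))
    print("at threshold:", block_candidates(sessions))
```

Run it against a real /var/log/authlog by replacing SAMPLE_LOG with the file contents; any address listed under "at threshold" that is absent from blocklistd's dump is a session sshd never notified about.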