sshd logging with key-only authentication

Glen Barber glen.j.barber at gmail.com
Fri Jul 9 02:29:37 UTC 2010


On 7/8/10 10:24 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
>> dictionary-based.  That's fine; I have proper measures in place, such as
>> key-only access, bruteforce tables for PF, and so on; though some of the
>> attacks are delaying login attempts, bypassing the bruteforce rules, but that
>> isn't the reason for this post.
>>
>> What caught my interest is if I attempt to log in from a machine where I do
>> not have my key or an incorrect key, I see nothing logged in auth.log about a
>> failed login attempt.  If I attempt with an invalid username, as expected, I
>> see 'Invalid user ${USER} from ${IP}.'
>>
>> I'm more concerned with ssh login failures with valid user names. Looking at
>> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
>> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
>> empty), and has an executable shell.  I'm no C hacker, but superficially it
>> looks like it can never meet a condition where the user is valid but the key
>> is invalid to trigger a log entry.
>>
>> Is this a bug in openssh, or have I overlooked something in my configuration?
>
> With LogLevel VERBOSE, you should get entries like
> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>
> Is that what you're after?
>

Sort of, but do I really need to set verbose logging to find that valid 
users are used in SSH attacks?  root is an obvious target, which in my 
scenario is not allowed.  I'm concerned about more specific, allowed users.

Regards,

-- 
Glen Barber
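
An added example, not part of the thread or of OpenSSH: once sshd runs with LogLevel VERBOSE in sshd_config, the "Failed publickey for <user> from <ip> port <n> ssh2" lines David quotes are what distinguish a guessed-but-valid username from an "Invalid user" probe. The script below parses a small set of constructed auth.log lines (not real traffic; hostnames, PIDs, usernames and addresses are invented) in that format, counts key failures against existing accounts per source address, and lists the addresses that crossed a threshold so they can be fed to a pf table. The table name "bruteforce" is assumed from Glen's description and is hypothetical; the "Failed ... for invalid user ..." form is the one OpenSSH uses when the account does not exist, and it is deliberately counted separately.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real data), in the format OpenSSH
# writes with LogLevel VERBOSE under the default FreeBSD syslog prefix.
SAMPLE_AUTH_LOG = """\
Jul  8 22:10:01 host sshd[88595]: Failed publickey for root from 198.51.100.7 port 41256 ssh2
Jul  8 22:10:03 host sshd[88596]: Invalid user admin from 198.51.100.7
Jul  8 22:10:04 host sshd[88596]: Failed publickey for invalid user admin from 198.51.100.7 port 41258 ssh2
Jul  8 22:10:09 host sshd[88601]: Failed publickey for glen from 203.0.113.20 port 50001 ssh2
Jul  8 22:10:12 host sshd[88602]: Failed publickey for glen from 203.0.113.20 port 50002 ssh2
Jul  8 22:10:15 host sshd[88603]: Failed publickey for glen from 203.0.113.20 port 50003 ssh2
Jul  8 22:11:00 host sshd[88610]: Accepted publickey for glen from 192.0.2.5 port 40000 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# "Invalid user <user> from <ip>" is logged at the default level already.
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_auth_log(text):
    """Return (valid_failures, invalid_attempts).

    valid_failures:   Counter keyed by (ip, user) for failed authentications
                      against accounts that exist (no 'invalid user' marker).
    invalid_attempts: Counter keyed by ip for 'Invalid user' probes.
    Accepted logins and unrelated lines are ignored.
    """
    valid_failures = Counter()
    invalid_attempts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            if m.group("invalid") is None:
                valid_failures[(m.group("ip"), m.group("user"))] += 1
            # failures for non-existent users are already counted via INVALID_RE
            continue
        m = INVALID_RE.search(line)
        if m:
            invalid_attempts[m.group("ip")] += 1
    return valid_failures, invalid_attempts


def sources_to_block(valid_failures, threshold=3):
    """Source addresses with at least `threshold` failed attempts against
    existing accounts, summed over users: the hosts that got a username right."""
    per_ip = Counter()
    for (ip, _user), n in valid_failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    failures, probes = parse_auth_log(SAMPLE_AUTH_LOG)
    for (ip, user), n in sorted(failures.items()):
        print(f"{ip} -> {user}: {n} failed key attempt(s) against an existing account")
    for ip, n in sorted(probes.items()):
        print(f"{ip}: {n} invalid-user probe(s)")
    for ip in sources_to_block(failures):
        # "bruteforce" is a hypothetical pf table name; run the printed command
        # (or pass the list to a cron job) to add the offender to it.
        print(f"pfctl -t bruteforce -T add {ip}")
```

Run it against the real file with parse_auth_log(open("/var/log/auth.log").read()); the threshold is per source rather than per (source, user) so that an attacker rotating through several real usernames from one address is still caught.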


More information about the freebsd-stable mailing list