sshguard <2.1.0 doesn't match "Failed password for invalid user ..."

Bug #1859809 reported by Malcolm Scott
Affects: sshguard (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I observe that sshguard 1.7.1-1 in bionic doesn't block SSH bruteforce attacks which are trying to log in as nonexistent accounts.

Whilst it blocks attacks which result in auth.log messages like:
  Jan 15 08:51:19 io sshd[18965]: Failed password for root from 223.223.200.14 port 48974 ssh2
it doesn't block attacks which result in:
  Jan 15 11:31:15 io sshd[11997]: Failed password for invalid user guest from 58.186.196.223 port 21715 ssh2

Matching log lines which include "invalid user" was added in sshguard 2.1.0 (https://sourceforge.net/p/sshguard/mailman/message/36109171/).

I consider this a security issue since sshguard is not performing its function -- it looks at first glance like it is working and it does block *some* attacks, but it misses the majority.

Could this or a later version be backported to bionic?

Jason Stangroome (a-launchpad-7) wrote :

This change in logging was introduced in OpenSSH 7.5 and explicitly noted in the "Potentially-incompatible changes" section of the release notes. Bionic has OpenSSH 7.6.

> The format of several log messages emitted by the packet code has
> changed to include additional information about the user and
> their authentication state. Software that monitors ssh/sshd logs
> may need to account for these changes. For example:

> Connection closed by user x 1.1.1.1 port 1234 [preauth]
> Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
> Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]

> Affected messages include connection closure, timeout, remote
> disconnection, negotiation failure and some other fatal messages
> generated by the packet code.

https://www.openssh.com/txt/release-7.5
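The following is an added illustration, not code from the bug report or from sshguard itself. It runs two regex matchers over the two auth.log lines quoted in the description plus one constructed line in the OpenSSH 7.5 "Connection closed by invalid user" format (user and address made up). The "narrow" pattern is a hypothetical stand-in for a matcher that expects a single-token username between "for" and "from"; it reproduces the symptom described above (it never sees the "invalid user" lines) without claiming to be sshguard's actual attack signature. The "fixed" patterns accept the optional "invalid user " prefix and the 7.5+ connection-closure message.

```python
import re

# Log lines: the first two are quoted verbatim from the bug description; the third
# is constructed to follow the OpenSSH 7.5 release-note format (RFC 5737 test address).
SAMPLE_LOG = [
    "Jan 15 08:51:19 io sshd[18965]: Failed password for root from 223.223.200.14 port 48974 ssh2",
    "Jan 15 11:31:15 io sshd[11997]: Failed password for invalid user guest from 58.186.196.223 port 21715 ssh2",
    "Jan 15 11:31:20 io sshd[11998]: Connection closed by invalid user admin 192.0.2.10 port 4242 [preauth]",
]

# Hypothetical narrow matcher: exactly one whitespace-free token between "for" and "from".
# On "Failed password for invalid user guest from ..." the token would have to be
# "invalid user guest", so the line is silently skipped. This mirrors the reported
# pre-2.1.0 behaviour; it is not sshguard's own pattern.
NARROW_FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+"
)

# Corrected matchers. The optional "invalid user " prefix covers nonexistent accounts.
# For the connection-closure message only the "invalid user" variant is counted:
# a plain "Connection closed by user x" is a normal disconnect, not a failed login,
# so matching it would penalise legitimate users.
FIXED_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: Connection closed by invalid user (\S+) (\S+) port \d+"),
]


def extract_attackers(lines, patterns):
    """Return {source_ip: [usernames]} for every line matched by any pattern."""
    hits = {}
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                user, ip = m.group(1), m.group(2)
                hits.setdefault(ip, []).append(user)
                break  # one attribution per line
    return hits


def narrow_hits(lines=SAMPLE_LOG):
    """What a matcher without 'invalid user' support would block."""
    return extract_attackers(lines, [NARROW_FAILED_PASSWORD])


def fixed_hits(lines=SAMPLE_LOG):
    """What the corrected matchers block."""
    return extract_attackers(lines, FIXED_PATTERNS)


def missed_lines(lines=SAMPLE_LOG):
    """Lines the narrow matcher drops: the detection gap the report describes."""
    return [line for line in lines if not NARROW_FAILED_PASSWORD.search(line)]


if __name__ == "__main__":
    print("narrow matcher blocks:", narrow_hits())
    print("fixed matchers block: ", fixed_hits())
    for line in missed_lines():
        print("MISSED by narrow matcher:", line)
```

Running it shows the narrow matcher attributing only the root attempt to 223.223.200.14, while the "invalid user" attempts from 58.186.196.223 and 192.0.2.10 are never seen. Comparing the two dictionaries against a day of real auth.log is a quick way to measure how much of the brute-force traffic a given sshguard version actually reacts to.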

Jason Stangroome (a-launchpad-7) wrote :

A very similar issue seems to have been addressed in sshguard 2.3 where "Failed publickey" logs with the key fingerprint at the end of the log line (as per Bionic's openssh 7.6 behavior) were not detected and therefore not blocked.

https://bitbucket.org/sshguard/sshguard/commits/cbf6332a3b21486136574e6968367f0bda293b5a

Malcolm Scott (malcscott) wrote :

sshguard in Ubuntu 18.04 is still largely nonfunctional. Is the relevant change likely to ever be backported to 18.04?
