ssh new rule to be added

[octavsly]

The following attack is not detected by fail2ban version 0.9.1 (gentoo)

Nov 24 23:46:39 weurope sshd[32686]: SSH: Server;Ltype: Version;Remote: 121.199.22.83-1780;Protocol: 2.0;Client: libssh2_1.4.3
Nov 24 23:46:40 weurope sshd[32686]: SSH: Server;Ltype: Kex;Remote: 121.199.22.83-1780;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
Nov 24 23:46:41 weurope sshd[32686]: SSH: Server;Ltype: Authname;Remote: 121.199.22.83-1780;Name: root [preauth]
Nov 24 23:46:43 weurope sshd[32686]: fatal: Read from socket failed: Connection reset by peer [preauth]

To detect it I did add in sshd.conf the following:
^.Remote: -.\n.*fatal: Read from socket failed: Connection reset by peer [preauth]$
This needs to be changed to a proper/better regexp.

[sebres]

I think, it is not really an attack... (can be just a closed connection);
@octavsly How often do you see it in the log?

But, during I tried to reproduce this situation, I found another one, that will not be detected from f2b:

Nov 25 01:33:13 srv sshd[...]: Received disconnect from <HOST>: 14: No supported authentication methods available [preauth]
Nov 25 01:34:12 srv sshd[...]: Received disconnect from <HOST>: 14: No supported authentication methods available [preauth]

And although without any known regexp of sshd-filter, such "authentication failed/error", "invalid user ...", "User ... not allowed" etc. Just this one line.

[yarikoptic]

On Mon, 24 Nov 2014, Serg G. Brester wrote:

I think, it is not really an attack... (can be just a closed connection);
@octavsly How often do you see it in the log?
But, during I tried to reproduce this situation, I found another one, that
will not be detected from f2b:

Nov 25 01:33:13 srv sshd[...]: Received disconnect from : 14: No supported authentication methods available [preauth]
Nov 25 01:34:12 srv sshd[...]: Received disconnect from : 14: No supported authentication methods available [preauth]

And although without any known regexp of sshd-filter, such "authentication
failed/error", "invalid user ...", "User ... not allowed" etc. Just this
one line.

both of those might be relevant for sshd-ddos where for now we have only

failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

[octavsly]

I see this more than 8000 times. Furthermore,

1. the address is somewhere in China
2. I am running a personal server, so I should be the only one logging
3. I am running on a non standard port (thus not 22)

On November 25, 2014 3:53:51 AM CET, Yaroslav Halchenko notifications@github.com wrote:

On Mon, 24 Nov 2014, Serg G. Brester wrote:

I think, it is not really an attack... (can be just a closed
connection);
@octavsly How often do you see it in the log?
But, during I tried to reproduce this situation, I found another
one, that
will not be detected from f2b:

Nov 25 01:33:13 srv sshd[...]: Received disconnect from : 14:
No supported authentication methods available [preauth]
Nov 25 01:34:12 srv sshd[...]: Received disconnect from : 14:
No supported authentication methods available [preauth]

And although without any known regexp of sshd-filter, such
"authentication
failed/error", "invalid user ...", "User ... not allowed" etc.
Just this
one line.

both of those might be relevant for sshd-ddos where for now we have
only

failregex = ^%(__prefix_line)sDid not receive identification string
from <HOST>\s*$

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

---

Reply to this email directly or view it on GitHub:
#864 (comment)

[sebres]

@yarikoptic both of those might be relevant for sshd-ddos where for now we have only...

I think at least "No supported authentication methods available [preauth]" should be an expression in sshd-filter, because it occurred if I try to connect with invalid method (without key for user with key only or from host not allowed for this user etc.).
Furthermore I don't know how to reproduce an original issue reported @octavsly (strange "chinese" connect). Because the HOST address is not in line with "connection reset..." and sshd has a definitely single line logic. In addition this "second" entry occurred 2 seconds after line with HOST, so the sample multiline regexp given @octavsly is too hazardous - If between this two lines sshd will log some legal activity - it will ban a wrong host or will ban nothing at all.
I know other similar string sshd can produce for such connections, but it contains a host directly in line self:

Nov 25 01:30:57 srv sshd[...]: Received disconnect from <HOST>: Bye Bye [preauth]

[octavsly]

An option would be to write a feature request to openssh so they print the host on the same line with the error. Does it make sense?

On November 25, 2014 9:31:39 AM CET, "Serg G. Brester" notifications@github.com wrote:

@yarikoptic both of those might be relevant for sshd-ddos where for now we have only...

I think at least "No supported authentication methods available
[preauth]" should be an expression in sshd-filter, because it occurred
if I try to connect with invalid method (without key for user with key
only or from host not allowed for this user etc.).
Furthermore I don't know how to reproduce an original issue reported
@octavsly (strange "chinese" connect). Because the HOST address is not
in line with "connection reset..." and sshd has a definitely single
line logic. In addition this "second" entry occurred 2 seconds after
line with HOST, so the sample multiline regexp given @octavsly is too
hazardous - If between this two lines sshd will log some legal activity

• it will ban a wrong host or will ban nothing at all.
  I know other similar string sshd can produce for such connections, but
  it contains a host directly in line self:

Nov 25 01:30:57 srv sshd[...]: Received disconnect from <HOST>: Bye Bye
[preauth]

---

Reply to this email directly or view it on GitHub:
#864 (comment)

[sebres]

About sense of adding a host in error case: it would be always good, but I don't think you can get it quickly fixed with simple feature request :)
It make more sense, if at last sshd would log one unique string or prefix after connection failure, no matter why.
Something like:

Nov 25 01:33:13 srv sshd[...]: Failure from <HOST>: <here can be a reason why ...>

Or if sshd gets a system callback (like call_if_fails) with address of failed connection. Then we can self produce a failure for fail2ban.

About a subject self (as long as not fixed) - I believe, it can be an issue/bug by sshd, that can be easy avoided using simple config changes.
Just add to sshd_config a Ciphers should be allowed.
For details about this server "bug", see http://serverfault.com/questions/583355/ssh-issues-read-from-socket-failed-connection-reset-by-peer.

[yarikoptic]

@sebres re "unique" string, wouldn't daemon pid (logged as 32686 in the report) suffice?

[sebres]

@yarikoptic nope, because sshd will write many success/info messages with the same pid as well.

[yarikoptic]

that pid is per connection... if there are success/info msgs we would better ignore that anyways as you have described it is merely up to an sshd config tune up

but once again -- what should we do about it -- add to sshd-ddos? or not even bother at all since might be just a false positive at times

[octavsly]

created a feature request at openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=2327

[marcosfrm]

sshd[XXX]: error: Received disconnect from X.X.X.X: 14: No supported authentication methods available [preauth]

My server only allows pubkey auth. This error happens when one knows a valid user name but does not have the key.

I think it should be added.

[sebres]

@octavsly, @marcosfrm tests of #1209 are welcome

[octavsly]

I have tested the patch with the code present at the beginning of the ticket, and it works.
It does match the HOST.
Thank you.

[stevenengland]

Hi there, using the current 0.10 build and running
fail2ban-regex -e UTF-8 /var/log/auth.log /etc/fail2ban/filter.d/sshd-aggressive.conf
to catch all lines with filter regex from sshd.conf
^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt)s: 14: No supported authentication methods available%(__suff)s$
does not recognize lines like

Jan 22 12:27:55 ubuntu sshd[3625]: error: Received disconnect from 192.168.2.92 port 1684:14: No supported authentication methods available [preauth]

The (for testing-purposes) simplified version
^.*<HOST>.*14: No supported authentication methods available.*$
detects it. Can you please have a look?

UPDATE: The problem is the part
%(__on_port_opt)s: 14
The whitespace in front of "14" is too much for the logs like I receive them...

[sebres]

Fixed, Thx...