Results 1 to 6 of 6

Thread: OpenSSH does not log failed authentication attempts with PublicKeys

Hybrid View

  1. #1
    Join Date
    Mar 2009
    Beans
    5
    Distro
    Ubuntu 9.10 Karmic Koala

    Exclamation OpenSSH does not log failed authentication attempts with PublicKeys

    My server runs Karmic Koala and OpenSSH. (the version you get from apt)
    I am using public keys and no passwords. When I try to connect with a correct username and a invalid keypair the login fails but I don't get a log message telling me so! Only this:
    Code:
    Feb 16 03:49:26 hybris sshd[3180]: Connection from 192.168.1.31 port 49277
    Using invalid usernames and successful logins both result in meaningful messages, so does using a wrong password, why doesn't a failed key-attempt?

    I googled it and came across two similar problems:
    https://bugs.launchpad.net/ubuntu/+s...sh/+bug/304598
    https://bugzilla.mindrot.org/show_bug.cgi?id=1468

    The solution was upping the LogLevel from INFO to VERBOSE, but if I try that I still don't get a appropriate message. I even tried out DEBUG, but still no luck. (Apart from making it really hard to read the logfile...)

    Am I the only one with this problem? I find it hard to believe that nobody is missing this message. An attacker could try thousands of keys without anyone ever noticing - including fail2ban.

  2. #2
    Join Date
    Nov 2005
    Location
    Bordeaux, France
    Beans
    11,297
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenSSH does not log failed authentication attempts with PublicKeys

    Same behaviour on my two servers (one FreeBSD and one Debian). This is probably not a bug but normal default behaviour.

  3. #3
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: OpenSSH does not log failed authentication attempts with PublicKeys

    Quote Originally Posted by nizuri View Post
    Am I the only one with this problem? I find it hard to believe that nobody is missing this message. An attacker could try thousands of keys without anyone ever noticing - including fail2ban.
    Which is why I use iptables. Why install another service such as fail2ban or deny hosts when iptables is perfectly capable (both of logging and blocking these attempts) ?

    And yes, my iptables rules work with keys or passwords =)

    In terms of using thousands of keys, good luck on that. You would first need to somehow duplicate my private key, then get the user name, then get the password. Nothing is impossible, but cracking my server by using thousands of keys is highly improbable.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #4
    Join Date
    Mar 2009
    Beans
    5
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: OpenSSH does not log failed authentication attempts with PublicKeys

    Thanks to both of you.
    Same behaviour on my two servers (one FreeBSD and one Debian). This is probably not a bug but normal default behaviour.
    I'm afraid so. Im going to file a bug report anyway. Especially as it worked with OpenSSH 5.0, at least with a high enough LogLevel.

    Which is why I use iptables. Why install another service such as fail2ban or deny hosts when iptables is perfectly capable (both of logging and blocking these attempts) ?

    And yes, my iptables rules work with keys or passwords =)
    Hm, sounds good. How do you manage that? Block every IP that tries to connect too often in a given timeframe? (That's the only way I found using iptables.)
    It looks like it's no possible for iptables to differentiate between failed and successful attempts.
    On the other hand it's not very likely that I or scripts of mine try to connect in such short intervals anyway.

    Something like those two scripts?

    script in /etc/network/if-down.d/
    Code:
    #!/bin/bash
    [ "${METHOD}" != loopback ] || exit 0
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
    script in /etc/network/if-up.d/
    Code:
    #!/bin/bash
    [ "${METHOD}" != loopback ] || exit 0
    /sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    /sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
    http://kevin.vanzonneveld.net/techbl...with_iptables/

    In terms of using thousands of keys, good luck on that. You would first need to somehow duplicate my private key, then get the user name, then get the password. Nothing is impossible, but cracking my server by using thousands of keys is highly improbable.
    Of course you are right, that's not very likely. It just bugged me, that I'd have no way of telling if it would indeed happen. Or at least not a very obvious way.

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: OpenSSH does not log failed authentication attempts with PublicKeys

    Those rules look fine, be sure to test them.

    You are correct, iptables tracks NEW connections, but of course, for the most part,

    multiple failed attempts == multiple new connections.

    The only thing you may run across is scp, sftp, or other file transfers (SVN over SSH), each file may a new connection, so if you do a lot of transfers liberalize the number of new connections. If you are using keys and strong passwords you can always allow 10-20 new connections if needed.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Mar 2009
    Beans
    5
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: OpenSSH does not log failed authentication attempts with PublicKeys

    Oh, I completely forgot about scp and git. I wrote a script that copies a backup of all my repos over scp, but I wanted to rewrite it anyway, so that it tars all those small blobs into a single archive before the transfer.
    But that still leaves git itself. I'll have to try if it triggers the rules, when cloning large repos. I hope it's a single connection.

    Edit: I compiled 5.3p1 and the problem still exists, so I filed a bug-report. (I wonder why one still gets 5.1p1 with the sources in apt-get.)
    Both git and scp only open one connection, so at least that works. I set the iptables hitcount to 15 and kept 6 attempts for fail2ban.

    Thanks again.
    Last edited by nizuri; February 18th, 2010 at 02:01 PM. Reason: addition

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •