BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf

2013-04-18 04:38:03 +10:00 · 2013-04-18 04:38:03 +10:00 · 41b9f7b6ac
parent 32d10e904a
commit 41b9f7b6ac
2 changed files with 7 additions and 1 deletions
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@ -2,6 +2,13 @@
 #
 # Author: Yaroslav Halchenko
 #
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".

 [INCLUDES]

--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -24,7 +24,6 @@ _daemon = sshd
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
-            ^%(__prefix_line)sDid not receive identification string from <HOST>$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$