filter.d/sshd.conf: ddos/aggressive mode extended to match new messages caused by port scanner, wrong payload on ssh port:

- message authentication code incorrect [preauth]
- connection corrupted [preauth]
- timeout before authentication
closes gh-3486
pull/3690/head
sebres 10 months ago
parent 9bedc3c383
commit 4f679a56e0

@ -35,6 +35,10 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition
* `filter.d/sshd.conf`: * `filter.d/sshd.conf`:
- avoid double counting for "maximum authentication attempts exceeded" (gh-3502) - avoid double counting for "maximum authentication attempts exceeded" (gh-3502)
- message "Disconnecting ... Too many authentication failures" is not a failure anymore - message "Disconnecting ... Too many authentication failures" is not a failure anymore
- mode `ddos`/`aggressive` extended to match new messages caused by port scanner, wrong payload on ssh port (gh-3486):
* message authentication code incorrect [preauth]
* connection corrupted [preauth]
* timeout before authentication
ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm
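Review bot: the new ChangeLog sub-bullets credit all three messages to "port scanner, wrong payload on ssh port", but the third one, `timeout before authentication`, is not a payload error at all: sshd logs it when a client opens the port and then sends nothing (or never completes authentication) before the login grace period expires, which is the same class of event as `Did not receive identification string` that `ddos` mode already matches. Suggest qualifying it in the entry, e.g. `* timeout before authentication (no or incomplete handshake, like "Did not receive identification string")`, so that admins enabling `mode = ddos` understand it can also ban slow or half-open legitimate clients, not only scanners.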

@ -70,12 +70,13 @@ mdre-normal =
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$
mdre-ddos = ^Did not receive identification string from <HOST> mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) <HOST>
^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
^Bad protocol version identification '(?:[^']|.*?)' (?:from )?<HOST>%(__suff)s$ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?<HOST>%(__suff)s$
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+: ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
^banner exchange: Connection from <HOST><__on_port_opt>: invalid format ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <HOST><__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\])
# same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address): # same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
mdre-ddos-other = ^<F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ mdre-ddos-other = ^<F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$
^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>(?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>(?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$
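Review bot: the extended `banner exchange|ssh_dispatch_run_fatal` line keeps tag-substitution form `<__on_port_opt>` while every other line in this block (`mdre-normal-other`, `mdre-ddos-other`) uses the `%(__on_port_opt)s` interpolation; both work, but since the line is being rewritten anyway it should adopt one form, e.g. `Connection from <HOST>%(__on_port_opt)s: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\])`. Two further points on the same line: unlike the `Bad protocol version identification` line above it, it has no `%(__suff)s$` or `\s*$` terminator, so it matches as a prefix of any longer message; and `\[preauth\]` is mandatory for the two `ssh_dispatch_run_fatal` messages, which deliberately leaves post-authentication MAC or corruption failures unmatched, whereas the `Timeout before authentication for` branch added to the first line carries no such restriction. A one-line comment stating that only the pre-auth variants are intended would save the next reader from guessing.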

@ -325,6 +325,13 @@ Mar 1 18:59:33 hostname sshd[1189575]: error: kex_exchange_identification: bann
# failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" } # failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" }
Mar 1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format Mar 1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format
# failJSON: { "time": "2005-03-01T18:59:50", "match": true , "host": "192.0.2.13", "desc": "ddos: port scanner, wrong payload on ssh port (message authentication code incorrect [preauth], gh-3486)" }
Mar 1 18:59:50 hostname sshd[71905]: ssh_dispatch_run_fatal: Connection from 192.0.2.13 port 33738: message authentication code incorrect [preauth]
# failJSON: { "time": "2005-03-01T18:59:50", "match": true , "host": "192.0.2.13", "desc": "ddos: port scanner, wrong payload on ssh port (connection corrupted [preauth], gh-3486)" }
Mar 1 18:59:50 hostname sshd[80348]: ssh_dispatch_run_fatal: Connection from 192.0.2.13 port 52452: Connection corrupted [preauth]
# failJSON: { "time": "2005-03-01T18:59:52", "match": true , "host": "192.0.2.14", "desc": "ddos: port scanner (timeout before authentication, gh-3486)" }
Mar 1 18:59:52 srv sshd[12345]: fatal: Timeout before authentication for 192.0.2.14 port 55555
# failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" } # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth] Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
# failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" } # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
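Review bot: the three new samples exercise only the positive path; add a `"match": false` case for an `ssh_dispatch_run_fatal: Connection from ... : message authentication code incorrect` line without the `[preauth]` suffix, since the filter requires that tag and the exclusion of post-authentication failures should be pinned by the test rather than left implicit. Minor: the `Timeout before authentication` sample uses host `srv` and pid `12345` while its neighbours use `hostname`; keeping the fixture hostname consistent makes the log easier to scan.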
