
After installing OPENSSH V8.9-1G bad logins are no longer announced.

Posted: Wed Feb 21, 2024 10:33 pm
by pocketprobe
Back in October, I found my system under attack from an SSH brute force attempt. Looking back at the bug report, OPCOM was happily announcing every attempt made, no matter the account name and it had made for a tidy abuse report. Recently, I had found myself under the same, but intrusions were no longer being announced/added to the intrusion database when the account name isn't valid.

I've set up a machine with OPENSSH V8.9-1F installed to record desired behaviors.

%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:01.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:01.75
PID:                      00000490
Process name:             SSHD22_BG863
Username:                 SSH$SSH
Remote nodename:          SSH_PUBLICKEY:192.168.1.250
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:02.73  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:02.73
PID:                      00000490
Process name:             SSHD22_BG863
Username:                 SSH$SSH
Remote nodename:          SSH_PASSWORD:192.168.1.250
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$

$ show int
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
   NETWORK      INTRUDER      6   22-FEB-2024 03:57:06.55  SSH_PASSWORD:192.168.1.250::INVALIDK
   NETWORK      INTRUDER      9   22-FEB-2024 03:55:53.38  SSH_PASSWORD:192.168.1.250::SYSTEM
   NETWORK      SUSPECT       4   22-FEB-2024 04:11:56.29  SSH_PUBLICKEY:192.168.1.250::INVALIDK

I did try the invalid user INVALIDK to show that it's not aliasing all invalid logins to INVALID. After installing OPENSSH V8.9-1G the system is no longer recording logins with an invalid username. OPENSSH V8.9-1H behaves the same as well. I am not sure if this is an intentional change, but it does make recording/reporting much harder.

Furthermore, with OPENSSH V8.9-1F you can try 3 login attempts, but with OPENSSH V8.9-1G and later it disconnects immediately.
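One way to keep an abuse-report-grade record of failed SSH logins independently of the intrusion database, as an added example that is not part of the original post or of VSI's OpenSSH kit: a small parser for the OPCOM security-alarm layout quoted above (the AUDIT$SERVER "Network login failure" message), grouping failures per source the way SHOW INTRUSION does and separating the no-such-user cases. The OPCOM text below is constructed for this demonstration from the layout in the post; the third message (a SYSTEM login with a %LOGIN-F-INVPWD status) is an assumed sample, not taken from the post. In practice the input would be the OPCOM log or the output of ANALYZE/AUDIT.

```python
"""Parse OpenVMS OPCOM security-alarm messages and count network login failures.

Added example, not from the forum thread or from VSI's OpenSSH: the message
layout follows the AUDIT$SERVER output quoted in the post; SAMPLE_OPCOM is a
constructed sample, and the third message is an assumed one.
"""
import re
from collections import Counter

# Constructed sample in the layout quoted in the post (third message assumed).
SAMPLE_OPCOM = """\
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:01.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:01.75
PID:                      00000490
Process name:             SSHD22_BG863
Username:                 SSH$SSH
Remote nodename:          SSH_PUBLICKEY:192.168.1.250
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:02.73  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:02.73
PID:                      00000490
Process name:             SSHD22_BG863
Username:                 SSH$SSH
Remote nodename:          SSH_PASSWORD:192.168.1.250
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

%%%%%%%%%%%  OPCOM  22-FEB-2024 03:53:10.01  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:53:10.01
PID:                      00000491
Process name:             SSHD22_BG864
Username:                 SSH$SSH
Remote nodename:          SSH_PASSWORD:192.168.1.250
Remote username:          SYSTEM
Status:                   %LOGIN-F-INVPWD, invalid password
"""

# OPCOM banner line: a run of '%', OPCOM, a DD-MON-YYYY HH:MM:SS.cc timestamp, a run of '%'.
HEADER_RE = re.compile(
    r"^%+\s+OPCOM\s+(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+%+\s*$", re.M)
# "Key:   value" lines; the two-or-more-space gap keeps "system id: 32046" from matching.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s{2,}(.*?)\s*$", re.M)


def parse_opcom(text):
    """Split on OPCOM banners; return one dict of lower_snake_case fields per message."""
    parts = HEADER_RE.split(text)            # [preamble, ts1, body1, ts2, body2, ...]
    messages = []
    for ts, body in zip(parts[1::2], parts[2::2]):
        fields = {"opcom_time": ts}
        for key, value in FIELD_RE.findall(body):
            fields[key.strip().lower().replace(" ", "_")] = value.strip()
        messages.append(fields)
    return messages


def login_failures(messages):
    """Keep only 'Network login failure' alarms and derive the SHOW INTRUSION source key."""
    out = []
    for m in messages:
        if m.get("auditable_event") != "Network login failure":
            continue
        method, _, host = m.get("remote_nodename", "").partition(":")
        out.append({
            "time": m.get("event_time"),
            "method": method,                 # SSH_PASSWORD or SSH_PUBLICKEY
            "host": host,
            "user": m.get("remote_username"),
            "status": m.get("status", "").split(",")[0],   # e.g. %LOGIN-F-NOSUCHUSER
            "source": f"{m.get('remote_nodename')}::{m.get('remote_username')}",
        })
    return out


def count_by_source(failures):
    """Failures per source, grouped the way SHOW INTRUSION groups them."""
    return Counter(f["source"] for f in failures)


def unknown_user_sources(failures):
    """Sources whose failures are NOSUCHUSER: the attempts the post reports are no
    longer recorded in the intrusion database with V8.9-1G and later."""
    return sorted({f["source"] for f in failures if f["status"] == "%LOGIN-F-NOSUCHUSER"})


if __name__ == "__main__":
    fails = login_failures(parse_opcom(SAMPLE_OPCOM))
    for source, n in count_by_source(fails).most_common():
        print(f"{n:5d}  {source}")
    print("no-such-user sources:", unknown_user_sources(fails))
```

Feeding the parser the real OPCOM log rather than the constructed sample gives a per-source tally that does not depend on which attempts the sshd image chose to hand to the intrusion database, which is the gap the post describes.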

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.

Posted: Thu Feb 22, 2024 8:07 am
by m_detommaso

I tested OpenSSH V8.9-1H on x86-64 V9.2-2 and I observed the same reported issue.

/Maurizio

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.

Posted: Thu Feb 22, 2024 10:02 am
by pocketprobe
Additionally, this issue is present on 9.2-1 as well, and neither of the released System Update patches affects this.

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.

Posted: Thu Feb 22, 2024 10:17 am
by dgordon
This issue has been escalated to engineering.