After installing OPENSSH V8.9-1G bad logins are no longer announced.

pocketprobe · Post by **pocketprobe** » Wed Feb 21, 2024 10:33 pm

Back in October, I found my system under attack from an SSH brute force attempt. Looking back at the bug report, OPCOM was happily announcing every attempt made, no matter the account name and it had made for a tidy abuse report. Recently, I had found myself under the same, but intrusions were no longer being announced/added to the intrusion database when the account name isn't valid.

I've setup a machine with OPENSSH V8.9-1F installed to record desired behaviors.

Code: Select all

 
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:01.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32
046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:01.75
PID:                      00000490        
Process name:             SSHD22_BG863    
Username:                 SSH$SSH         
Remote nodename:          SSH_PUBLICKEY:192.168.1.250                           
          
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$ 
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:02.73  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32
046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:02.73
PID:                      00000490        
Process name:             SSHD22_BG863    
Username:                 SSH$SSH         
Remote nodename:          SSH_PASSWORD:192.168.1.250                            
          
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$

Code: Select all

$ show int
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
   NETWORK      INTRUDER      6   22-FEB-2024 03:57:06.55  SSH_PASSWORD:192.168.
1.250::INVALIDK
   NETWORK      INTRUDER      9   22-FEB-2024 03:55:53.38  SSH_PASSWORD:192.168.
1.250::SYSTEM
   NETWORK      SUSPECT       4   22-FEB-2024 04:11:56.29  SSH_PUBLICKEY:192.168
.1.250::INVALIDK

I did try the invalid user INVALIDK to show that it's not aliasing all invalid logins to INVALID. After installing OPENSSH V8.9-1G the system is no longer recording logins with an invalid username. OPENSSH V8.9-1H behaves the same as well. I am not sure if this is an intentional change, but it does make recording/reporting much harder.

Furthermore with OPENSSH V8.9-1F you can try 3 login attempts, but with OPENSSH V8.9-1G and later it disconnects immediately.

m_detommaso · Post by **m_detommaso** » Thu Feb 22, 2024 8:07 am

I tested OpenSSH V8.9-1H on x86-64 V9.2-2 and I observed the same reported issue.

/Maurizio

pocketprobe · Post by **pocketprobe** » Thu Feb 22, 2024 10:02 am

Additionally, this issue is present on 9.2-1 as well and neither of the released System Update patches affect this.

dgordon · Post by **dgordon** » Thu Feb 22, 2024 10:17 am

This issue has been escalated to engineering.

VSI OpenVMS Forum

After installing OPENSSH V8.9-1G bad logins are no longer announced.

After installing OPENSSH V8.9-1G bad logins are no longer announced.

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.

Re: After installing OPENSSH V8.9-1G bad logins are no longer announced.