After installing OPENSSH V8.9-1G bad logins are no longer announced.
Posted: Wed Feb 21, 2024 10:33 pm
Back in October, I found my system under attack from an SSH brute force attempt. Looking back at the bug report, OPCOM was happily announcing every attempt made, no matter the account name, and it had made for a tidy abuse report. Recently, I had found myself under the same, but intrusions were no longer being announced/added to the intrusion database when the account name isn't valid.
I've set up a machine with OPENSSH V8.9-1F installed to record desired behaviors.
I did try the invalid user INVALIDK to show that it's not aliasing all invalid logins to INVALID. After installing OPENSSH V8.9-1G the system is no longer recording logins with an invalid username. OPENSSH V8.9-1H behaves the same as well. I am not sure if this is an intentional change, but it does make recording/reporting much harder.
Furthermore with OPENSSH V8.9-1F you can try 3 login attempts, but with OPENSSH V8.9-1G and later it disconnects immediately.
%%%%%%%%%%% OPCOM 22-FEB-2024 03:52:01.75 %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event: Network login failure
Event time: 22-FEB-2024 03:52:01.75
PID: 00000490
Process name: SSHD22_BG863
Username: SSH$SSH
Remote nodename: SSH_PUBLICKEY:192.168.1.250
Remote username: INVALIDK
Status: %LOGIN-F-NOSUCHUSER, no such user
$
%%%%%%%%%%% OPCOM 22-FEB-2024 03:52:02.73 %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event: Network login failure
Event time: 22-FEB-2024 03:52:02.73
PID: 00000490
Process name: SSHD22_BG863
Username: SSH$SSH
Remote nodename: SSH_PASSWORD:192.168.1.250
Remote username: INVALIDK
Status: %LOGIN-F-NOSUCHUSER, no such user
$
$ show int
Intrusion   Type      Count  Expiration               Source
---------   ----      -----  ----------               ------
NETWORK     INTRUDER  6      22-FEB-2024 03:57:06.55  SSH_PASSWORD:192.168.1.250::INVALIDK
NETWORK     INTRUDER  9      22-FEB-2024 03:55:53.38  SSH_PASSWORD:192.168.1.250::SYSTEM
NETWORK     SUSPECT   4      22-FEB-2024 04:11:56.29  SSH_PUBLICKEY:192.168.1.250::INVALIDK
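A small parser for the OPCOM security-audit records shown above, added here as an example that is not part of the original post: it splits captured OPCOM output into records and tallies network login failures per remote address and username, flagging NOSUCHUSER failures, which is the kind of summary the author describes using for an abuse report. It assumes the OPCOM text has been captured to a string; the sample below is constructed from the records in the post.

```python
import re
from collections import Counter

# Constructed sample in the OPCOM security-audit format shown in the post
# (addresses and names copied from the post; not live captured traffic).
SAMPLE_OPCOM = """\
%%%%%%%%%%% OPCOM 22-FEB-2024 03:52:01.75 %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event: Network login failure
Event time: 22-FEB-2024 03:52:01.75
Username: SSH$SSH
Remote nodename: SSH_PUBLICKEY:192.168.1.250
Remote username: INVALIDK
Status: %LOGIN-F-NOSUCHUSER, no such user
%%%%%%%%%%% OPCOM 22-FEB-2024 03:52:02.73 %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32046
Auditable event: Network login failure
Event time: 22-FEB-2024 03:52:02.73
Username: SSH$SSH
Remote nodename: SSH_PASSWORD:192.168.1.250
Remote username: INVALIDK
Status: %LOGIN-F-NOSUCHUSER, no such user
"""

# Each record starts with an OPCOM banner line; fields are "Name: value".
BANNER = re.compile(r"^%{5,} OPCOM .*%{5,}$", re.MULTILINE)
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$", re.MULTILINE)

def parse_records(text):
    """Split OPCOM output on banner lines; return one field dict per audit record."""
    records = []
    for chunk in BANNER.split(text):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if "Auditable event" in fields:
            records.append(fields)
    return records

def failed_logins_by_source(records):
    """Count 'Network login failure' records per (address, remote username, nosuchuser)."""
    tally = Counter()
    for r in records:
        if r.get("Auditable event") != "Network login failure":
            continue
        # "Remote nodename" is METHOD:ADDRESS, e.g. SSH_PASSWORD:192.168.1.250
        addr = r.get("Remote nodename", "").partition(":")[2]
        nosuchuser = "NOSUCHUSER" in r.get("Status", "")
        tally[(addr, r.get("Remote username", ""), nosuchuser)] += 1
    return tally
```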