After installing OPENSSH V8.9-1G bad logins are no longer announced.

Post by pocketprobe » Wed Feb 21, 2024 10:33 pm

Back in October, I found my system under attack from an SSH brute force attempt. Looking back at the bug report, OPCOM was happily announcing every attempt made, no matter the account name, and it had made for a tidy abuse report. Recently, I had found myself under the same, but intrusions were no longer being announced/added to the intrusion database when the account name isn't valid.

I've set up a machine with OPENSSH V8.9-1F installed to record desired behaviors.

Code:

%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:01.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32
046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:01.75
PID:                      00000490        
Process name:             SSHD22_BG863    
Username:                 SSH$SSH         
Remote nodename:          SSH_PUBLICKEY:192.168.1.250                           
          
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$ 
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:02.73  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32
046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:02.73
PID:                      00000490        
Process name:             SSHD22_BG863    
Username:                 SSH$SSH         
Remote nodename:          SSH_PASSWORD:192.168.1.250                            
          
Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$  

Code:

$ show int
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
   NETWORK      INTRUDER      6   22-FEB-2024 03:57:06.55  SSH_PASSWORD:192.168.
1.250::INVALIDK
   NETWORK      INTRUDER      9   22-FEB-2024 03:55:53.38  SSH_PASSWORD:192.168.
1.250::SYSTEM
   NETWORK      SUSPECT       4   22-FEB-2024 04:11:56.29  SSH_PUBLICKEY:192.168
.1.250::INVALIDK

I did try the invalid user INVALIDK to show that it's not aliasing all invalid logins to INVALID. After installing OPENSSH V8.9-1G, the system is no longer recording logins with an invalid username. OPENSSH V8.9-1H behaves the same as well. I am not sure if this is an intentional change, but it does make recording/reporting much harder.

Furthermore, with OPENSSH V8.9-1F you can try 3 login attempts, but with OPENSSH V8.9-1G and later it disconnects immediately.
Last edited by pocketprobe on Wed Feb 21, 2024 10:55 pm, edited 1 time in total.
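
The OPCOM alarms quoted in the post above can be tallied per source and username, which is the raw material for the kind of abuse report it mentions. This is an added Python example, not part of the thread or of any VSI software; the function names and the sample capture (including the %LOGIN-F-INVPWD variant) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the alarms quoted in the post,
# including the 80-column wrap that splits "system id: 32" / "046".
ALARM = """\
%%%%%%%%%%%  OPCOM  22-FEB-2024 03:52:01.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on AVALON
Security alarm (SECURITY) and security audit (SECURITY) on AVALON, system id: 32
046
Auditable event:          Network login failure
Event time:               22-FEB-2024 03:52:01.75
PID:                      00000490
Process name:             SSHD22_BG863
Username:                 SSH$SSH
Remote nodename:          SSH_PUBLICKEY:192.168.1.250

Remote username:          INVALIDK
Status:                   %LOGIN-F-NOSUCHUSER, no such user

$
"""
# Constructed variants: a password attempt, and a bad password for a real account.
SAMPLE = (ALARM
          + ALARM.replace("SSH_PUBLICKEY", "SSH_PASSWORD").replace("01.75", "02.73")
          + ALARM.replace("SSH_PUBLICKEY", "SSH_PASSWORD").replace("INVALIDK", "SYSTEM")
                 .replace("NOSUCHUSER, no such user", "INVPWD, invalid password"))

BANNER = re.compile(r"^%{5,} +OPCOM +.*%{5,}[ \t]*$", re.M)
FIELD = re.compile(r"^([A-Z][A-Za-z ]+?):[ \t]{2,}(\S.*?)[ \t]*$", re.M)

def parse_alarms(text):
    """Split an OPCOM capture on its banners; return one dict per login failure."""
    events = []
    for chunk in BANNER.split(text)[1:]:
        fields = dict(FIELD.findall(chunk))  # wrapped/blank lines carry no field
        if fields.get("Auditable event") != "Network login failure":
            continue
        method, _, address = fields.get("Remote nodename", "").partition(":")
        code = re.match(r"%(\w+-\w-\w+)", fields.get("Status", ""))
        events.append({"time": fields.get("Event time"), "method": method,
                       "source": address, "user": fields.get("Remote username"),
                       "status": code.group(1) if code else None})
    return events

def abuse_summary(events):
    """Count failures per (source, username, status) for an abuse report."""
    return Counter((e["source"], e["user"], e["status"]) for e in events)
```

A tally that never shows LOGIN-F-NOSUCHUSER while connections from the same source keep arriving is the symptom this thread describes for V8.9-1G and V8.9-1H.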

Post by m_detommaso » Thu Feb 22, 2024 8:07 am


I tested OpenSSH V8.9-1H on x86-64 V9.2-2 and I observed the same reported issue.

/Maurizio
Last edited by m_detommaso on Thu Feb 22, 2024 8:36 am, edited 4 times in total.


Post by pocketprobe » Thu Feb 22, 2024 10:02 am

Additionally, this issue is present on 9.2-1 as well, and neither of the released System Update patches affects this.
Last edited by pocketprobe on Thu Feb 22, 2024 10:21 am, edited 1 time in total.


Post by dgordon » Thu Feb 22, 2024 10:17 am

This issue has been escalated to engineering.
Executive Vice President of InfoServer Engineering at VSI.


Post by pocketprobe » Fri Aug 09, 2024 2:10 pm

In E9.2-3, bad logins for known/valid accounts are now announced via OPCOM and appear in the intrusion database. Invalid/unknown usernames are still not announced/recorded. Furthermore, OpenSSH closes the connection after the first password entry.

Added in 2 hours 2 minutes 21 seconds:
Disregard, this is now fixed in V8.9-1I. Working identically to V8.9-1F.

Thanks!
