I’ve just had a genuine user banned because they couldn’t remember their username twice, when I thought I had it configured to require more than 5 failures to trigger a ban.
I have the `collections/sshd` installed, but also have an extra scenario configured, simply so I can have it look for a capacity (still 5 before this) over a longer time period of 1 hour.
It appears that the way `sshd-logs.yaml` is set up, it will count each of three separate lines for the same failure as separate events. Thus two failures equate to 6 events and go over the capacity of 5.
Specifically, that parser is matching on all of `SSHD_PREAUTH_AUTHENTICATING_USER` and … something else? I only have the one pam-related line for `SSHD_AUTH_FAIL`, and nothing seems to match on the `Failed none for invalid user` lines. But given my acquis.yaml is:
```yaml
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: mysql) / files : /var/log/mysql/error.log
filenames:
  - /var/log/mysql/error.log
labels:
  type: mysql
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log /var/log/messages
filenames:
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/messages
labels:
  type: syslog
---
```
and `grep -F <ip> /var/log/auth.log /var/log/mysql/error.log /var/log/syslog /var/log/kern.log /var/log/messages | grep -Fc sshd` says 7, there's no double-counting of sshd lines otherwise.
Is this actually intended? Does this mean the provided scenario's capacity of 5 is intended to ban after only two invalid attempts?
I can accept this is just a documentation issue, because the Hub page doesn't mention this at all, and there's no comment in the `ssh-bf.yaml` scenario file to explain why it has '5' in it.
For reference, the anonymised auth.log is the following. These are the only lines for that IP (log file started at 06:25:39):
```
Feb 19 09:33:37 river sshd: Invalid user user1 from A.B.C.D port 52868
Feb 19 09:34:24 river sshd: Failed none for invalid user user1 from A.B.C.D port 52868 ssh2
Feb 19 09:34:26 river sshd: Connection closed by invalid user user1 A.B.C.D port 52868 [preauth]
Feb 19 09:34:37 river sshd: Invalid user user2 from A.B.C.D port 52870
Feb 19 09:34:41 river sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=A.B.C.D
Feb 19 09:34:43 river sshd: Failed password for invalid user user2 from A.B.C.D port 52870 ssh2
Feb 19 09:35:18 river sshd: Connection closed by invalid user user2 A.B.C.D port 52870 [preauth]
```
and the anonymised crowdsec.log lines are:
```
time="19-02-2023 09:35:18" level=info msg="Ip A.B.C.D performed 'fysh/ssh-bf' (6 events over 1m41.061656148s) at 2023-02-19 09:35:18.26682107 +0000 UTC"
time="19-02-2023 09:35:18" level=info msg="(<api credential>/crowdsec) fysh/ssh-bf by ip A.B.C.D (GB/5607) : 72h ban on Ip
```
The installed collection is:
```
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
```
And before I changed the capacity the custom scenario was:
```yaml
# ssh bruteforce
type: leaky
name: fysh/ssh-bf
description: "Detect ssh bruteforce 5/1h"
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
leakspeed: "1h"
references:
  - http://wikipedia.com/ssh-bf-is-bad
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: true
labels:
  service: ssh
  type: bruteforce
  remediation: true
---
# ssh user-enum
type: leaky
name: fysh/ssh-bf_user-enum
description: "Detect ssh user enum bruteforce 5/1h"
filter: evt.Meta.log_type == 'ssh_failed-auth'
groupby: evt.Meta.source_ip
distinct: evt.Meta.target_user
leakspeed: "1h"
capacity: 5
blackhole: 1m
labels:
  service: ssh
  type: bruteforce
  remediation: true
```
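To check the arithmetic behind the ban, here is an added simulation (not CrowdSec's code and not from the post above) that replays the seven auth.log lines through a simplified leaky bucket with the scenario's `capacity: 5` and `leakspeed: 1h`, once counting the three per-attempt lines as separate events (the suspected parser behaviour) and once counting only the `Failed ... for invalid user` line. The regexes standing in for the parser, the year 2023, and the continuous-leak model are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the seven anonymised auth.log lines quoted in the post.
AUTH_LOG = """\
Feb 19 09:33:37 river sshd: Invalid user user1 from A.B.C.D port 52868
Feb 19 09:34:24 river sshd: Failed none for invalid user user1 from A.B.C.D port 52868 ssh2
Feb 19 09:34:26 river sshd: Connection closed by invalid user user1 A.B.C.D port 52868 [preauth]
Feb 19 09:34:37 river sshd: Invalid user user2 from A.B.C.D port 52870
Feb 19 09:34:41 river sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=A.B.C.D
Feb 19 09:34:43 river sshd: Failed password for invalid user user2 from A.B.C.D port 52870 ssh2
Feb 19 09:35:18 river sshd: Connection closed by invalid user user2 A.B.C.D port 52870 [preauth]
"""

# Assumed stand-ins for the sshd parser's sub-patterns: every matching line is
# treated as one ssh_failed-auth event, so one attempt can yield three events.
PER_LINE_PATTERNS = [
    re.compile(r"Invalid user \S+ from (?P<ip>\S+)"),
    re.compile(r"Failed \S+ for invalid user \S+ from (?P<ip>\S+)"),
    re.compile(r"Connection closed by invalid user \S+ (?P<ip>\S+)"),
]
# For comparison: count only the "Failed ... for invalid user" line per attempt.
PER_ATTEMPT_PATTERNS = PER_LINE_PATTERNS[1:2]


def parse_events(log_text, patterns, year=2023):
    """Return (timestamp, source_ip) for each line matching one of the patterns."""
    events = []
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
                events.append((ts, m.group("ip")))
                break
    return events


def replay_bucket(events, capacity=5, leakspeed=timedelta(hours=1)):
    """Push one source's events through a simplified leaky bucket.
    Assumption: the level leaks continuously at one event per leakspeed; over the
    101-second window here that leak is negligible either way.  The bucket overflows
    when the level exceeds capacity, i.e. on the (capacity + 1)-th event in the window.
    Returns (overflow_time or None, number of events pushed)."""
    level, last, pushed = 0.0, None, 0
    for ts, _ in events:
        if last is not None:
            level = max(0.0, level - (ts - last) / leakspeed)
        last, level, pushed = ts, level + 1, pushed + 1
        if level > capacity:
            return ts, pushed
    return None, pushed


def run_scenario(log_text, patterns, capacity=5, leakspeed=timedelta(hours=1)):
    """Group events by source IP (the scenario's groupby) and replay each bucket."""
    buckets = {}
    for ts, ip in parse_events(log_text, patterns):
        buckets.setdefault(ip, []).append((ts, ip))
    return {ip: replay_bucket(evts, capacity, leakspeed) for ip, evts in buckets.items()}
```

With three events per attempt the bucket for A.B.C.D overflows on the sixth event at 09:35:18, matching the "6 events over 1m41s" line; with one event per attempt only two events are pushed and nothing overflows.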