I’ve just had a genuine user banned because they couldn’t remember their username twice, when I thought I had it configured to require more than 5 failures to trigger a ban.

I have the `collections/sshd` installed, but also have an extra scenario configured, simply so I can have it look for a capacity (still 5 before this) over a longer time period of 1 hour.

It appears that the way `sshd-logs.yaml` is set up, it will count each of three separate lines for the same failure as separate events. Thus two failures equate to 6 events and go over the capacity of 5.

Specifically, that parser is matching on all of: `SSHD_INVALID_USER`, `SSHD_PREAUTH_AUTHENTICATING_USER` and … something else? I only have the one pam-related line for `SSHD_AUTH_FAIL`, and nothing seems to match on the `Failed none for invalid user` lines. But given my `acquis.yaml` is:
```yaml
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: mysql) / files : /var/log/mysql/error.log
filenames:
  - /var/log/mysql/error.log
labels:
  type: mysql
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log /var/log/messages
filenames:
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/messages
labels:
  type: syslog
---
```
And `grep -F <ip> /var/log/auth.log /var/log/mysql/error.log /var/log/syslog /var/log/kern.log /var/log/messages | grep -Fc sshd` says `7`; there’s no double-counting of sshd lines otherwise.

Is this actually intended? Does this mean the provided scenario’s capacity of 5 is intended to ban after only two invalid attempts?

I can accept this is just a documentation issue, because the Hub page doesn’t mention this at all, and there’s no comment in the `ssh-bf.yaml` scenario file to explain why it has ‘5’ in it.

For reference, the anonymised `auth.log` is the following. These are the only lines for that IP (log file started at 06:25:39):
```text
Feb 19 09:33:37 river sshd[2198583]: Invalid user user1 from A.B.C.D port 52868
Feb 19 09:34:24 river sshd[2198583]: Failed none for invalid user user1 from A.B.C.D port 52868 ssh2
Feb 19 09:34:26 river sshd[2198583]: Connection closed by invalid user user1 A.B.C.D port 52868 [preauth]
Feb 19 09:34:37 river sshd[2199400]: Invalid user user2 from A.B.C.D port 52870
Feb 19 09:34:41 river sshd[2199400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=A.B.C.D
Feb 19 09:34:43 river sshd[2199400]: Failed password for invalid user user2 from A.B.C.D port 52870 ssh2
Feb 19 09:35:18 river sshd[2199400]: Connection closed by invalid user user2 A.B.C.D port 52870 [preauth]
```
and the anonymised `crowdsec.log` lines are:

```text
time="19-02-2023 09:35:18" level=info msg="Ip A.B.C.D performed 'fysh/ssh-bf' (6 events over 1m41.061656148s) at 2023-02-19 09:35:18.26682107 +0000 UTC"
time="19-02-2023 09:35:18" level=info msg="(<api credential>/crowdsec) fysh/ssh-bf by ip A.B.C.D (GB/5607) : 72h ban on Ip
```

The installed collection is:

```text
crowdsecurity/sshd ✔️ enabled 0.2 /etc/crowdsec/collections/sshd.yaml
```
And before I changed the capacity the custom scenario was:
```yaml
# ssh bruteforce
type: leaky
name: fysh/ssh-bf
description: "Detect ssh bruteforce 5/1h"
filter: "evt.Meta.log_type == 'ssh_failed-auth'"
leakspeed: "1h"
references:
  - http://wikipedia.com/ssh-bf-is-bad
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: true
labels:
  service: ssh
  type: bruteforce
  remediation: true
---
# ssh user-enum
type: leaky
name: fysh/ssh-bf_user-enum
description: "Detect ssh user enum bruteforce 5/1h"
filter: evt.Meta.log_type == 'ssh_failed-auth'
groupby: evt.Meta.source_ip
distinct: evt.Meta.target_user
leakspeed: "1h"
capacity: 5
blackhole: 1m
labels:
  service: ssh
  type: bruteforce
  remediation: true
```
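To make the arithmetic above concrete, here is an added simulation (not CrowdSec code and not part of the original post) that parses the quoted `auth.log` lines with assumed match markers chosen to reproduce the reported 6 events, pours them into a leaky bucket with the scenario's capacity 5 and leakspeed 1h, and then shows that collapsing all lines of one sshd session (same pid) into a single event would leave the bucket well under capacity. The bucket model and the pid grouping are assumptions for illustration, not how CrowdSec's parser or scenario engine necessarily behave.

```python
import re
from datetime import datetime, timedelta
# Constructed input: the anonymised auth.log lines quoted in the post (year 2023 assumed).
AUTH_LOG = """\
Feb 19 09:33:37 river sshd[2198583]: Invalid user user1 from A.B.C.D port 52868
Feb 19 09:34:24 river sshd[2198583]: Failed none for invalid user user1 from A.B.C.D port 52868 ssh2
Feb 19 09:34:26 river sshd[2198583]: Connection closed by invalid user user1 A.B.C.D port 52868 [preauth]
Feb 19 09:34:37 river sshd[2199400]: Invalid user user2 from A.B.C.D port 52870
Feb 19 09:34:41 river sshd[2199400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=A.B.C.D
Feb 19 09:34:43 river sshd[2199400]: Failed password for invalid user user2 from A.B.C.D port 52870 ssh2
Feb 19 09:35:18 river sshd[2199400]: Connection closed by invalid user user2 A.B.C.D port 52870 [preauth]
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
# Assumed markers for lines the parser turns into an ssh_failed-auth event, chosen
# to reproduce the "6 events" in the post's crowdsec.log; not CrowdSec's real grok patterns.
FAIL_MARKERS = ("Invalid user", "authentication failure",
                "Failed password", "Connection closed by invalid user")

def parse_events(log, year=2023):
    """Return [(timestamp, sshd pid)] for every line the assumed parser flags."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and any(marker in m.group(3) for marker in FAIL_MARKERS):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def leaky_bucket_overflows(timestamps, capacity=5, leakspeed=timedelta(hours=1)):
    """1-based number of the event that overflows the bucket, or None if none does.
    Assumed model (defaults mirror the post's scenario): each event pours in one unit,
    the bucket drains one unit per `leakspeed` of elapsed time, overflow when level > capacity."""
    level, last = 0.0, None
    for n, ts in enumerate(timestamps, 1):
        if last is not None:
            level = max(0.0, level - (ts - last) / leakspeed)
        last, level = ts, level + 1
        if level > capacity:
            return n
    return None

def per_line_timestamps(log):
    return [ts for ts, _ in parse_events(log)]

def per_attempt_timestamps(log):
    """Collapse all flagged lines of one sshd session (same pid) to its first line."""
    first = {}
    for ts, pid in parse_events(log):
        first.setdefault(pid, ts)
    return sorted(first.values())
```

With per-line counting the sixth flagged line (the second "Connection closed" at 09:35:18) tips a capacity-5 bucket, matching the 1m41s window in the post's log; per-session counting yields only two events.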