Sshd and google authenticator, parser fails?

Hi,

I’m comparing crowdsec with fail2ban and find that it seems much less effective for blocking failed ssh attempts.

On my machine I use google authenticator for 2 factor authentication. Can this be the cause of the parser failing?

Looking at the decisions list I see just one or maybe 2 out of a hundred IPs that should have been blocked.

Any hints on how to fix this?

Thanks in advance

Michael

Example:

$ grep "Disconnected from invalid user" /var/log/auth.log | sort -u | tail
Feb 19 08:47:40 myhost sshd[3228]: Disconnected from invalid user facturacion 92.255.85.135 port 20432 [preauth]
Feb 19 09:05:23 myhost sshd[3255]: Disconnected from invalid user filial76 92.255.85.237 port 25884 [preauth]
Feb 19 09:24:20 myhost sshd[3285]: Disconnected from invalid user fiscal 92.255.85.237 port 17090 [preauth]
Feb 19 09:43:26 myhost sshd[3299]: Disconnected from invalid user francis 92.255.85.237 port 34378 [preauth]
Feb 19 10:00:28 myhost sshd[3321]: Disconnected from invalid user frank 92.255.85.135 port 34530 [preauth]
Feb 19 10:19:29 myhost sshd[3336]: Disconnected from invalid user ftp 92.255.85.237 port 20680 [preauth]
Feb 19 10:38:14 myhost sshd[3355]: Disconnected from invalid user ftp 92.255.85.135 port 26138 [preauth]
Feb 19 11:05:40 myhost sshd[3386]: Disconnected from invalid user ftp1 92.255.85.135 port 60734 [preauth]
Feb 19 11:24:14 myhost sshd[3423]: Disconnected from invalid user ftp1 92.255.85.237 port 23848 [preauth]
Feb 19 11:42:42 myhost sshd[4826]: Disconnected from invalid user ftp_id 92.255.85.135 port 36104 [preauth]

$ cscli explain --file /var/log/auth.log --type sshd | head -100

line: Feb 18 18:37:15 myhost sshd[1630]: User root from 193.239.232.101 not allowed because not listed in AllowUsers
├ s00-raw
| ├ :green_circle: crowdsecurity/non-syslog (first_parser)
| └ :red_circle: crowdsecurity/syslog-logs
├ s01-parse
| ├ :red_circle: crowdsecurity/pkexec-logs
| └ :red_circle: crowdsecurity/sshd-logs
└-------- parser failure :red_circle:

line: Feb 18 19:59:47 myhost sshd[1846]: Received disconnect from 92.255.85.135 port 35308:11: Bye Bye [preauth]
├ s00-raw
| ├ :green_circle: crowdsecurity/non-syslog (first_parser)
| └ :red_circle: crowdsecurity/syslog-logs
├ s01-parse
| ├ :red_circle: crowdsecurity/pkexec-logs
| └ :red_circle: crowdsecurity/sshd-logs
└-------- parser failure :red_circle:

line: Feb 18 18:29:52 myhost sshd[1589]: pam_unix(sshd:auth): check pass; user unknown
├ s00-raw
| ├ :green_circle: crowdsecurity/non-syslog (first_parser)
| └ :red_circle: crowdsecurity/syslog-logs
├ s01-parse
| ├ :red_circle: crowdsecurity/pkexec-logs
| └ :red_circle: crowdsecurity/sshd-logs
└-------- parser failure :red_circle:

line: Feb 18 18:52:08 myhost sshd(pam_google_authenticator)[1737]: Invalid verification code for cisco
├ s00-raw
| ├ :green_circle: crowdsecurity/non-syslog (first_parser)
| └ :red_circle: crowdsecurity/syslog-logs
├ s01-parse
| ├ :red_circle: crowdsecurity/pkexec-logs
| └ :red_circle: crowdsecurity/sshd-logs
└-------- parser failure :red_circle:

line: Feb 18 21:26:09 myhost sshd[1959]: error: kex_exchange_identification: Connection closed by remote host
├ s00-raw
| ├ :green_circle: crowdsecurity/non-syslog (first_parser)
| └ :red_circle: crowdsecurity/syslog-logs
├ s01-parse
| ├ :red_circle: crowdsecurity/pkexec-logs
| └ :red_circle: crowdsecurity/sshd-logs
└-------- parser failure :red_circle:

$ cscli decisions list
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+
| ID | SOURCE   | SCOPE:VALUE      | REASON               | ACTION | COUNTRY | AS                    | EVENTS | EXPIRATION         | ALERT ID |
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+
| 1  | crowdsec | Ip:89.185.85.253 | crowdsecurity/ssh-bf | ban    | RU      | 39735 Permtelecom Ltd | 6      | 3h39m23.782335551s | 1        |
+----+----------+------------------+----------------------+--------+---------+-----------------------+--------+--------------------+----------+

Hello @M1ch43lk !

Thanks for your report :slight_smile:

First, in $ cscli explain --file /var/log/auth.log --type sshd | head -100 the type should be syslog (as the sshd logs are pushed via syslog). However, there is indeed a bug in the parser when using MFA and the user doesn’t exist.

I’ve opened an issue and it should be fixed very quickly:

This has been merged: fix #391 by buixor · Pull Request #392 · crowdsecurity/hub · GitHub

Can you run cscli hub update && cscli hub upgrade and report on how the fix went?
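To make the failure mode concrete: the MFA line in the thread is logged with the program field `sshd(pam_google_authenticator)[1737]` rather than the bare `sshd[1737]` that the other lines carry, so any header pattern that only accepts `sshd[pid]` skips it. The following is an added illustration written for this thread, not the hub parser's own grok patterns (which the thread does not show): it parses the quoted line shapes with a header pattern that tolerates the PAM-module suffix and extracts the fields a ban decision needs, noting that the MFA line itself carries no client IP.

```python
import re
from typing import Optional

# Syslog header "Mon DD HH:MM:SS host program[pid]: msg". The program field may carry a
# PAM module suffix, e.g. "sshd(pam_google_authenticator)[1737]", which a pattern that
# insists on a bare "sshd[pid]" does not match.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_.-]+)(?:\((?P<pam>[^)]+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The failure mode: a header pattern that only accepts "sshd[pid]".
STRICT_SSHD_RE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: (?P<msg>.*)$")

# sshd message bodies quoted in the thread, with the fields worth extracting.
MSG_PATTERNS = {
    "invalid_user_disconnect": re.compile(
        r"^Disconnected from invalid user (?P<user>\S+) (?P<ip>\S+) port \d+"),
    "not_in_allowusers": re.compile(
        r"^User (?P<user>\S+) from (?P<ip>\S+) not allowed because not listed in AllowUsers"),
    "mfa_bad_code": re.compile(r"^Invalid verification code for (?P<user>\S+)$"),
}

def parse_line(line: str) -> Optional[dict]:
    """Split a syslog line into header fields and classify the sshd message; None if unknown."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "sshd":
        return None
    for kind, pat in MSG_PATTERNS.items():
        mm = pat.match(m["msg"])
        if mm:
            # Lines emitted via a PAM module carry no client IP ("ip" is None here); a ban
            # needs the IP from an sshd line of the same session, so do not invent one.
            return {"kind": kind, "pam": m["pam"], "user": mm["user"], "ip": mm.groupdict().get("ip")}
    return None

def strict_matches(line: str) -> bool:
    """Whether the strict 'sshd[pid]'-only header pattern accepts the line."""
    return STRICT_SSHD_RE.match(line) is not None

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE = [
    "Feb 18 18:37:15 myhost sshd[1630]: User root from 193.239.232.101 not allowed because not listed in AllowUsers",
    "Feb 18 18:52:08 myhost sshd(pam_google_authenticator)[1737]: Invalid verification code for cisco",
    "Feb 19 08:47:40 myhost sshd[3228]: Disconnected from invalid user facturacion 92.255.85.135 port 20432 [preauth]",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(strict_matches(ln), parse_line(ln))
```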

Sorry for the late answer.

It works much better now. :+1: :slightly_smiling_face:

Thanks for all help!

Michael