
Bug#626112: openssh-server: ssh doesn't log some failed authentications to auth.log anymore



severity 626112 important
thanks

On Wed, Jul 27, 2011 at 10:38:26PM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2011-07-24 at 11:02 +0100, Colin Watson wrote:
> > If you use 'LogLevel VERBOSE', does that help?
> > 
> > Can you provide some examples of log messages that fail2ban is noticing
> > and banning?
> The problem isn't fail2ban,... it's that sshd doesn't log these attempts
> at all...

You misunderstood me; I was asking for examples of the messages that
*were* logged, since you said that some addresses did get successfully
banned.  But never mind now.

> But your idea (don't know why I didn't come up with this myself) with
> LogLevel helped!
> 
> Now (with VERBOSE) messages like the following get logged to auth.log:
> Jul 27 22:33:29 hilbert sshd[4542]: Set /proc/self/oom_score_adj to 0
> Jul 27 22:33:29 hilbert sshd[4542]: Connection from 129.187.131.203 port 33023
> Jul 27 22:33:30 hilbert sshd[4542]: Failed publickey for root from 129.187.131.203 port 33023 ssh2
> Jul 27 22:33:30 hilbert sshd[4544]: Set /proc/self/oom_score_adj to 0
> Jul 27 22:33:30 hilbert sshd[4544]: Connection from 129.187.131.203 port 33024
> Jul 27 22:33:31 hilbert sshd[4544]: Failed publickey for root from 129.187.131.203 port 33024 ssh2
> 
> fail2ban also detects them now (I guess it goes for the "Failed
> pub..")...
> 
> So the problem seems to be that those messages are no longer logged in
> the default LogLevel.

The rules are that authentication results are logged at the default
level if any of the following is true:

  * the authentication was successful
  * the authentication attempt was for an invalid user
  * the number of failures on this connection >= MaxAuthTries/2
  * the authentication method was "password"

As far as I can tell, nothing relevant has changed in OpenSSH at all
recently.  Before MaxAuthTries was introduced, the required number of
failures was simply hardcoded to the same value.  Prior to that, the
rules have remained essentially unchanged since November 1999:

revno: 142
committer: damien
timestamp: Wed 1999-11-24 13:26:21 +0000
message:
   - Merged very large OpenBSD source code reformat
   - OpenBSD CVS updates
     - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c]
       [ssh.h sshd.8 sshd.c]
       syslog changes:
       * Unified Logmessage for all auth-types, for success and for failed
       * Standard connections get only ONE line in the LOG when level==LOG:
         Auth-attempts are logged only, if authentication is:
            a) successful or
            b) with passwd or
            c) we had more than AUTH_FAIL_LOG failures
       * many log() became verbose()
       * old behaviour with level=VERBOSE

Given how long this behaviour has been in place, and that there's a
straightforward workaround by changing LogLevel, I don't think it's
reasonable to regard this bug as release-critical, so I'm downgrading
it.  You may have only started to notice this recently due to external
factors; for example, perhaps your attackers have started to use
authentication methods other than password?

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]
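The logging rules above and their effect on a log-based banning tool, as an added Python example (not part of the bug report, of OpenSSH or of fail2ban): it parses sshd "Failed <method> ..." lines in the VERBOSE format quoted in the report, applies the default-level rules with an assumed MaxAuthTries of 6, and counts the failures per source address that are actually visible at each LogLevel. The sample lines and addresses are constructed, not taken from the reporter's machine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the VERBOSE-level format quoted in the report;
# addresses are RFC 5737 documentation ranges, not the reporter's.
SAMPLE_AUTH_LOG = """\
Jul 27 22:33:29 hilbert sshd[4542]: Connection from 192.0.2.10 port 33023
Jul 27 22:33:30 hilbert sshd[4542]: Failed publickey for root from 192.0.2.10 port 33023 ssh2
Jul 27 22:33:31 hilbert sshd[4544]: Failed publickey for root from 192.0.2.10 port 33024 ssh2
Jul 27 22:33:32 hilbert sshd[4546]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul 27 22:33:33 hilbert sshd[4548]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jul 27 22:33:34 hilbert sshd[4550]: Accepted publickey for alice from 203.0.113.5 port 5001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_failed_auth(line):
    """Return the fields of a 'Failed <method> ...' sshd line, or None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["invalid_user"] = d.pop("invalid") is not None
    return d

def logged_at_default_level(attempt, max_auth_tries=6):
    """The rules from the mail for a failed attempt: invalid user, password
    method, or failure count on this connection >= MaxAuthTries/2."""
    return (attempt["invalid_user"]
            or attempt["method"] == "password"
            or attempt["failures"] >= max_auth_tries // 2)

def visible_failures(log_text, verbose=False, max_auth_tries=6):
    """Count failed attempts per source IP as a log reader such as fail2ban
    would see them at LogLevel INFO (default) or VERBOSE."""
    per_conn = defaultdict(int)   # failures so far, keyed by sshd pid
    seen = Counter()
    for line in log_text.splitlines():
        a = parse_failed_auth(line)
        if a is None:
            continue
        per_conn[a["pid"]] += 1
        a["failures"] = per_conn[a["pid"]]
        if verbose or logged_at_default_level(a, max_auth_tries):
            seen[a["ip"]] += 1
    return dict(seen)
```

At the default level the publickey-only source never shows up, which is exactly the situation the reporter saw; at VERBOSE both sources are counted.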