Project

General

Profile

Bug #9223

SSHGUARD doesn't work as expected

Added by Joshua Sign 28 days ago. Updated 3 days ago.

Status:
New
Priority:
High
Category:
Rules/NAT
Target version:
Start date:
12/26/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.4_1
Affected Architecture:

Description

Sshguard implementation in pfsense broke the way that sshguard should work.

I notice that blocking IP for a while (many hours) is not possible because of crontab tasks :

*/60   *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard
*/60   *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout

According to the manual, "expiretable will remove entries from the pf table specified by table with an age greater than that specified by -t age".
So all entries olders than 1h will be deleted : this is the first problem, because sshguard do not realease himself these entries it will not block again these IP since the interval time is not reached.

As sshguard do not block them again, after the cron job, many logs lines like this one appears in system logs (about IP that should ever be bloked) :

Dec 26 10:50:17    sshd    13972    Unable to negotiate with 218.92.1.172 port 10899: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 26 10:50:13    sshd    47006   Unable to negotiate with 218.92.1.172 port 56425: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 26 10:50:10    sshd    70133   Unable to negotiate with 218.92.1.172 port 63321: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

That makes logs grow and grow...

Sshguard works correctly using backends to block/release IP.
These cron jobs are not required and broke the sshguard interval timings.

But, the main error is certainly this unexpected behavior : if sshguard block your IP for a services, it will not block it again for another service.
Just try to connect to https with a bad login/password :

Dec 26 10:55:45    sshguard    55911    Blocking "10.0.0.10/32" for 2400 secs (1 attacks in 0 secs, after 3 abuses over 34151 secs.)
Dec 26 10:55:45    sshguard    55911    Attack from "10.0.0.10" on service 380 with danger 10.
Dec 26 10:55:45    php-fpm     20430    /index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.10

Now we are blocked over https... ok but what about ssh ?
Lets try :

Dec 26 10:57:24    sshd    82837    Disconnecting invalid user titi 10.0.0.10 port 51346: Too many authentication failures [preauth]
Dec 26 10:57:24    sshd    82837    error: maximum authentication attempts exceeded for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:24    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:24    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:22    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:22    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:22    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:22    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:21    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:21    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:21    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:21    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:21    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:21    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:21    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:21    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:20    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:20    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:20    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:20    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:19    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:19    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:19    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:19    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:18    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:18    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:18    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:18    sshd    82837    Invalid user titi from 10.0.0.10 port 51346
Dec 26 10:57:12    sshd    39027    Disconnecting invalid user test 10.0.0.10 port 51327: Too many authentication failures [preauth]
Dec 26 10:57:12    sshd    39027    error: maximum authentication attempts exceeded for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:12    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:12    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:11    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:11    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:11    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:11    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:10    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:10    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:10    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:10    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:09    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:09    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:09    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:09    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:08    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:08    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:08    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:08    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:06    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:06    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:06    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:06    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:05    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:05    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:05    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:05    sshd    39027    Invalid user test from 10.0.0.10 port 51327
Dec 26 10:56:15    sshd    12848    Fssh_packet_write_poll: Connection from user root 10.0.0.10 port 49560: Permission denied

Ssh is not blocked!!

I show many attacks like that, so it is possible that some hackers understand how to bypass sshguard protection using this trick to bruteforce.

For now, and as a minimal workaround, i suggest to remove or comments crontabs lines : that solve many problems and make sshguard works as expected

I need to investigate more about the service blocking bypass, but this is a real problem.
During this time, maybe it should be more secure to block both services at once...

I'am using :

2.4.4-RELEASE-p1 (amd64) 
built on Mon Nov 26 11:40:26 EST 2018 
FreeBSD 11.2-RELEASE-p4 

sshguad_by_service_filtering.patch (7.91 KB) sshguad_by_service_filtering.patch Joshua Sign, 01/20/2019 04:32 PM

History

#1 Updated by Jim Pingle 28 days ago

  • Category set to Rules/NAT
  • Assignee set to Renato Botelho
  • Target version set to 2.4.5
  • Affected Version set to 2.4.4_1

#2 Updated by Danilo Zrenjanin 26 days ago

I have reproduced the bug on SG-3100:

2.4.4-RELEASE-p1 (arm)
built on Thu Nov 29 14:06:34 EST 2018
FreeBSD 11.2-RELEASE-p4

I noticed if you have been locked over failed HTTPS attempts you will be able to continue with SSH attempts. But if you've been blocked due to failed SSH attempts you will be blocked over HTTPS too.

Same results on SG-3100:

2.4.5-DEVELOPMENT (arm)
built on Thu Dec 27 19:12:05 EST 2018
FreeBSD 11.2-RELEASE-p6

#3 Updated by Joshua Sign 25 days ago

Hi Danilo,

I'am not agree with your test.

I just test again to be sure about it, and i can confirm that if your are blocked due to failed SSH attempts, you ARE NOT BLOCKED over HTTPS.
Here is my test :

Dec 29 12:16:43    php-fpm       474    /index.php: webConfigurator authentication error for user 'tutu' from: 192.168.100.10
Dec 29 12:16:39    php-fpm     32814    /index.php: webConfigurator authentication error for user 'tata' from: 192.168.100.10
Dec 29 12:16:24    php-fpm     49514    /index.php: webConfigurator authentication error for user 'titi' from: 192.168.100.10
Dec 29 12:16:06    php-fpm     24638    /index.php: webConfigurator authentication error for user 'toto' from: 192.168.100.10
Dec 29 12:15:26    sshguard    88267    Blocking "192.168.100.10/32" for 600 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)
Dec 29 12:15:26    sshguard    88267    Attack from "192.168.100.10" on service 100 with danger 10.
Dec 29 12:15:26    sshd        46068    Invalid user test from 192.168.100.10 port 60692

At 12:15:26 i do ssh connexion failled and i'am blocked by sshguard.
But i can try many attempts over HTTPS...

I check tables too :
- sshguard table list got my ip address inside : good because i have failed an attempt over SSH
- webConfiguratorlockout table list dont have my ip listed inside -> my IP should be added after the first HTTPS connexion failed, but sshguard don't add/detect it

I can perform more tests if needed.

Regards.
Josh_

#4 Updated by Danilo Zrenjanin 22 days ago

Retested and got the same results as Joshua. I must have messed up something with IPs or Safari browser got stock during the first test.

Correct, if you are blocked due to failed SSH attempts, you ARE NOT BLOCKED over HTTPS.

#5 Updated by Joshua Sign 3 days ago

I investigate about this problem,

It seems that the sshguard purpose is to detect an attack and just launch a backend script to command firewall and block the attacker.
The attacker is supposed to be blocked for all services, in sshguard purpose.

As it could be very interresting to have sshguard blocking ip by services, i just worked on it.
Here is the patch. My tests looks good on debian system.

With specific backend rules we will now be able to block only on HTTPS, and/or on SSH, and/or on openvpn, and/or ...

This patch :
- add the service number to the backend script arguments
- make attackers blocking/unblocking by services
- message log when unblocking (before it was LOG_DEBUG only)

Also available in: Atom PDF