Project

General

Profile

Actions

Bug #9223

closed

SSHGUARD doesn't work as expected

Added by Joshua Sign over 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
High
Category:
Rules / NAT
Target version:
Start date:
12/26/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

Sshguard implementation in pfsense broke the way that sshguard should work.

I notice that blocking IP for a while (many hours) is not possible because of crontab tasks :

*/60   *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard
*/60   *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout

According to the manual, "expiretable will remove entries from the pf table specified by table with an age greater than that specified by -t age".
So all entries olders than 1h will be deleted : this is the first problem, because sshguard do not realease himself these entries it will not block again these IP since the interval time is not reached.

As sshguard do not block them again, after the cron job, many logs lines like this one appears in system logs (about IP that should ever be bloked) :

Dec 26 10:50:17    sshd    13972    Unable to negotiate with 218.92.1.172 port 10899: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 26 10:50:13    sshd    47006   Unable to negotiate with 218.92.1.172 port 56425: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 26 10:50:10    sshd    70133   Unable to negotiate with 218.92.1.172 port 63321: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

That makes logs grow and grow...

Sshguard works correctly using backends to block/release IP.
These cron jobs are not required and broke the sshguard interval timings.

But, the main error is certainly this unexpected behavior : if sshguard block your IP for a services, it will not block it again for another service.
Just try to connect to https with a bad login/password :

Dec 26 10:55:45    sshguard    55911    Blocking "10.0.0.10/32" for 2400 secs (1 attacks in 0 secs, after 3 abuses over 34151 secs.)
Dec 26 10:55:45    sshguard    55911    Attack from "10.0.0.10" on service 380 with danger 10.
Dec 26 10:55:45    php-fpm     20430    /index.php: webConfigurator authentication error for user 'toto' from: 10.0.0.10

Now we are blocked over https... ok but what about ssh ?
Lets try :

Dec 26 10:57:24    sshd    82837    Disconnecting invalid user titi 10.0.0.10 port 51346: Too many authentication failures [preauth]
Dec 26 10:57:24    sshd    82837    error: maximum authentication attempts exceeded for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:24    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:24    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:22    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:22    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:22    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:22    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:21    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:21    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:21    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:21    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:21    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:21    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:21    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:21    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:20    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:20    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:20    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:20    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:19    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:19    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:19    sshd    82837    Failed keyboard-interactive/pam for invalid user titi from 10.0.0.10 port 51346 ssh2
Dec 26 10:57:19    sshd    82837    error: PAM: authentication error for illegal user titi from 10.0.0.10
Dec 26 10:57:18    sshd    82837    Postponed keyboard-interactive for invalid user titi from 10.0.0.10 port 51346 ssh2 [preauth]
Dec 26 10:57:18    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:18    sshd    82837    user NOUSER login class [preauth]
Dec 26 10:57:18    sshd    82837    Invalid user titi from 10.0.0.10 port 51346
Dec 26 10:57:12    sshd    39027    Disconnecting invalid user test 10.0.0.10 port 51327: Too many authentication failures [preauth]
Dec 26 10:57:12    sshd    39027    error: maximum authentication attempts exceeded for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:12    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:12    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:11    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:11    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:11    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:11    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:10    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:10    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:10    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:10    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:09    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:09    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:09    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:09    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:08    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:08    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:08    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:08    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:06    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:06    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:06    sshd    39027    Failed keyboard-interactive/pam for invalid user test from 10.0.0.10 port 51327 ssh2
Dec 26 10:57:06    sshd    39027    error: PAM: authentication error for illegal user test from 10.0.0.10
Dec 26 10:57:05    sshd    39027    Postponed keyboard-interactive for invalid user test from 10.0.0.10 port 51327 ssh2 [preauth]
Dec 26 10:57:05    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:05    sshd    39027    user NOUSER login class [preauth]
Dec 26 10:57:05    sshd    39027    Invalid user test from 10.0.0.10 port 51327
Dec 26 10:56:15    sshd    12848    Fssh_packet_write_poll: Connection from user root 10.0.0.10 port 49560: Permission denied

Ssh is not blocked!!

I show many attacks like that, so it is possible that some hackers understand how to bypass sshguard protection using this trick to bruteforce.

For now, and as a minimal workaround, i suggest to remove or comments crontabs lines : that solve many problems and make sshguard works as expected

I need to investigate more about the service blocking bypass, but this is a real problem.
During this time, maybe it should be more secure to block both services at once...

I'am using :

2.4.4-RELEASE-p1 (amd64) 
built on Mon Nov 26 11:40:26 EST 2018 
FreeBSD 11.2-RELEASE-p4 


Files

sshguad_by_service_filtering.patch (7.91 KB) sshguad_by_service_filtering.patch Joshua Sign, 01/20/2019 04:32 PM
Actions

Also available in: Atom PDF