On 8/10/21 1:30 AM, Darren Tucker wrote:
> On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan <jor...@geoghegan.ca> wrote:
>
> > Hello,
> >
> > I was hoping somebody could set me straight here. On one of my machines I
> > have a number of entries in my /var/log/authlog file that look like this:
> >
> > Failed none for invalid user admin from 14.239.50.255 port 51796
> >
> > The machine has been being hammered with SSH bruteforce attempts and I
> > noticed that "Failed none" entry popping up frequently.
> >
> > What exactly does "Failed none" mean here in this context?
>
>
> It's the attempted authentication method, and it's normal behaviour.
>
> The SSH protocol has a number of authentication methods, for example
> "password" and "publickey". The client sends a message that says "I'd like
> to authenticate via password using the password 'hunter2'" and the server
> replies with either "yes that worked", or "nope" and a list of authentication
> methods that it might accept. Publickey authentication has a couple of extra
> steps but works in a similar way.
>
> The protocol also specifies a "none" [0] authentication method, which will
> succeed if the server requires no further authentication (e.g. in OpenSSH, if
> PermitEmptyPasswords is set and the account does not have a password). Many
> SSH clients including OpenSSH's start by asking for "none" authentication
> then, if that doesn't work, use the list of possible authentication methods
> to decide what to do next. This is what you're seeing.
>
> When I last looked, the bulk of the password guessing bots just sent a single
> "password" auth method and if it doesn't work, disconnect. Apparently the
> bots you're seeing behave a bit more like other clients.
>
> [0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Hi Darren,

Thank you for that excellent, detailed answer - much appreciated!

Regards,
Jordan
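
An added example, not part of the original thread: a small authlog parser that groups sshd "Failed <method>" lines by source address, so "none" probes (the initial method query described above) can be told apart from failures of other methods such as "password". The sample log lines are constructed and use documentation IP ranges; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Matches sshd's "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines.
FAILED = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = """\
Aug 10 01:02:03 host sshd[411]: Failed none for invalid user admin from 203.0.113.7 port 51796 ssh2
Aug 10 01:02:04 host sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51796 ssh2
Aug 10 01:02:09 host sshd[420]: Failed password for root from 198.51.100.9 port 40022 ssh2
Aug 10 01:02:11 host sshd[421]: Failed password for root from 198.51.100.9 port 40031 ssh2
Aug 10 01:03:00 host sshd[430]: Failed none for invalid user test from 203.0.113.7 port 51802 ssh2
Aug 10 01:03:30 host sshd[433]: Accepted publickey for jordan from 192.0.2.10 port 50000 ssh2
"""

def summarize(text):
    """Return {ip: Counter(method -> failures)} for every 'Failed' line."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["method"]] += 1
    return dict(per_ip)

def probes_none_first(text):
    """IPs whose clients sent the "none" method (RFC 4252 section 5.2) at least once."""
    return sorted(ip for ip, c in summarize(text).items() if c["none"])

def non_none_failures(text):
    """Per IP, count failures of any method other than "none" (e.g. "password")."""
    return {ip: sum(n for meth, n in c.items() if meth != "none")
            for ip, c in summarize(text).items()}

if __name__ == "__main__":
    for ip, c in summarize(SAMPLE).items():
        print(ip, dict(c))
    print("clients that sent 'none':", probes_none_first(SAMPLE))
    print("failures of other methods:", non_none_failures(SAMPLE))
```

Counting only the non-"none" failures avoids inflating brute-force totals with the method query that many ordinary clients send first.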