Re: ssh authlog: Failed none for invalid user

2021-08-10 Thread Jordan Geoghegan



On 8/10/21 1:30 AM, Darren Tucker wrote:
> On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan wrote:
>
> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I 
> have a number of entries in my /var/log/authlog file that look like this:
>
>     Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I 
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this context?
>
>
> It's the attempted authentication method, and it's normal behaviour.
>
> The SSH protocol has a number of authentication methods, for example 
> "password" and "publickey".  The client sends a message that says "I'd like 
> to authenticate via password using the password 'hunter2'" and the server 
> replies with either "yes that worked", or "nope" and a list of authentication 
> methods that it might accept.  Publickey authentication has a couple of extra 
> steps but works in a similar way.
>
> The protocol also specifies a "none" [0] authentication method, which will 
> succeed if the server requires no further authentication (eg in OpenSSH, if 
> PermitEmptyPassword is set and the account does not have a password).  Many 
> SSH clients including OpenSSH's start by asking for "none" authentication 
> then, if that doesn't work, use the list of possible authentication methods 
> to decide what to do next.  This is what you're seeing.
>
> When I last looked, the bulk of the password guessing bots just sent a single 
> "password" auth method and if it doesn't work, disconnect.  Apparently the 
> bots you're seeing behave a bit more like other clients.
>
> [0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2 
> 
>
> -- 
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Hi Darren,

Thank you for that excellent, detailed answer - much appreciated!

Regards,

Jordan



Re: ssh authlog: Failed none for invalid user

2021-08-10 Thread Darren Tucker
On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan wrote:

> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I
> have a number of entries in my /var/log/authlog file that look like this:
>
> Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this context?


It's the attempted authentication method, and it's normal behaviour.

The SSH protocol has a number of authentication methods, for example
"password" and "publickey".  The client sends a message that says "I'd
like to authenticate via password using the password 'hunter2'" and the
server replies with either "yes that worked", or "nope" and a list of
authentication methods that it might accept.  Publickey authentication has
a couple of extra steps but works in a similar way.

The protocol also specifies a "none" [0] authentication method, which will
succeed if the server requires no further authentication (eg in OpenSSH, if
PermitEmptyPassword is set and the account does not have a password).  Many
SSH clients including OpenSSH's start by asking for "none" authentication
then, if that doesn't work, use the list of possible authentication methods
to decide what to do next.  This is what you're seeing.

When I last looked, the bulk of the password guessing bots just sent a
single "password" auth method and if it doesn't work, disconnect.
Apparently the bots you're seeing behave a bit more like other clients.

[0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
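
Added example (not part of the thread and not OpenSSH code): a Python parser for the "Failed <method> for ..." authlog lines discussed above. It separates the initial "none" probe Darren describes from failures that actually carried a credential, per source address. The syslog prefixes and every log line except the first message text are constructed, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# sshd's failure message. The user field is client-supplied text, so it is
# matched greedily: the address sshd appends last is the one that is kept,
# even if the username itself contains " from <addr> port <n>".
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2)?$"
)

# Constructed sample: only the first message text is taken from the thread.
SAMPLE_AUTHLOG = """\
Aug  9 14:40:01 host sshd[4021]: Failed none for invalid user admin from 14.239.50.255 port 51796
Aug  9 14:40:02 host sshd[4021]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug  9 14:40:03 host sshd[4021]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug  9 14:41:10 host sshd[4030]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug  9 14:42:00 host sshd[4044]: Failed none for alice from 192.0.2.10 port 50000 ssh2
Aug  9 14:42:01 host sshd[4044]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Aug  9 14:43:00 host sshd[4050]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.9 port 40000 ssh2
"""

def parse_failures(text):
    """Yield one dict per 'Failed <method> for ...' line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line.rstrip())
        if m:
            d = m.groupdict()
            d["invalid"] = d["invalid"] is not None
            yield d

def summarize(text):
    """Per source address: failures by method, split into probes and guesses."""
    methods = defaultdict(Counter)
    for f in parse_failures(text):
        methods[f["ip"]][f["method"]] += 1
    report = {}
    for ip, counts in methods.items():
        report[ip] = {
            "methods": dict(counts),
            "none_probes": counts["none"],
            # Only non-"none" failures carried a credential to reject.
            "guesses": sum(n for meth, n in counts.items() if meth != "none"),
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_AUTHLOG).items():
        print(ip, row)
```

A source whose only failure is "none" followed by an accepted login, like 192.0.2.10 in the sample, is an ordinary client, so alerting on the "guesses" count rather than on every "Failed" line avoids counting it.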


Re: ssh authlog: Failed none for invalid user

2021-08-09 Thread Daniel Jakots
On Mon, 9 Aug 2021 14:52:40 -0700, Jordan Geoghegan wrote:

> Hello,
> 
> I was hoping somebody could set me straight here. On one of my
> machines I have a number of entries in my /var/log/authlog file that
> look like this:
> 
>     Failed none for invalid user admin from 14.239.50.255 port 51796
> 
> The machine has been being hammered with SSH bruteforce attempts and
> I noticed that "Failed none" entry popping up frequently.
> 
> What exactly does "Failed none" mean here in this context?
> 
> Any insight would be greatly appreciated as my Google-fu has failed
> me in my search for an answer.

I don't have any experience with ssh's code but after a quick grep, it
seems to come from
https://github.com/openbsd/src/blob/73b5c081a08ab8132aaab716c8f4da9aebb020e7/usr.bin/ssh/auth.c#L272-L282

I guess the "none" is the auth method selected by the client. Someone
with more knowledge on the ssh protocol can surely give you a more
detailed answer.

Cheers,
Daniel



ssh authlog: Failed none for invalid user

2021-08-09 Thread Jordan Geoghegan
Hello,

I was hoping somebody could set me straight here. On one of my machines I have 
a number of entries in my /var/log/authlog file that look like this:

    Failed none for invalid user admin from 14.239.50.255 port 51796

The machine has been being hammered with SSH bruteforce attempts and I noticed 
that "Failed none" entry popping up frequently.

What exactly does "Failed none" mean here in this context?

Any insight would be greatly appreciated as my Google-fu has failed me in my 
search for an answer.

Regards,

Jordan