Public bug reported:

I observe that sshguard 1.7.1-1 in bionic doesn't block SSH bruteforce attacks which are trying to log in as nonexistent accounts.

Whilst it blocks attacks which result in auth.log messages like:

  Jan 15 08:51:19 io sshd[18965]: Failed password for root from 223.223.200.14 port 48974 ssh2

it doesn't block attacks which result in:

  Jan 15 11:31:15 io sshd[11997]: Failed password for invalid user guest from 58.186.196.223 port 21715 ssh2

Matching log lines which include "invalid user" was added in sshguard 2.1.0 (https://sourceforge.net/p/sshguard/mailman/message/36109171/).

I consider this a security issue since sshguard is not performing its function -- it looks at first glance like it is working and it does block *some* attacks, but it misses the majority.

Could this or a later version be backported to bionic?

** Affects: sshguard (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1859809

Title:
  sshguard <2.1.0 doesn't match "Failed password for invalid user ..."
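
An added example, not part of the original report and not sshguard's code: a small audit over auth.log lines that reports which source addresses are under-counted by a matcher without "invalid user" support. The two regular expressions are simplified assumptions standing in for the behaviour described in the report, and every sample line after the first two is constructed.

```python
import re
from collections import Counter

# Simplified stand-ins for the two behaviours in the report. These are
# assumptions for illustration, not sshguard's actual grammar.
TAIL = r"from (?P<ip>\S+) port \d+ ssh2$"
OLD_STYLE = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) " + TAIL)
NEW_STYLE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) " + TAIL)

# First two lines are quoted from the report; the rest are constructed samples.
SAMPLE = """\
Jan 15 08:51:19 io sshd[18965]: Failed password for root from 223.223.200.14 port 48974 ssh2
Jan 15 11:31:15 io sshd[11997]: Failed password for invalid user guest from 58.186.196.223 port 21715 ssh2
Jan 15 11:31:19 io sshd[11999]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jan 15 11:31:22 io sshd[12001]: Failed password for invalid user test from 192.0.2.10 port 40120 ssh2
Jan 15 11:31:30 io sshd[12003]: Failed password for root from 192.0.2.10 port 40133 ssh2
Jan 15 11:32:01 io sshd[12010]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
""".splitlines()


def coverage(lines):
    """Count failed-password events per source IP under each pattern."""
    old, new = Counter(), Counter()
    for line in lines:
        m = NEW_STYLE.search(line)
        if m:
            new[m["ip"]] += 1
        m = OLD_STYLE.search(line)
        if m:
            old[m["ip"]] += 1
    return old, new


def blind_spots(lines):
    """Sources whose failures are partly or wholly invisible to OLD_STYLE."""
    old, new = coverage(lines)
    return {ip: (old[ip], new[ip]) for ip in sorted(new) if old[ip] < new[ip]}


if __name__ == "__main__":
    for ip, (seen, total) in blind_spots(SAMPLE).items():
        print(f"{ip}: {seen} of {total} failed logins matched "
              "without 'invalid user' support")
```

A source that only guesses nonexistent usernames shows up with a count of 0 under the old-style pattern, so it would never reach a blocking threshold.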