Tuesday, August 10, 2021

Re: ssh authlog: Failed none for invalid user

On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan <jordan@geoghegan.ca> wrote:

> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I
> have a number of entries in my /var/log/authlog file that look like this:
>
> Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this context?


It's the attempted authentication method, and it's normal behaviour.

The SSH protocol has a number of authentication methods, for example
"password" and "publickey". The client sends a message that says "I'd
like to authenticate via password using the password 'hunter2'" and the
server replies with either "yes that worked", or "nope" and a list of
authentication methods that it might accept. Publickey authentication has
a couple of extra steps but works in a similar way.

The protocol also specifies a "none" [0] authentication method, which will
succeed if the server requires no further authentication (eg in OpenSSH, if
PermitEmptyPassword is set and the account does not have a password). Many
SSH clients including OpenSSH's start by asking for "none" authentication
then, if that doesn't work, use the list of possible authentication methods
to decide what to do next. This is what you're seeing.

When I last looked, the bulk of the password guessing bots just sent a
single "password" auth method and, if it didn't work, disconnected.
Apparently the bots you're seeing behave a bit more like other clients.

[0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
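As an added defender-side example (not part of Darren's reply and not OpenSSH code): a small Python parser for lines in the authlog format quoted in the question. It treats "Failed none" as the client's initial method probe rather than a credential guess, so only "password"/"publickey" failures count toward flagging a source. The sample lines are constructed; the only assumption about the format is the one quoted above, optionally preceded by a syslog prefix and optionally followed by "ssh2".

```python
import re
from collections import Counter, defaultdict

# Matches sshd's "Failed <method> for [invalid user] <user> from <ip> port <n>"
# lines, with or without a syslog prefix such as "Aug 10 09:06:01 host sshd[1234]: ".
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_failure(line):
    """Return a dict for an sshd 'Failed <method>' line, or None for any other line."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def summarize(lines):
    """Per source IP: failure count by auth method and the set of user names tried."""
    per_ip = defaultdict(lambda: {"methods": Counter(), "users": set()})
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            per_ip[rec["ip"]]["methods"][rec["method"]] += 1
            per_ip[rec["ip"]]["users"].add(rec["user"])
    return dict(per_ip)


def suspicious_sources(lines, threshold=3):
    """IPs with at least `threshold` credential failures, ignoring the "none" probe."""
    flagged = []
    for ip, info in summarize(lines).items():
        # "Failed none" is the client asking which methods are accepted (RFC 4252 5.2);
        # it is not a guessed password, so it does not count toward the threshold.
        guesses = sum(n for method, n in info["methods"].items() if method != "none")
        if guesses >= threshold:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample authlog (only the first line mirrors the one quoted in the thread).
SAMPLE_AUTHLOG = [
    "Aug 10 09:06:01 host sshd[1234]: Failed none for invalid user admin from 14.239.50.255 port 51796",
    "Aug 10 09:06:02 host sshd[1234]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2",
    "Aug 10 09:06:03 host sshd[1234]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2",
    "Aug 10 09:06:04 host sshd[1234]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2",
    "Aug 10 09:07:10 host sshd[1240]: Failed none for jordan from 192.0.2.10 port 40022",
    "Aug 10 09:07:11 host sshd[1240]: Accepted publickey for jordan from 192.0.2.10 port 40022 ssh2",
    "Aug 10 09:08:00 host sshd[1251]: Failed password for root from 198.51.100.7 port 55100 ssh2",
    "Aug 10 09:08:01 host sshd[1251]: Failed password for root from 198.51.100.7 port 55100 ssh2",
]
```

Running `suspicious_sources(SAMPLE_AUTHLOG)` flags only 14.239.50.255: the legitimate client at 192.0.2.10 produced the same "Failed none" line and is not flagged, and 198.51.100.7 stays under the threshold.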
