Tuesday, August 10, 2021

Re: ssh authlog: Failed none for invalid user

On 8/10/21 1:30 AM, Darren Tucker wrote:
> On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan <jordan@geoghegan.ca> wrote:
>
> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I have a number of entries in my /var/log/authlog file that look like this:
>
>     Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this context?
>
>
> It's the attempted authentication method, and it's normal behaviour.
>
> The SSH protocol has a number of authentication methods, for example "password" and "publickey". The client sends a message that says "I'd like to authenticate via password using the password 'hunter2'" and the server replies with either "yes that worked", or "nope" and a list of authentication methods that it might accept. Publickey authentication has a couple of extra steps but works in a similar way.
>
> The protocol also specifies a "none" [0] authentication method, which will succeed if the server requires no further authentication (e.g. in OpenSSH, if PermitEmptyPasswords is set and the account does not have a password). Many SSH clients including OpenSSH's start by asking for "none" authentication then, if that doesn't work, use the list of possible authentication methods to decide what to do next. This is what you're seeing.
>
> When I last looked, the bulk of the password guessing bots just sent a single "password" auth method and if it doesn't work, disconnect. Apparently the bots you're seeing behave a bit more like other clients.
>
> [0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Hi Darren,

Thank you for that excellent, detailed answer - much appreciated!

Regards,

Jordan
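
A small parser for the log lines discussed in this thread, as an added example that is not part of the original messages: it groups sshd `Failed <method>` entries by source address and labels whether a client asked for "none" first, as described in the reply above, or sent a credential method directly. The sample log lines (syslog prefix, trailing `ssh2`, documentation addresses) and the label names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# The username is client-supplied and may contain spaces or even " from ",
# so match it greedily and anchor at end of line: the last "from ... port ..."
# is the part sshd itself appended.
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2)?\s*$"
)

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE_AUTHLOG = """\
Aug 10 00:01:02 host sshd[4101]: Failed none for invalid user admin from 192.0.2.10 port 51796 ssh2
Aug 10 00:01:03 host sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51796 ssh2
Aug 10 00:01:09 host sshd[4107]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 10 00:01:15 host sshd[4112]: Failed password for invalid user test from 198.51.100.7 port 40310 ssh2
Aug 10 00:02:00 host sshd[4120]: Failed none for invalid user oracle from 203.0.113.5 port 33412 ssh2
Aug 10 00:02:30 host sshd[4125]: Accepted publickey for jordan from 192.0.2.200 port 50100 ssh2
"""

def summarize(log_text):
    """Group failed attempts by source IP and count the auth methods tried."""
    by_ip = defaultdict(lambda: {"methods": Counter(), "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed-authentication line
        entry = by_ip[m["ip"]]
        entry["methods"][m["method"]] += 1
        entry["users"].add(m["user"])
        entry["invalid"] += bool(m["invalid"])  # accounts that do not exist locally
    return by_ip

def classify(entry):
    """Label a source by which authentication methods it requested."""
    methods = set(entry["methods"])
    if methods == {"none"}:
        return "probe-only"       # asked for "none", never tried a credential
    if "none" in methods:
        return "none-then-auth"   # "none" first, like OpenSSH's own client
    return "direct-auth"          # sent a credential method straight away

if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_AUTHLOG).items()):
        print(ip, classify(entry), dict(entry["methods"]), sorted(entry["users"]))
```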
