Debian Bookworm has slightly different connection attempt log for sshd #1169

Open
alacham opened this issue Nov 19, 2024 · 0 comments · May be fixed by #1168
alacham commented Nov 19, 2024

Describe the bug
In Debian Bookworm I have lots of failed sshd attempts, but CrowdSec ignores them:

# journalctl -u ssh -n 20
Nov 19 22:22:50 vpscheap.redacted.com sshd[60259]: Connection closed by 118.27.24.104 port 58574 [preauth]
Nov 19 22:25:49 vpscheap.redacted.com sshd[60262]: Connection closed by 118.27.24.104 port 48380 [preauth]
Nov 19 22:28:47 vpscheap.redacted.com sshd[60264]: Connection closed by 118.27.24.104 port 38176 [preauth]
Nov 19 22:31:45 vpscheap.redacted.com sshd[60267]: Connection closed by 118.27.24.104 port 56208 [preauth]
Nov 19 22:34:42 vpscheap.redacted.com sshd[60269]: Connection closed by 118.27.24.104 port 46004 [preauth]

# cscli metrics | cat
Acquisition Metrics:
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+
| Source                                          | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket | Lines whitelisted |
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+
| journalctl:journalctl-_SYSTEMD_UNIT=ssh.service | 39         | -            | 39             | -                      | -                 |
+-------------------------------------------------+------------+--------------+----------------+------------------------+-------------------+
....
Parser Metrics:
+---------------------------------+------+--------+----------+
| Parsers                         | Hits | Parsed | Unparsed |
+---------------------------------+------+--------+----------+
| child-crowdsecurity/sshd-logs   | 546  | -      | 546      |
| child-crowdsecurity/syslog-logs | 39   | 39     | -        |
| crowdsecurity/sshd-logs         | 39   | -      | 39       |
| crowdsecurity/syslog-logs       | 39   | 39     | -        |
+---------------------------------+------+--------+----------+

To Reproduce
Run current Debian Bookworm?

Expected behavior
The attacker should be stopped.

Screenshots

Additional context
I attempted to create a PR to fix this:
#1168

@alacham alacham changed the title Debian Bookworm has slightly different connection attempt log Debian Bookworm has slightly different connection attempt log for sshd Nov 19, 2024
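
For triage while the lines stay unparsed, the check below matches the `Connection closed by ... [preauth]` format from the report and counts repeats per source address in a sliding window. It is an added example, not CrowdSec's sshd parser and not the change proposed in #1168; the threshold, window, default year, and the handling of the `authenticating user` / `invalid user` variants that OpenSSH also logs are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the journalctl output in the report above.
SAMPLE = """\
Nov 19 22:22:50 vpscheap.redacted.com sshd[60259]: Connection closed by 118.27.24.104 port 58574 [preauth]
Nov 19 22:25:49 vpscheap.redacted.com sshd[60262]: Connection closed by 118.27.24.104 port 48380 [preauth]
Nov 19 22:28:47 vpscheap.redacted.com sshd[60264]: Connection closed by 118.27.24.104 port 38176 [preauth]
Nov 19 22:31:45 vpscheap.redacted.com sshd[60267]: Connection closed by 118.27.24.104 port 56208 [preauth]
Nov 19 22:34:42 vpscheap.redacted.com sshd[60269]: Connection closed by 118.27.24.104 port 46004 [preauth]
"""

# Bare form seen in the report, plus the optional "<kind> user <name>" prefix.
PREAUTH_CLOSE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection closed by (?:(?:authenticating|invalid) user (?P<user>\S*) )?"
    r"(?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) \[preauth\]$"
)

def parse(line, year=2024):
    """Return (timestamp, ip, user) or None; syslog omits the year, so it is assumed."""
    m = PREAUTH_CLOSE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def flag_sources(lines, threshold=5, window=timedelta(minutes=15)):
    """Map each source IP to its peak preauth-close count in any window, if >= threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_ip[ev[1]].append(ev[0])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE.splitlines()))
```
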