So, I've been noticing a rash of SSH connections getting a "failed password for root" recently, and yet they're not being caught and blocked by blocklistd. Unlike those that do get blocked, these all have "[preauth]" tacked onto the end of all but the "Failed" entry:

    sshd[1340]: SSH: Server;Ltype: Kex;Remote: 177.22.113.74-44680;Enc: aes128-ctr;MAC: hmac-sha2-256-etm@openssh.com;Comp: none [preauth]
    sshd[1340]: SSH: Server;Ltype: Authname;Remote: 177.22.113.74-44680;Name: root [preauth]
    sshd[1340]: Failed password for root from 177.22.113.74 port 44680 ssh2
    sshd[1340]: Connection closed by authenticating user root 177.22.113.74 port 44680 [preauth]

I'm struggling to find where these are coming from in the code, and why they aren't being passed to blocklistd. Every place I see where the "Failed" message can be generated, there's an associated call to pfilter_notify(). I think these "preauth" messages must be coming from the code in monitor.c, but both the auth_log() calls there have pfilter_notify() calls for the "Failed" state.

-- 
Greg A. Woods <gwoods@acm.org>
Kelowna, BC   +1 250 762-7675   RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>   Avoncote Farms <woods@avoncote.ca>
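As an added example for this thread (not code from sshd, blocklistd, or the poster), the following Python script correlates sshd "Failed password" lines with the "[preauth]" connection-close line of the same session, keyed on the (pid, peer IP, peer port) triple that sshd prints on both. That gives a defender an independent count of the failures that closed in the preauth state, which is exactly the population the post says blocklistd is not seeing and can be compared against what blocklistd actually blocked. The log lines, process IDs, and addresses are constructed to mimic the format quoted above and are not real observations.

```python
"""Correlate sshd 'Failed password' events with '[preauth]' close lines.

Added example for this thread; not code from sshd or blocklistd. The sample
log is constructed to match the quoted format (documentation-range IPs).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: two root sessions from one peer, one "invalid user"
# session from another, and an accepted login that must be ignored.
SAMPLE_LOG = """\
sshd[1340]: SSH: Server;Ltype: Kex;Remote: 192.0.2.10-44680;Enc: aes128-ctr;MAC: hmac-sha2-256-etm@openssh.com;Comp: none [preauth]
sshd[1340]: SSH: Server;Ltype: Authname;Remote: 192.0.2.10-44680;Name: root [preauth]
sshd[1340]: Failed password for root from 192.0.2.10 port 44680 ssh2
sshd[1340]: Connection closed by authenticating user root 192.0.2.10 port 44680 [preauth]
sshd[1352]: Failed password for root from 192.0.2.10 port 44702 ssh2
sshd[1352]: Failed password for root from 192.0.2.10 port 44702 ssh2
sshd[1352]: Disconnected from authenticating user root 192.0.2.10 port 44702 [preauth]
sshd[1355]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
sshd[1355]: Connection closed by invalid user admin 198.51.100.7 port 50122 [preauth]
sshd[1360]: Accepted publickey for alice from 203.0.113.5 port 60001 ssh2: ED25519 SHA256:constructed
"""

# "Failed password for [invalid user] USER from IP port PORT ssh2"
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
# "Connection closed by|Disconnected from authenticating|invalid user USER IP port PORT [preauth]"
CLOSED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Connection closed by|Disconnected from) "
    r"(?:authenticating|invalid) user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)"
    r"(?P<preauth> \[preauth\])?"
)


@dataclass
class Failure:
    pid: int
    user: str
    ip: str
    port: int
    closed_preauth: bool = False  # set once the session's [preauth] close line is seen


def parse_failures(log_text):
    """Return one Failure per 'Failed password' line, tagged with whether the
    same (pid, ip, port) session later closed while still in preauth."""
    sessions = defaultdict(list)  # (pid, ip, port) -> [Failure, ...]
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)  # search(): tolerates a syslog prefix
        if m:
            key = (int(m["pid"]), m["ip"], int(m["port"]))
            sessions[key].append(Failure(key[0], m["user"], key[1], key[2]))
            continue
        m = CLOSED_RE.search(line)
        if m and m["preauth"]:
            key = (int(m["pid"]), m["ip"], int(m["port"]))
            for failure in sessions.get(key, []):
                failure.closed_preauth = True
    return [f for session in sessions.values() for f in session]


def summarize_by_ip(failures):
    """Map peer IP -> (total failed passwords, failures whose session closed
    in preauth). The second figure is what a blocklist daemon should have
    been notified about for that peer."""
    totals = defaultdict(lambda: [0, 0])
    for f in failures:
        totals[f.ip][0] += 1
        if f.closed_preauth:
            totals[f.ip][1] += 1
    return {ip: tuple(counts) for ip, counts in totals.items()}


if __name__ == "__main__":
    summary = summarize_by_ip(parse_failures(SAMPLE_LOG))
    for ip, (total, preauth) in sorted(summary.items()):
        print(f"{ip:16} failed={total} closed-in-preauth={preauth}")
```

Feed it the real auth log instead of SAMPLE_LOG and diff the resulting addresses against `blocklistctl dump` output: any peer with a non-zero second count that blocklistd never recorded is a concrete case of a "Failed" event that did not reach it through pfilter_notify().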