Bug 2327

Summary: sshd to log one unique string or prefix after connection failure, no matter why.
Product: Portable OpenSSH Reporter: octavsly
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: dtucker, karl
Priority: P5    
Version: 6.7p1   
Hardware: All   
OS: Linux   

Description octavsly 2014-12-14 09:45:49 AEDT 
To allow fail2ban to correctly ban some sshd attacks, more information would be needed to be logged:

More is discussed at: https://github.com/fail2ban/fail2ban/issues/864


==Quote=====
It make more sense, if at last sshd would log one unique string or prefix after connection failure, no matter why.
Something like:

Nov 25 01:33:13 srv sshd[...]: Failure from <HOST>: <here can be a reason why ...>

Or if sshd gets a system callback (like call_if_fails) with address of failed connection. Then we can self produce a failure for fail2ban.
====================
Comment 1 Karl Schmidt 2016-08-02 00:14:14 AEST 
This poorly titled bug has been around a long time.  The key is the IP address is missing. 

This bug is alive at Cisco
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv42794

It is also listed as a bug in Debian 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726579


Having the IP address on the same line - with info log level is obviously needed for identifying attackers..

From /var/log/auth.log

Jul 28 08:37:27 hostname sshd[12053]: fatal: no matching cipher found: client 
aes128-cbc,blowfish-cbc,3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr [preauth]

Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a key exchange method [preauth]

I think more examples of the missing IP address exist.
Comment 2 Darren Tucker 2016-08-02 00:43:11 AEST 
(In reply to Karl Schmidt from comment #1)
[...]
> Jul 28 08:58:38 hostname sshd[12512]: fatal: Unable to negotiate a
> key exchange method [preauth]

These ones have been fixed for a while:

$ ssh -p 2022 -o kexalgorithms=diffie-hellman-group1-sha1 localhost

ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching key exchange method found [preauth]

$ ssh -p 2022 -o ciphers=3des-cbc localhost

ssh_dispatch_run_fatal: Connection to 127.0.0.1: no matching cipher found [preauth]
Comment 3 Karl Schmidt 2016-08-02 05:17:53 AEST 
I'm running 6.7p1  - at which version fixed this?  (No backport for Debian stable )

If fixed, we should close these bugs..
Comment 4 Darren Tucker 2016-08-02 15:15:07 AEST 
It varies depending on exactly which bit you are looking at.

Remote IP addresses: bug#2257 since at least 6.9:
https://anongit.mindrot.org/openssh.git/commit/?id=639d6bc5

Remote port numbers: bug#2503, first in 7.2
https://anongit.mindrot.org/openssh.git/commit/?id=a4b9e0f4
Comment 5 Damien Miller 2021-04-23 15:03:58 AEST 
closing resolved bugs as of 8.6p1 release