Bug 2199 - "Too many authentication failures for root" does not log IP
Summary: "Too many authentication failures for root" does not log IP
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 6.4p1
Hardware: All Linux
Importance: P5 enhancement
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_6_7
Reported: 2014-02-04 19:38 AEDT by sshbugzilla.apriori
Modified: 2014-10-08 08:00 AEDT (History)

See Also:


Attachments
Log authentication tries exceeded in similar format to success/failure (2.06 KB, patch)
2014-07-03 14:05 AEST, Damien Miller
dtucker: ok+

Description sshbugzilla.apriori 2014-02-04 19:38:41 AEDT
It would be useful if all log messages relating to authentication failures would include the IP of the remote host.

In particular, the remote host is currently missing for the following message:
> Disconnecting: Too many authentication failures for root [preauth]

Including the remote host would enable countermeasures against the flooding of the logs, e.g. by employing a filter for fail2ban, which is currently not possible because no IP address can be correlated with the auth failures.
Comment 1 Darren Tucker 2014-03-06 22:00:48 AEDT
I think what you want is in 6.5:

auth.c in 6.5 has:

revision 1.160
date: 2013-06-02 07:41:51 +1000;  author: dtucker;  state: Exp;  lines: +26 -4;
   - djm@cvs.openbsd.org 2013/05/19 02:42:42
     [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
     Standardise logging of supplemental information during userauth. Keys
     and ruser is now logged in the auth success/failure message alongside
     the local username, remote host/port and protocol in use. Certificates
     contents and CA are logged too.
     Pushing all logging onto a single line simplifies log analysis as it is
     no longer necessary to relate information scattered across multiple log
     entries. "I like it" markus@
I don't think the exact line you're quoting has an IP address (it's a copy of the disconnection message sent to the client) but all of the details you want should be available in other messages.
Comment 2 sshbugzilla.apriori 2014-03-08 03:34:28 AEDT
Hi! I observed this behaviour on 6.5, so the revision you quoted should be incorporated.

We discussed the idea of combining information from multiple log messages in https://github.com/fail2ban/fail2ban/pull/45 . In particular, one would have to combine the info from the IP-less “too many auth failures” message with the subsequent “disconnecting” message. However, it appeared as if correlating the two messages can’t be done out of the box because the PIDs are not identical.

Someone suggested that setting the log level to verbose would produce “connection from” messages, which include the remote host’s IP, and whose PID matches the one from the “too many auth failures” message. So this might be a way to get a hold of the desired information.
Comment 3 Roland Friedwagner 2014-04-03 22:24:24 AEDT
Confirm this Bug for openssh version 6.6p1
Comment 4 Damien Miller 2014-07-03 14:05:30 AEST
Created attachment 2449 [details]
Log authentication tries exceeded in similar format to success/failure

This patch logs the tries-exceeded message using a similar format to the success/failure messages:

Jul  3 14:02:12 haru sshd[1334]: Disconnecting: Too many authentication failures for djm from 127.0.0.1 port 27781 ssh2 [preauth]

and for invalid users:

Jul  3 14:03:02 haru sshd[6474]: Disconnecting: Too many authentication failures for invalid user xxx from 127.0.0.1 port 34633 ssh2 [preauth]
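The two lines above are exactly what a log filter of the kind the reporter mentions needs. The following is an added example, not part of this bug thread or of fail2ban's own sshd filter: it parses the 6.7-style message (both the plain-user and the "invalid user" variants), extracts the remote host and port, and returns nothing for the older IP-less message, so the old line can never be attributed to a host by mistake. The syslog prefix format is assumed to match the lines quoted in comment 4.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Pattern for the 6.7-style "tries exceeded" message quoted in comment 4.
# The optional "invalid user " marker covers the second variant; the older
# 6.4-6.6 message has no "from ... port ..." part and so does not match.
TRIES_EXCEEDED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: Too many authentication failures for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+) ssh2"
)


class TriesExceeded(NamedTuple):
    pid: int
    user: str
    invalid_user: bool
    host: str
    port: int


def parse_tries_exceeded(line: str) -> Optional[TriesExceeded]:
    """Return the parsed event for a new-format line, or None for any other line
    (including the old IP-less message, which carries no host to act on)."""
    m = TRIES_EXCEEDED_RE.search(line)
    if m is None:
        return None
    return TriesExceeded(int(m["pid"]), m["user"], m["invalid"] is not None,
                         m["host"], int(m["port"]))


def count_by_host(lines) -> Counter:
    """Tally tries-exceeded events per remote host; this is the per-source count
    a ban threshold would be applied to."""
    return Counter(ev.host for ev in map(parse_tries_exceeded, lines) if ev is not None)


# Constructed sample log: the two new-format lines from comment 4 plus one
# old-format line (the message the reporter complained about).
SAMPLE_LOG = [
    "Jul  3 14:02:12 haru sshd[1334]: Disconnecting: Too many authentication failures "
    "for djm from 127.0.0.1 port 27781 ssh2 [preauth]",
    "Jul  3 14:03:02 haru sshd[6474]: Disconnecting: Too many authentication failures "
    "for invalid user xxx from 127.0.0.1 port 34633 ssh2 [preauth]",
    "Feb  4 19:38:00 haru sshd[999]: Disconnecting: Too many authentication failures "
    "for root [preauth]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_tries_exceeded(line))
    print(dict(count_by_host(SAMPLE_LOG)))
```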
Comment 5 Damien Miller 2014-07-03 21:18:42 AEST
patch applied - will be in openssh-6.7
Comment 6 Damien Miller 2014-10-08 08:00:45 AEDT
Close all bugs left open from 6.6 and 6.7 releases.