[Bug 1534340] [NEW] openssh server 6.6 does not report max auth failures

Kees Cook Thu, 14 Jan 2016 14:11:14 -0800

Public bug reported:

Brute force attacks against openssh on Trusty will not log "max auth"
key-based attempts, leaving their brute forcing invisible to the logs
and anything that consumes logs, like fail2ban. Version 6.7 introduced
the logging, but it's missing in Trusty. Since Trusty is LTS, it would
seem sensible to have this feature backported.


[Impact] Bruce force attempts using private keys are invisible to logs,
which renders defenses like fail2ban useless.

[Test case] Create 20 SSH keys, try to log in over SSH, note lack of
logging the failures.

[Regression Potential] Very unlikely regression potential as the "max
auth" condition is already handled in code, it just wasn't logging. The
change only adds the missing logging.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: openssh (Ubuntu Trusty)
     Importance: Undecided
     Assignee: Kees Cook (kees)
         Status: New

** Also affects: openssh (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: openssh (Ubuntu)
       Status: New => Fix Released

** Changed in: openssh (Ubuntu Trusty)
     Assignee: (unassigned) => Kees Cook (kees)

** Description changed:

  Brute force attacks against openssh on Trusty will not log "max auth"
  key-based attempts, leaving their brute forcing invisible to the logs
  and anything that consumes logs, like fail2ban. Version 6.7 introduced
  the logging, but it's missing in Trusty. Since Trusty is LTS, it would
  seem sensible to have this feature backported.
+ 
+ [Impact] Bruce force attempts using private keys are invisible to logs,
+ which renders defenses like fail2ban useless.
+ 
+ [Test case] Create 20 SSH keys, try to log in over SSH, note lack of
+ logging the failures.
+ 
+ [Regression Potential] Very unlikely regression potential as the "max
+ auth" condition is already handled in code, it just wasn't logging. The
+ change only adds the missing logging.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340

Title:
  openssh server 6.6 does not report max auth failures

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1534340] [NEW] openssh server 6.6 does not report max auth failures

Reply via email to