Bug when filtering unsuccessful SSH logins
Posted: 08 Dec 2010, 19:15
Hi,
I've noticed something while playing with CSF that I guess could be considered as a bug. First, let me put you in situation.
- Standard CSF v5.13 installation through sh ./install.sh, no web interface, just pure text.
- OpenSSH server on ports 22 and 6022. This is configured with the following lines in sshd_config:
Port 22
Port 6022
- csf.allow with the following content
tcp|in|d=22|d=xxx.xxx.xxx.xxx
When someone tries to log in several times to port 22, LFD detects this and attempts to lock out the IP trying to log in, but it locks out requests to tcp port 6022 instead of 22, according to the resulting csf.deny entry:
tcp|in|d=6022|s=xxx.xxx.xxx.xxx # 'lfd: 5 (sshd) login failures from xxxx (FR/France/xxxxx) in the last 300 secs' - Wed Dec 8 19:30:18 2010
I don't know the reason behind this because 6022 is not even open to the Internet; it was left open in sshd_config by mistake. I guess this has to do with how lfd looks up the port ssh2 is sitting on; I can guess that if lfd is using the "lsof" command to look up the port, that could be the reason why it gets 6022 instead of 22.
The outcome is that lfd sends multiple messages saying it has locked out the IP address but never actually locks it out, so you keep getting tons of these messages while the aggressor is brute forcing.
Please let me know if you need further details to reproduce the scenario on my side.
P.S. CSF is a great product, keep up the level.
Regards,
Mario
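A check a defender can run to spot the situation described in this report, where an sshd-triggered csf.deny entry names a port other than the one that was attacked: this is added example code, not part of the post or of CSF/lfd. The sshd_config fragment and csf.deny lines are constructed samples modelled on the post; the attacked port (22) is assumed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sshd_config fragment: two Port directives, as in the report.
SSHD_CONFIG = """\
Port 22
Port 6022
PermitRootLogin no
"""

# Constructed csf.deny content in lfd's format: the first entry blocks 6022
# although the failures were against 22, the second blocks 22 correctly.
CSF_DENY = """\
tcp|in|d=6022|s=203.0.113.7 # 'lfd: 5 (sshd) login failures from 203.0.113.7 (XX/Example/host) in the last 300 secs' - Wed Dec 8 19:30:18 2010
tcp|in|d=22|s=198.51.100.9 # 'lfd: 5 (sshd) login failures from 198.51.100.9 (XX/Example/host) in the last 300 secs' - Wed Dec 8 19:31:02 2010
"""

DENY_RE = re.compile(
    r"^(?P<proto>\w+)\|(?P<dir>in|out)\|d=(?P<dport>\d+)\|s=(?P<src>[\d.]+)"
    r"(?:\s*#\s*'(?P<comment>[^']*)')?"
)

def sshd_ports(config: str) -> Set[int]:
    """Collect every Port directive from sshd_config text (sshd defaults to 22 if none)."""
    ports: Set[int] = set()
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "port":
            ports.add(int(parts[1]))
    return ports or {22}

def parse_deny(text: str) -> List[Dict[str, str]]:
    """Parse csf.deny lines of the form proto|in|d=PORT|s=IP # 'comment'."""
    entries = []
    for raw in text.splitlines():
        m = DENY_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def find_ineffective_blocks(deny_text: str, config: str, attacked_port: int = 22) -> List[Tuple[str, int]]:
    """Return (source IP, denied port) for sshd-triggered entries that do not cover attacked_port.
    Such a block leaves the attacked port open, so lfd keeps re-detecting the same source."""
    listening = sshd_ports(config)
    bad = []
    for e in parse_deny(deny_text):
        if "(sshd)" not in (e.get("comment") or ""):
            continue  # only look at blocks lfd attributed to sshd failures
        dport = int(e["dport"])
        if dport != attacked_port and dport in listening:
            bad.append((e["src"], dport))
    return bad
```

Run against a live system by reading /etc/ssh/sshd_config and /etc/csf/csf.deny instead of the constructed strings.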