Source IP missing in log when no suitable key exchange method found.

Stijn Jonker sjcjonker at sjc.nl
Tue Jan 13 06:39:11 AEDT 2015


Dear SSH Gurus,

Whilst reading the recent "Stribika" article [1] on tweaking the ssh algorithms, I decided to mimic this and some other tweaks to my sshd config. Well, it did one thing for sure: stopping most SSH brute force / scanners. Besides the normal "User xxx from yyy not allowed because not in AllowUsers" messages, or the failures due to public key only, the logs are now filled with:

Jan 12 20:17:28 <<REMOVED>> sshd[8888]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:19:16 <<REMOVED>> sshd[8890]: fatal: Unable to negotiate a key exchange method [preauth]

So the scanners don't support my selection of algorithms. Which is fine as well, but there is no source IP logged. Now I'm far from proficient in C, but if I'm reading correctly this is triggered from kex.c in the function choose_kex, and reading the various calls to it, none of them passes the source IP. This is assumed to be the reason why the IP is not logged, but maybe a good addition nevertheless?

Given my lack of C skills, no patch from my side, apologies.

Stijn

P.S. Whether the algorithms below make things more secure depends on each person's view / the goals to be achieved. But the lack of a source IP is hindering detection and fail2ban-like protection.

[maint@<<REMOVED>> ~]$ sshd -v
unknown option -- v
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]
[maint@<<REMOVED>> ~]$ grep -v -e ^# -e ^$ /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 600
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
MaxStartups 10:30:60
Banner /etc/issue.net
DebianBanner no
UseDNS no
AllowTcpForwarding no
GatewayPorts no
AllowUsers <<REMOVED>>
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthenticationMethods publickey
KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-ripemd160-etm at openssh.com,umac-128-etm at openssh.com

[1] https://stribika.github.io/2015/01/04/secure-secure-shell.html

-- 
Yours Sincerely / Met Vriendelijke groet,
Stijn Jonker
SJCJonker at SJC.nl
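As an added example (not part of this post and not OpenSSH code), one way to recover the source address for those fatal lines until sshd logs it itself: at LogLevel VERBOSE sshd emits a "Connection from <ip> port <port> ..." line from the same child process (an assumption about OpenSSH 6.x logging, not stated in the post), so the fatal line can be joined to it by the sshd[pid] in the syslog prefix and counted per source for fail2ban-style thresholds. The log lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in the syslog format shown in the report. The
# "Connection from ..." lines are assumed to come from sshd at LogLevel
# VERBOSE (assumption: OpenSSH 6.x logs them at that level, not at INFO).
SAMPLE_LOG = """\
Jan 12 20:17:27 host sshd[8888]: Connection from 198.51.100.23 port 41022 on 192.0.2.10 port 22
Jan 12 20:17:28 host sshd[8888]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:19:15 host sshd[8890]: Connection from 198.51.100.23 port 41100 on 192.0.2.10 port 22
Jan 12 20:19:16 host sshd[8890]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:20:01 host sshd[8891]: Connection from 203.0.113.7 port 50001 on 192.0.2.10 port 22
Jan 12 20:20:02 host sshd[8891]: Accepted publickey for maint from 203.0.113.7 port 50001 ssh2
Jan 12 20:21:00 host sshd[8892]: fatal: Unable to negotiate a key exchange method [preauth]
"""

CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port (\d+)")
KEX_FAIL_RE = re.compile(r"sshd\[(\d+)\]: fatal: Unable to negotiate a key exchange method")


def kex_failures_by_ip(log_text):
    """Return ({ip: failure count}, number of fatal lines with no known source)."""
    pending = {}            # pid -> source ip of the connection that child is handling
    counts = defaultdict(int)
    unattributed = 0
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            # a new connection on this pid replaces any stale entry (pid reuse)
            pending[m.group(1)] = m.group(2)
            continue
        m = KEX_FAIL_RE.search(line)
        if m:
            ip = pending.pop(m.group(1), None)  # the child exits after fatal()
            if ip is None:
                unattributed += 1               # no VERBOSE line seen: LogLevel INFO
            else:
                counts[ip] += 1
    return dict(counts), unattributed


def offenders(log_text, threshold):
    """Source addresses with at least `threshold` negotiation failures."""
    counts, _ = kex_failures_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(kex_failures_by_ip(SAMPLE_LOG), "ban candidates:", offenders(SAMPLE_LOG, 2))
```

With LogLevel INFO, as in the config above, every fatal line ends up in the unattributed count, which is exactly the gap the report describes.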