Wrong parsing of ssh username in logs from bruteforce

wattie (Verified User, joined May 31, 2008, Bulgaria):
The brute force monitor is showing the following:

1631... | 116.110... | invalid | 1 | sshd3 | Sep 14 03:17:08 srv2 sshd[89172]: Failed keyboard-interactive/pam for invalid user test from 116.110... port 44658 ssh2

As you can see it incorrectly parses the username as "invalid" instead of "test".
 
I don't understand what you mean. It just says the user test is an invalid user. What should it have said according to you?
 
In the third column DA parsed the log and said that the user is called "invalid".
 
The problem is that DA counts the invalid login towards user "invalid" and not user "test". Therefore the message system sends the following messages:

Subject: Brute-Force Attack detected in service log on User(s) invalid
A brute force attack has been detected in one of your service logs.

User invalid has 100431 failed login attempts: sshd3=100431

As you can see, user "invalid" becomes a "catch all" user for all failed SSH logins.
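To show the parsing problem described in this thread side by side with a correct parse, here is an added Python example (not DirectAdmin's code, and not posted by anyone in the thread). The log lines, IPs and PIDs are constructed samples; the point is that the username is attacker-supplied, so the extractor must key on the fixed tokens around it ("for", the optional "invalid user" prefix, "from", "port") rather than on the first word after "for".

```python
import re

# Constructed sample sshd lines (placeholder IPs/PIDs), in the same shape
# as the line quoted in the thread; not taken from a real server.
SAMPLE_LINES = [
    "Sep 14 03:17:08 srv2 sshd[89172]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 44658 ssh2",
    "Sep 14 03:17:09 srv2 sshd[89173]: Failed password for invalid user admin from 192.0.2.10 port 44659 ssh2",
    "Sep 14 03:17:10 srv2 sshd[89174]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Sep 14 03:17:11 srv2 sshd[89175]: Failed keyboard-interactive/pam for alice from 198.51.100.7 port 51023 ssh2",
]


def naive_user(line):
    """Reproduces the reported bug: grabs the first token after 'for',
    so 'for invalid user test' yields 'invalid' instead of 'test'."""
    m = re.search(r"Failed \S+ for (\S+)", line)
    return m.group(1) if m else None


# Anchors on every fixed token sshd emits; the 'invalid user ' prefix is
# optional and captured separately so it can be reported, not mistaken
# for the username.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failed_login(line):
    """Return the parsed fields of a failed-login line, or None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "invalid_user": m.group("invalid") is not None,
    }


def correct_user(line):
    rec = parse_failed_login(line)
    return rec["user"] if rec else None


def count_by_user(lines, extract):
    """Tally failures per username using the given extractor, mirroring
    the per-user counts that drive the 'Brute-Force Attack detected' mail."""
    counts = {}
    for line in lines:
        user = extract(line)
        if user is not None:
            counts[user] = counts.get(user, 0) + 1
    return counts
```

Running `count_by_user(SAMPLE_LINES, naive_user)` yields a bogus catch-all "invalid" bucket, while `count_by_user(SAMPLE_LINES, correct_user)` attributes each failure to the name actually tried.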
 