I am getting a lot of failed ssh login attempts from one specific IP address, with a strange error. I cannot make sense of what I find on Google, so I thought it might be a new kind of attack.
Basically, every 25 seconds I get the following two lines in my journal log (the packet length differs each time):
Jun 01 08:35:14 k002271d sshd[10615]: Bad packet length 516882381. [preauth]
Jun 01 08:35:25 k002271d sshd[10540]: Connection closed by 62.210.XXX.XXX [preauth]
I have no problems logging in with a key. I am using the latest version of OpenSSH (OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015), but I have enabled some additional ciphers to allow connections from an older server, using the string proposed here:
Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Update, 2016-06-21:
As proposed by @Castaglia, I removed the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods (mentioned in the libssh-0.7.3 release notes), resulting in this string:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
The error messages stopped appearing, but I am still not 100% sure this was the fix, because the errors occur so rarely. For now I am leaving the question unanswered.
Update, 2016-06-06:
Finally, after almost a week, I was able to catch the same attack and log it with LogLevel DEBUG3 as suggested by Jakuje. The following log shows two consecutive attempts from a different server than the first time:
Jun 06 07:16:29 server sshd[565]: debug3: fd 5 is not O_NONBLOCK
Jun 06 07:16:29 server sshd[565]: debug1: Forked child 15573.
Jun 06 07:16:29 server sshd[565]: debug3: send_rexec_state: entering fd = 10 config len 1263
Jun 06 07:16:29 server sshd[565]: debug3: ssh_msg_send: type 0
Jun 06 07:16:29 server sshd[565]: debug3: send_rexec_state: done
Jun 06 07:16:29 server sshd[15573]: debug3: oom_adjust_restore
Jun 06 07:16:29 server sshd[15573]: Set /proc/self/oom_score_adj to 0
Jun 06 07:16:29 server sshd[15573]: debug1: rexec start in 5 out 5 newsock 5 pipe 9 sock 10
Jun 06 07:16:29 server sshd[15573]: debug1: inetd sockets after dupping: 3, 3
Jun 06 07:16:29 server sshd[15573]: Connection from 125.212.XXX.XXX port 46328 on XXX.XXX.XXX.XXX port 22
Jun 06 07:16:29 server sshd[15573]: debug1: Client protocol version 2.0; client software version libssh-0.2
Jun 06 07:16:29 server sshd[15573]: debug1: no match: libssh-0.2
Jun 06 07:16:29 server sshd[15573]: debug1: Enabling compatibility mode for protocol 2.0
Jun 06 07:16:29 server sshd[15573]: debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
Jun 06 07:16:29 server sshd[15573]: debug2: fd 3 setting O_NONBLOCK
Jun 06 07:16:29 server sshd[15573]: debug2: Network child is on pid 15574
Jun 06 07:16:29 server sshd[15573]: debug3: preauth child monitor started
Jun 06 07:16:29 server sshd[15573]: debug3: privsep user:group 104:65534 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: permanently_set_uid: 104/65534 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: SSH2_MSG_KEXINIT received [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: diffie-hellman-group1-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: ssh-rsa [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: 3des-cbc [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: 3des-cbc [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: none [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: none [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: mac_setup: setup hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: mac_setup: setup hmac-sha1 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
Jun 06 07:16:29 server sshd[15573]: debug2: bits set: 505/1024 [preauth]
Jun 06 07:16:29 server sshd[15573]: debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
Jun 06 07:16:30 server sshd[15573]: debug2: bits set: 506/1024 [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_key_sign entering [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_request_send entering: type 6 [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_request_receive entering [preauth]
Jun 06 07:16:30 server sshd[15573]: debug3: mm_request_receive entering
Jun 06 07:16:30 server sshd[15573]: debug3: monitor_read: checking request 6
Jun 06 07:16:30 server sshd[15573]: debug3: mm_answer_sign
Jun 06 07:16:30 server sshd[15573]: debug3: mm_answer_sign: signature 0x7ff127ec8ce0(271)
Jun 06 07:16:30 server sshd[15573]: debug3: mm_request_send entering: type 7
Jun 06 07:16:30 server sshd[15573]: debug2: monitor_read: 6 used once, disabling now
Jun 06 07:16:30 server sshd[15573]: debug2: kex_derive_keys [preauth]
Jun 06 07:16:30 server sshd[15573]: debug2: set_newkeys: mode 1 [preauth]
Jun 06 07:16:30 server sshd[15573]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Jun 06 07:16:30 server sshd[15573]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Jun 06 07:16:30 server sshd[15573]: debug2: set_newkeys: mode 0 [preauth]
Jun 06 07:16:30 server sshd[15573]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Jun 06 07:16:30 server sshd[15573]: debug1: KEX done [preauth]
Jun 06 07:16:30 server sshd[15573]: Bad packet length 2295582317. [preauth]
Jun 06 07:16:34 server sshd[15498]: Connection closed by 125.212.XXX.XXX [preauth]
Jun 06 07:16:34 server sshd[15498]: debug1: do_cleanup [preauth]
Jun 06 07:16:34 server sshd[15498]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Jun 06 07:16:34 server sshd[15498]: debug1: monitor_read_log: child log fd closed
Jun 06 07:16:34 server sshd[15498]: debug3: mm_request_receive entering
Jun 06 07:16:34 server sshd[15498]: debug1: do_cleanup
Jun 06 07:16:34 server sshd[15498]: debug3: PAM: sshpam_thread_cleanup entering
Jun 06 07:16:34 server sshd[15498]: debug1: Killing privsep child 15499
Jun 06 07:16:57 server sshd[565]: debug3: fd 5 is not O_NONBLOCK
Jun 06 07:16:57 server sshd[565]: debug1: Forked child 15611.
Jun 06 07:16:57 server sshd[565]: debug3: send_rexec_state: entering fd = 10 config len 1263
Jun 06 07:16:57 server sshd[565]: debug3: ssh_msg_send: type 0
Jun 06 07:16:57 server sshd[565]: debug3: send_rexec_state: done
Jun 06 07:16:57 server sshd[15611]: debug3: oom_adjust_restore
Jun 06 07:16:57 server sshd[15611]: Set /proc/self/oom_score_adj to 0
Jun 06 07:16:57 server sshd[15611]: debug1: rexec start in 5 out 5 newsock 5 pipe 9 sock 10
Jun 06 07:16:57 server sshd[15611]: debug1: inetd sockets after dupping: 3, 3
Jun 06 07:16:57 server sshd[15611]: Connection from 125.212.XXX.XXX port 49390 on XXX.XXX.XXX.XXX port 22
Jun 06 07:16:57 server sshd[15611]: debug1: Client protocol version 2.0; client software version libssh-0.2
Jun 06 07:16:57 server sshd[15611]: debug1: no match: libssh-0.2
Jun 06 07:16:57 server sshd[15611]: debug1: Enabling compatibility mode for protocol 2.0
Jun 06 07:16:57 server sshd[15611]: debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
Jun 06 07:16:57 server sshd[15611]: debug2: fd 3 setting O_NONBLOCK
Jun 06 07:16:57 server sshd[15611]: debug2: Network child is on pid 15612
Jun 06 07:16:57 server sshd[15611]: debug3: preauth child monitor started
Jun 06 07:16:57 server sshd[15611]: debug3: privsep user:group 104:65534 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: permanently_set_uid: 104/65534 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: SSH2_MSG_KEXINIT received [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: diffie-hellman-group1-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: ssh-rsa [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: 3des-cbc [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: 3des-cbc [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: none [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: none [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: mac_setup: setup hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: mac_setup: setup hmac-sha1 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
Jun 06 07:16:57 server sshd[15611]: debug2: bits set: 511/1024 [preauth]
Jun 06 07:16:57 server sshd[15611]: debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
Jun 06 07:16:58 server sshd[15611]: debug2: bits set: 516/1024 [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_key_sign entering [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_request_send entering: type 6 [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_request_receive entering [preauth]
Jun 06 07:16:58 server sshd[15611]: debug3: mm_request_receive entering
Jun 06 07:16:58 server sshd[15611]: debug3: monitor_read: checking request 6
Jun 06 07:16:58 server sshd[15611]: debug3: mm_answer_sign
Jun 06 07:16:58 server sshd[15611]: debug3: mm_answer_sign: signature 0x7fb75f3b5690(271)
Jun 06 07:16:58 server sshd[15611]: debug3: mm_request_send entering: type 7
Jun 06 07:16:58 server sshd[15611]: debug2: monitor_read: 6 used once, disabling now
Jun 06 07:16:58 server sshd[15611]: debug2: kex_derive_keys [preauth]
Jun 06 07:16:58 server sshd[15611]: debug2: set_newkeys: mode 1 [preauth]
Jun 06 07:16:58 server sshd[15611]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Jun 06 07:16:58 server sshd[15611]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Jun 06 07:16:58 server sshd[15611]: debug2: set_newkeys: mode 0 [preauth]
Jun 06 07:16:58 server sshd[15611]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Jun 06 07:16:58 server sshd[15611]: debug1: KEX done [preauth]
Jun 06 07:16:58 server sshd[15611]: Bad packet length 1877023791. [preauth]
Jun 06 07:17:02 server sshd[15535]: Connection closed by 125.212.XXX.XXX [preauth]
Jun 06 07:17:02 server sshd[15535]: debug1: do_cleanup [preauth]
Jun 06 07:17:02 server sshd[15535]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Jun 06 07:17:02 server sshd[15535]: debug1: monitor_read_log: child log fd closed
Jun 06 07:17:02 server sshd[15535]: debug3: mm_request_receive entering
Jun 06 07:17:02 server sshd[15535]: debug1: do_cleanup
Jun 06 07:17:02 server sshd[15535]: debug3: PAM: sshpam_thread_cleanup entering
Jun 06 07:17:02 server sshd[15535]: debug1: Killing privsep child 15536
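The following is an added example, not part of the question above and not OpenSSH code. It does two things a defender would want when triaging the symptoms in this post: it pairs each "Bad packet length ... [preauth]" journal line with the following "Connection closed by <ip> [preauth]" line (note that in the logs above the two lines carry different sshd child PIDs, so pairing has to go by time order, not by PID), counts the events per source IP and reports whether they recur at a fixed interval like the 25-second cadence described; and it audits a sshd_config KexAlgorithms line for the legacy key-exchange methods the question removes. The log lines in SAMPLE_LOG are constructed for this example, modelled on the format in the question, with documentation IP addresses.

```python
"""Triage helpers for periodic sshd 'Bad packet length' events (added example).

Assumptions: journalctl's default output (no year in the timestamp), the
default sshd LogLevel where the client IP only appears on the 'Connection
closed by' line, and a sshd_config 'KexAlgorithms a,b,c' line as in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# The key-exchange methods the question's 2016-06-21 update removes; the
# first one is also what the libssh-0.2 client negotiated in the DEBUG3 log.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

TS = r"(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d)"
BAD_LEN_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Bad packet length (?P<len>\d+)\. \[preauth\]$")
CLOSED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Connection closed by (?P<ip>[\d.]+) \[preauth\]$")

# Constructed sample, modelled on the question's output (not real log data).
SAMPLE_LOG = """\
Jun 01 08:35:14 k002271d sshd[10615]: Bad packet length 516882381. [preauth]
Jun 01 08:35:25 k002271d sshd[10540]: Connection closed by 203.0.113.7 [preauth]
Jun 01 08:35:39 k002271d sshd[10621]: Bad packet length 2295582317. [preauth]
Jun 01 08:35:50 k002271d sshd[10615]: Connection closed by 203.0.113.7 [preauth]
Jun 01 08:36:04 k002271d sshd[10630]: Bad packet length 1877023791. [preauth]
Jun 01 08:36:15 k002271d sshd[10621]: Connection closed by 203.0.113.7 [preauth]
Jun 01 08:40:00 k002271d sshd[10700]: Connection closed by 198.51.100.9 [preauth]
"""


def _parse_ts(s, year=2016):
    # journalctl omits the year; assume one so time deltas can be computed.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def pair_bad_packets(log_text, window_s=30):
    """Return {ip: [timestamps]} of Bad-packet events, each attributed to the
    next 'Connection closed by' line that follows it within window_s seconds."""
    pending = []  # Bad-packet timestamps not yet matched to a closing line
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = BAD_LEN_RE.match(line)
        if m:
            pending.append(_parse_ts(m.group("ts")))
            continue
        m = CLOSED_RE.match(line)
        if not m:
            continue
        closed_at = _parse_ts(m.group("ts"))
        # Drop stale events that no closing line claimed in time.
        pending = [t for t in pending if (closed_at - t).total_seconds() <= window_s]
        if pending:
            by_ip[m.group("ip")].append(pending.pop(0))
    return dict(by_ip)


def periodic_sources(by_ip, min_events=3, jitter_s=5):
    """IPs whose Bad-packet events recur at a near-constant interval,
    mapped to that interval in whole seconds (scanner-like behaviour)."""
    out = {}
    for ip, times in by_ip.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            out[ip] = round(sum(gaps) / len(gaps))
    return out


def audit_kex(config_line):
    """Legacy KEX methods present in a 'KexAlgorithms a,b,c' sshd_config line,
    in the order the server would offer them."""
    key, _, value = config_line.strip().partition(" ")
    if key != "KexAlgorithms":
        raise ValueError("not a KexAlgorithms line")
    return [alg for alg in value.split(",") if alg in LEGACY_KEX]


if __name__ == "__main__":
    events = pair_bad_packets(SAMPLE_LOG)
    print({ip: len(ts) for ip, ts in events.items()})
    print(periodic_sources(events))
    print(audit_kex("KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1"))
```

Run against real data with `journalctl -u ssh --no-pager | python3 triage.py` after swapping SAMPLE_LOG for stdin; the pairing window of 30 seconds is a guess tuned to the 25-second cadence in the post and should be narrowed if several scanners overlap, since the script attributes a Bad-packet event to whichever connection closes next.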