IPFire Core 164: Guardian erroneously blocking SSH connections?

I noticed the usual Core 164 IPS page with “please wait”.

So I logged in with SSH from a local PC to clear any locks in /TMP.

Right after login I got timed out.
I can’t use SSH, the WUI or even ping the firewall.

Other local PCs got banned as well and can’t connect to the Internet at all,
no ping. Other PCs are working fine.

I rebooted IPFire and everything seems to be OK.
Then I noticed the Guardian log banned the IPs.
This has never happened before; suddenly, for no reason, it bans.
Is this something new to Core 164?


guardian[15887]: <info> Guardian 2.0.2 successfully started...
guardian[15887]: <info> Blocking 192.168.1.5 for 8640000 seconds...
guardian[15887]: <info> port - 64922:11 SSH Possible SSH-Bruteforce Attack - failed preauth.
guardian[15887]: <info> Shutting down...
guardian[15854]: <info> Guardian 2.0.2 successfully started...

Hi,

apologies for the late reply.

No, not that I am aware of. Guardian is quite stable and to my understanding nearly feature-complete.

Also, Core Update 164 did not update an SSH-related component on IPFire. What SSH client did you use? Are there any log messages (especially interesting would be authentication failures) related to SSH if you logon to IPFire?

Thanks, and best regards,
Peter Müller

1 Like

I have been using MobaXterm 11, which uses the PuTTY terminal and SSH client.

Hi,

that is odd indeed then. For special or homemade SSH clients (most notably custom things built on top of libssh), sometimes the IPS complains as well, or the SSH daemon logs some messages interpreted by Guardian as a brute-force attempt.

What log messages does

grep -i sshd /var/log/messages

print if you try to log in to your IPFire machine by SSH?

Thanks, and best regards,
Peter Müller

1 Like

Guardian blocked me again, right after the update to 167.
It seems to be a pattern since 164…167:
1 - update
2 - reboot
3 - try to log in to SSH
4 - get banned for 100 days

Mar 23 10:54:36 IPFIRE sshd[15339]: Server listening on 0.0.0.0 port 222.
Mar 23 10:54:36 IPFIRE sshd[15339]: Received signal 15; terminating.
Mar 23 10:54:36 IPFIRE sshd[15346]: Server listening on 0.0.0.0 port 222.

Mar 23 10:59:54 IPFIRE sshd[15984]: Accepted password for root from 192.168.0.89 port 52191 ssh2
Mar 23 10:59:54 IPFIRE sshd[15990]: Received disconnect from 192.168.0.89 port 52192:11: Unsupported cipher [preauth]
Mar 23 10:59:54 IPFIRE sshd[15990]: Disconnected from 192.168.0.89 port 52192 [preauth]

Mar 23 11:27:59 IPFIRE sshd[19415]: Server listening on 0.0.0.0 port 222.
Mar 23 11:27:59 IPFIRE sshd[19415]: Received signal 15; terminating.
Mar 23 11:27:59 IPFIRE sshd[19422]: Server listening on 0.0.0.0 port 222.
Mar 23 11:28:15 IPFIRE apcupsd[15874]: 000.0,000.0,121.0,00.00,00.00,03.0,00.0,000.0,000.0,121.0,100.0,0
Mar 23 11:28:15 IPFIRE sshd[19486]: Accepted password for root from 10.10.10.15 port 63819 ssh2
Mar 23 11:28:16 IPFIRE sshd[19493]: Received disconnect from 10.10.10.15 port 63820:11: Unsupported cipher [preauth]
Mar 23 11:09:41 IPFIRE sshd[15346]: Received signal 15; terminating.

Mar 23 11:27:59 IPFIRE sshd[19415]: Server listening on 0.0.0.0 port 222.
Mar 23 11:27:59 IPFIRE sshd[19415]: Received signal 15; terminating.
Mar 23 11:27:59 IPFIRE sshd[19422]: Server listening on 0.0.0.0 port 222.
Mar 23 11:29:26 IPFIRE sshd[19486]: Timeout, client not responding from user root 10.10.10.15 port 63819

grep -i Guardian /var/log/messages
May  3 12:08:39 IPFIRE guardian[17662]: <info> Shutting down...
May  3 12:15:17 IPFIRE guardian[17272]: <info> Guardian 2.0.2 successfully started...
May  3 12:16:02 IPFIRE monit[17291]: 'messageLog' content match: May  3 00:08:39 IPFIRE guardian[17662]: <info> Shutting down...  May  3 00:15:17 IPFIRE guardian[17272]: <info> Guardian 2.0.2 successfully started...
May  3 12:23:02 IPFIRE guardian[17272]: <info> Blocking 192.168.0.89 for 8640000 seconds...
May  3 12:23:02 IPFIRE guardian[17272]: <info> port - 61904:11 SSH Possible SSH-Bruteforce Attack - failed preauth.
May  3 12:23:11 IPFIRE monit[17291]: 'messageLog' content match: May  3 00:23:02 IPFIRE guardian[17272]: <info> Blocking 192.168.0.89 for 8640000 seconds...  May  3 00:23:02 IPFIRE guardian[17272]: <info> port - 61904:11 SSH Possible SSH-Bruteforce Attack - failed preauth.
May  3 12:25:23 IPFIRE guardian[17272]: <info> Socket - User-requested action.
May  3 12:25:36 IPFIRE guardian[17272]: <info> Reloading ignore list...
May  3 12:26:16 IPFIRE monit[17291]: 'messageLog' content match: May  3 00:25:23 IPFIRE guardian[17272]: <info> Socket - User-requested action.  May  3 00:25:36 IPFIRE guardian[17272]: <info> Reloading ignore list...
[root@IPFIRE ~]#
The messages show the reason for the block.
Your client 10.10.10.15 establishes an SSH connection, which is accepted by IPFire’s sshd.
Then sshd receives a disconnect from the client, with the error ‘Unsupported cipher [preauth]’.
This message is interpreted by Guardian as an ‘SSH brute-force attack’.

Two questions remain:

  • Why does the client refuse the SSH connection?
  • Why is the disconnect by the client (not sshd) rated as a brute-force attack?
1 Like
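As an added illustration of the reading above (example code written for this thread, not Guardian’s source; the counting rule, the 5-second window and the 203.0.113.7 lines are assumptions), this parser classifies sshd lines and shows how a naive hit counter blocks the client after a preauth disconnect, while a rule that recognises a cipher mismatch right after a successful login from the same address does not:

```python
import re
from datetime import datetime

# Constructed sample: the first two lines mirror the posted pattern, the 203.0.113.7 lines are invented.
SAMPLE_LOG = """\
Mar 23 10:59:54 IPFIRE sshd[15984]: Accepted password for root from 192.168.0.89 port 52191 ssh2
Mar 23 10:59:54 IPFIRE sshd[15990]: Received disconnect from 192.168.0.89 port 52192:11: Unsupported cipher [preauth]
Mar 23 11:05:01 IPFIRE sshd[16001]: Failed password for root from 203.0.113.7 port 40000 ssh2
Mar 23 11:05:02 IPFIRE sshd[16001]: Failed password for root from 203.0.113.7 port 40000 ssh2
Mar 23 11:05:03 IPFIRE sshd[16001]: Received disconnect from 203.0.113.7 port 40000:11: Bye Bye [preauth]
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
CLIENT = re.compile(r"from (\d+\.\d+\.\d+\.\d+) port")

def parse_sshd(text):
    """Return (time, client_ip, kind, reason) for the sshd lines a blocker would look at."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        ip = CLIENT.search(m.group(2)) if m else None
        if not ip:
            continue  # listen/terminate lines and other daemons carry no client IP
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith(("Accepted ", "Failed ")):
            kind, reason = msg.split()[0].lower(), ""
        elif msg.startswith("Received disconnect") and msg.endswith("[preauth]"):
            # client hung up before authenticating; the text after ':11:' is its stated reason
            kind, reason = "preauth_disconnect", msg.split(":11:", 1)[-1][:-len("[preauth]")].strip()
        else:
            continue
        events.append((ts, ip.group(1), kind, reason))
    return events

def verdicts(events, threshold=1, window_s=5, tuned=False):
    """Assumed rule: failed passwords and preauth disconnects are brute-force hits, `threshold`
    hits block the IP. With tuned=True an 'Unsupported cipher' disconnect within window_s seconds
    of a successful login from the same IP is recorded as a client-side negotiation failure instead."""
    last_ok, hits, verdict = {}, {}, {}
    for ts, ip, kind, reason in events:
        if kind == "accepted":
            last_ok[ip] = ts
            continue
        recent_ok = ip in last_ok and (ts - last_ok[ip]).total_seconds() <= window_s
        if tuned and reason == "Unsupported cipher" and recent_ok:
            verdict[ip] = "client_cipher_mismatch"
            continue
        hits[ip] = hits.get(ip, 0) + 1
        if hits[ip] >= threshold:
            verdict[ip] = "block"
    return verdict
```

With the naive rule both addresses end up blocked; with the tuned rule only the address that actually failed authentication does.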

Also client 192.168.0.89 had the same message at 10:59:54.

In both cases I would look at the SSH logs on those client machines to see what they say.

You can also increase the debugging level on your client machine by adding -v or -vv or -vvv to your ssh command. These give you increasing debugging levels.

2 Likes

Hi.
:thinking:
Maybe the links below will be helpful?

If not, please tell me and I will remove my post.

Regards

1 Like

Yes, all clients basically get banned by IPFire / Guardian and have no Internet until the ban is removed.

This is the only thing I could find in SSH log

(SSH-Browser) ElSSH1AuthenticationFailed(1, PUBLICKEY)
(SSH-Browser) ElSSH1AuthenticationFailed(1, PUBLICKEYAGENT)
(SSH-Browser) ElSSH1AuthenticationAttempt(1, PASSWORD)

And the debugging option is kind of missing:

It sounds like there could be something about the key and OpenSSH in MobaXterm. Thank you @tphz

1 Like