当PAM找到用户时，BRO不会记录ssh

Question

Hydra使用hydra -L ~/Documents/wordlists/Aliases.txt -P ~/Documents/wordlists/shortlist.txt -M servers.txt ssh -t 4 -V的输出

  

sharp67是PAM中的用户，而aaron1不是PAM中的用户。

[ATTEMPT] target 172.xx.x.12 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 1]
[ATTEMPT] target 172.xx.x.34 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 3]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 12]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 13]
[ATTEMPT] target 172.xx.x.40 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 18]
[ATTEMPT] target 172.xx.x.12 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 19]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 0]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 15]
[ATTEMPT] target 172.xx.x.33 - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 14]
[ATTEMPT] target 172.xx.x.40 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 6]
[ATTEMPT] target brotest-01.xxxxxx.edu- login "sharp67" - pass "aaaaaaay" - 25 of 390364 [child 16]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 8]
[ATTEMPT] target 172.xx.x.34 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 9]
[ATTEMPT] target 172.xx.x.33 - login "aaron1" - pass "aaaaaaab" - 28 of 390364 [child 20]
[ATTEMPT] target brotest-01.xxxxx.edu - login "sharp67" - pass "aaaaaaaz" - 26 of 390364 [child 22]
[ATTEMPT] target brotest-01.xxxxx.edu - login "aaron1" - pass "aaaaaaaa" - 27 of 390364 [child 10]

下面是notice.log的摘录，Syslog::Password_Guessing试图绕过我当前的问题。 Syslog::Password_Guessing包含直接从/usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro复制的代码，并且仅记录是否在syslog.log中多次注意到AUTH_PRIV。但是，尽管可以使用，但它没有使用正确的orig_h IP。它使用本地IP而不是我的IP，如默认SSH::Password_Guessing所示。

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude

1533049771.315720    -    -    -    -    -    -    -    -    -    Syslog::Password_Guessing    172.xx.x.34 appears to be guessing SSH passwords (seen in 6 connections).    Syslog Sampled servers:  128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx, 128.xxx.xxx.xx   172.xx.x.34    -    -    -    worker-4-13    Notice::ACTION_LOG    3600.000000    F    -    -    -    -    -
1533050443.932235    -    -    -    -    -    -    -    -    -    SSH::Password_Guessing    10.xxx.xx.81 appears to be guessing SSH passwords (seen in 6 connections).    Sampled servers:  172.xx.x.34, 172.xx.x.34, 172.xx.x.34, 172.xx.x.33, 172.xx.x.33    10.xxx.xx.81    --    -    worker-0-1    Notice::ACTION_LOG    3600.000000    F    -    -    -    -    -

当前，除非用户收到SSH::Password_Guessing的PAM错误，否则默认的user unknown不起作用。

  

/var/logs/secure from brotest-01 while using sharp67

Jul 31 11:20:38 brotest-01 sshd[40996]: Failed password for sharp67 from 10.186.13.81 port 39590 ssh2
Jul 31 11:20:38 brotest-01 sshd[40996]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39590 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40996]: Disconnecting: Too many authentication failures [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Failed password for sharp67 from 10.xxx.xx.81 port 39602 ssh2
Jul 31 11:20:38 brotest-01 sshd[40997]: error: maximum authentication attempts exceeded for sharp67 from 10.xxx.xx.81 port 39602 ssh2 [preauth]
Jul 31 11:20:38 brotest-01 sshd[40997]: Disconnecting: Too many authentication failures [preauth] 

  

这是/var/log/secure on brotest-01 for aaron1

Jul 31 11:21:06 brotest-01 sshd[41008]: pam_unix(sshd:auth): check pass; user unknown
Jul 31 11:21:08 brotest-01 sshd[41007]: Failed password for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2
Jul 31 11:21:08 brotest-01 sshd[41007]: error: maximum authentication attempts exceeded for invalid user aaron1 from 10.xxx.xx.81 port 39664 ssh2 [preauth]
Jul 31 11:21:08 brotest-01 sshd[41007]: Disconnecting: Too many authentication failures [preauth]

在ssh.log中，如果用户不存在于PAM中，则auth_success字段几乎立即从-变为F，而如果用户存在，则{ {1}}字段将以auth_success的形式保留更长时间，我相信这就是为什么它无法生成-的原因。

我真不知道为什么会这样。 PAM有问题吗？ PAM是否会丢弃连接，从而不允许Bro将其记录为SSH失败尝试？我是否需要停止PAM断开连接，还是应该找到一种使用SSH连接的IP而不是生成系统日志的IP的方法？谢谢您的任何帮助或投入。

[EDIT]：以下是我对`/usr/local/bro/share/bro/base/protocols/syslog/main.bro

所做的更改

SSH::Password_Guessing