I have a fairly minimal setup server, and it doesn't allow password authentication, only using keys. And it definitely doesn't have Java installed. Normally I don't pay any attention to the thousands of attempts a day of script kiddies to guess my passwords - I figure the time they waste on my system is time they're not wasting on systems that do allow password authentication. But I am seeing this message in /var/log/auth.log:

Dec 7 13:43:43 hostname sshd[7412]: Received disconnect from 189.203.240.57: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]

Is that mention of what looks like a Java exception coming from the attacker, or is that from something on my side?

1 Answer

It looks like openssh server passes through the last message from the client in its "Received disconnect" error message, so it appears that this is a zombie login attempt from a botnet that is authored in Java.

See this code example from openssh's packet.c:

```c
case SSH2_MSG_DISCONNECT:
    if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
        (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
        return r;
    /* Ignore normal client exit notifications */
    do_log2(ssh->state->server_side &&
        reason == SSH2_DISCONNECT_BY_APPLICATION ?
        SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
        "Received disconnect from %s: %u: %.400s",
        ssh_remote_ipaddr(ssh), reason, msg);
    free(msg);
    return SSH_ERR_DISCONNECTED;
```
  • "The server passes through a client string" - is this a "safe" thing to do? Or could this be a problem from a [security standpoint](https://en.wikipedia.org/wiki/Data_validation#Validation_and_security)? – ckujau Sep 14 '16 at 06:18
  • If you believe the code in packet.c is vulnerable to some sort of exploit, you might consider reporting that to the openssh maintainers. In general though, I don't think that passing a string through to the logs in this manner presents a security problem. – Alex Nauda Sep 14 '16 at 18:47
  • 1
    I considered that, but I wanted to ask here first, maybe it was obvious from the code snippet that it's indeed "safe". But yeah, I asked about this on [openssh-unix-dev](https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035373.html "com.jcraft.jsch.JSchException: Auth fail") and the OpenSSH maintainer thinks it's not a problem. – ckujau Sep 14 '16 at 22:12
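The answer above makes two points a defender can act on: the text after the reason code in a "Received disconnect" line is supplied verbatim by the remote client (so it is untrusted input, and in the question's case it happens to identify the JSch Java library), and the numeric reason code is the standard SSH disconnect code from RFC 4253, which sshd logs at INFO level for code 11 and at ERROR level for everything else. The following parser is an added example, not code from the question, the answer or OpenSSH. It splits such auth.log lines into their fields, names the reason code, treats the client message as an opaque string that it only matches against known prefixes, and tallies pre-auth disconnects per source address. It accepts both the `from IP: reason: msg` layout shown in the question and the later `from IP port N:reason: msg` layout; the log lines other than the one quoted in the question are constructed sample data, and the "OpenSSH client" prefix is the well-known "disconnected by user" string a normal OpenSSH client exit produces.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# SSH_DISCONNECT reason codes, RFC 4253 section 11.1. The question's line
# carries code 3; the packet.c snippet logs code 11 at INFO, all others at ERROR.
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT",
    2: "PROTOCOL_ERROR",
    3: "KEY_EXCHANGE_FAILED",
    4: "RESERVED",
    5: "MAC_ERROR",
    6: "COMPRESSION_ERROR",
    7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED",
    9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST",
    11: "DISCONNECT_BY_APPLICATION",
    12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER",
    14: "NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "ILLEGAL_USER_NAME",
}

# Prefixes of client-supplied disconnect messages and the implementation they
# identify. Only prefix matching is done: the message is attacker-controlled and
# is never interpreted beyond this lookup.
KNOWN_CLIENT_MESSAGES = [
    ("com.jcraft.jsch.", "JSch (Java SSH library)"),   # attested by the question
    ("disconnected by user", "OpenSSH client"),         # normal OpenSSH client exit
]

# Handles both "from IP: 3: msg" (question) and "from IP port N:11: msg" (later
# releases). The lazy msg group stops before an optional trailing " [preauth]".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Received disconnect from (?P<ip>[0-9A-Fa-f.:]+)"
    r"(?: port (?P<port>\d+))?:\s?(?P<reason>\d+): "
    r"(?P<msg>.*?)(?P<preauth> \[preauth\])?$"
)


@dataclass
class DisconnectEvent:
    timestamp: str
    host: str
    pid: int
    ip: str
    port: Optional[int]
    reason_code: int
    reason_name: str
    client_message: str          # untrusted: sent verbatim by the remote client
    preauth: bool                # disconnect happened before authentication completed
    client_guess: Optional[str]  # implementation inferred from the message prefix


def guess_client(message: str) -> Optional[str]:
    """Map a client-supplied disconnect message to a known implementation, if any."""
    for prefix, name in KNOWN_CLIENT_MESSAGES:
        if message.startswith(prefix):
            return name
    return None


def parse_disconnect(line: str) -> Optional[DisconnectEvent]:
    """Parse one sshd 'Received disconnect' line; return None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    reason = int(m.group("reason"))
    message = m.group("msg")
    return DisconnectEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        pid=int(m.group("pid")),
        ip=m.group("ip"),
        port=int(m.group("port")) if m.group("port") else None,
        reason_code=reason,
        reason_name=DISCONNECT_REASONS.get(reason, "UNKNOWN"),
        client_message=message,
        preauth=m.group("preauth") is not None,
        client_guess=guess_client(message),
    )


def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count pre-auth disconnects per source IP and per guessed client implementation."""
    per_ip: Counter = Counter()
    per_client: Counter = Counter()
    for line in lines:
        ev = parse_disconnect(line)
        if ev is None or not ev.preauth:
            continue  # unrelated line, or a normal post-auth session ending
        per_ip[ev.ip] += 1
        per_client[ev.client_guess or "unknown"] += 1
    return per_ip, per_client


# Constructed sample log: the first line is the one quoted in the question,
# the rest use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Dec 7 13:43:43 hostname sshd[7412]: Received disconnect from 189.203.240.57: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 7 13:44:01 hostname sshd[7415]: Received disconnect from 189.203.240.57: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 7 13:45:12 hostname sshd[7420]: Received disconnect from 203.0.113.9: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Dec 7 14:02:55 hostname sshd[7501]: Received disconnect from 198.51.100.20 port 51022:11: disconnected by user
Dec 7 14:05:00 hostname sshd[7510]: Accepted publickey for admin from 198.51.100.20 port 51040 ssh2
"""

if __name__ == "__main__":
    per_ip, per_client = summarize(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} pre-auth disconnects")
    for client, n in per_client.most_common():
        print(f"{client:28} {n}")
```

The `client_message` field is kept as an opaque string and only ever compared against fixed prefixes; anything the parser reports about the client is therefore a guess that an attacker can trivially change, which is also why the per-IP count, not the client label, is the field worth alerting on.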