ssh event dont block


Allan Patrick

Jul 25, 2023, 5:22:48 AM
to Wazuh mailing list
Hello. Is it possible to get the IP and block it?
client:
/var/log/auth.log
Jul 25 05:41:54 fw sshd[30550]: Corrupted MAC on input. [preauth]

client:
/var/log/auth.log
Jul 25 05:51:15 fw sshd[30707]: Unable to negotiate with 218.92.10.3
port 43690: no matching MAC found. Their offer:
hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160,hmac-ri...@openssh.com
[preauth]

Wazuh dashboard event:
ruleid: 5748
full_log
Jul 25 05:41:54 fw sshd[30550]: Corrupted MAC on input. [preauth]

The 05:51 event doesn't register.

Thanks.

John Ebuka Onyejegbu

Jul 25, 2023, 6:40:19 AM
to Wazuh mailing list
Hi Allan,
I think this is an incomplete SSH authentication caused by a cipher mismatch.
We can get the details by using a custom decoder.

Original Decoder below.
  <rule id="5748" level="6">
    <if_sid>5700</if_sid>
    <match>Corrupted MAC on input.</match>
    <description>sshd: corrupted MAC on input</description>
    <group>pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Custom decoder below.

  <rule id="5748" level="6">
    <if_sid>5700</if_sid>
    <same_user />
    <same_srcip />
    <description> sshd: corrupted MAC on input: IP:$(srcip) failed to connect with user: $(dstuser).</description>
    <group>pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Allan Patrick

Jul 25, 2023, 7:57:58 AM
to John Ebuka Onyejegbu, Wazuh mailing list

Thanks. Wazuh is not running after

systemctl restart wazuh-manager

I adjusted /var/ossec/ruleset/rules/0095-sshd_rules.xml

  <rule id="5748" level="6">
    <if_sid>5700</if_sid>
    <same_user />
    <same_srcip />
    <description> sshd: corrupted MAC on input: IP:$(srcip) failed to connect with user: $(dstuser).</description>
    <group>pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Returned error:

Jul 25 08:52:46 siem env[10190]: 2023/07/25 08:52:46 wazuh-analysisd: ERROR: Invalid use of frequency/context options. Missing if_matched on rule '5748'.
Jul 25 08:52:46 siem env[10190]: 2023/07/25 08:52:46 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/0095-sshd_rules.xml'.
Jul 25 08:52:46 siem env[10163]: wazuh-analysisd: Configuration error. Exiting
Jul 25 08:52:46 siem systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Jul 25 08:52:46 siem systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.


John Ebuka Onyejegbu

Jul 31, 2023, 8:22:38 AM
to Wazuh mailing list
Hi Allen, sorry for the late reply.
Still facing the issue?

Allan Patrick

Jul 31, 2023, 11:33:02 AM
to Wazuh mailing list, John Ebuka Onyejegbu

Hi, don't worry about the delay.

Event does not match, example:
In the client:

/var/log/auth.log

Jul 31 06:42:47 fw sshd[24423]: Unable to negotiate with 218.92.0.4 port 15586: no matching MAC found. Their offer: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160,hmac-ri...@openssh.com [preauth]
Jul 31 10:12:44 fw sshd[28412]: Unable to negotiate with 218.92.0.4 port 18938: no matching MAC found. Their offer: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160,hmac-ri...@openssh.com [preauth]

The SIEM dashboard does not generate an alert or block.

The rule follows:

  <rule id="5748" level="6">
    <if_matched_sid>5700</if_matched_sid>
    <same_user />
    <same_srcip />
    <description> sshd: corrupted MAC on input: IP:$(srcip) failed to connect with user: $(dstuser).</description>
    <group>pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


John Ebuka Onyejegbu

Jul 31, 2023, 12:49:57 PM
to Wazuh mailing list
Hello Allen,
What about successful authentications? Are you able to get the IP address of the user?
For unsuccessful authentications, the same rule as a brute-force attempt detection rule is used.

The brute-force attempt detection rule below works for failed login attempts as well.

  <rule id="150020" level="12" frequency="3" timeframe="3600">
    <if_matched_sid>5716</if_matched_sid>
    <same_user />
    <same_srcip />
    <description>SSH failed detection: IP:$(srcip) failed 3 times in less than 1h to connect with user: $(dstuser).</description>
  </rule>

You can change the frequency to tally with the number of failed login attempts you wish to flag.
The cause of the failed login attempt may differ; in your case it is caused by a cipher suite mismatch.
You can further confirm whether the sshd logs captured that preauth activity; if they did, then Wazuh can extract the information.

Regards.
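Worked example, added here as an editor's illustration and not taken from the thread or from Wazuh's shipped ruleset. It ties together the two problems visible above: the "Corrupted MAC on input. [preauth]" line carries no address at all, so no decoder can fill $(srcip) from it, whereas the "Unable to negotiate with 218.92.0.4 port 15586: no matching MAC found" line does carry the IP; and a rule that uses <same_srcip /> or <same_user /> is a correlation rule, which Wazuh only accepts with <if_matched_sid> (or <if_matched_group>) plus frequency and timeframe, which is why the edited 5748 was rejected with "Missing if_matched on rule". The example therefore decodes the negotiation-failure line, alerts on it, correlates repeats per source IP, and wires the correlated alert to the stock firewall-drop active response. Everything is placed in the local override files rather than in ruleset/rules/0095-sshd_rules.xml, which the manager replaces on upgrade. The decoder name, the rule IDs 100100 and 100101 (chosen from the custom range, 100000 and up), the level values and the 600 s block timeout are my choices; the example also assumes the stock sshd decoders on your version do not already extract srcip from this line and that the default firewall-drop command definition is present in the manager's ossec.conf.

```xml
<!-- Added example (not from the thread). Three fragments, one per file on the manager. -->

<!-- File 1: /var/ossec/etc/decoders/local_decoder.xml
     Child of the stock "sshd" decoder (program_name ^sshd). It extracts
     srcip and srcport from the line that actually contains them:
       Unable to negotiate with 218.92.0.4 port 15586: no matching MAC found. ...
     Assumption: the stock decoders do not already do this; confirm with wazuh-logtest. -->
<decoder name="sshd-negotiate-failed">
  <parent>sshd</parent>
  <prematch>^Unable to negotiate with </prematch>
  <regex offset="after_prematch">^(\S+) port (\d+): no matching </regex>
  <order>srcip, srcport</order>
</decoder>

<!-- File 2: /var/ossec/etc/rules/local_rules.xml
     Rule IDs 100100/100101 are arbitrary picks from the custom range (100000+). -->
<group name="local,sshd,">

  <!-- Atomic rule: one negotiation failure. Plain <if_sid> child of 5700 (sshd),
       no same_* options here, so it loads without frequency/timeframe.
       $(srcip) is available because the decoder above filled it. -->
  <rule id="100100" level="5">
    <if_sid>5700</if_sid>
    <match>Unable to negotiate with</match>
    <description>sshd: algorithm negotiation failed with $(srcip) (preauth)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: same source IP, 3 hits within 3600 s.
       same_srcip is only legal together with if_matched_sid + frequency + timeframe;
       on a rule that has only <if_sid> the manager refuses to start
       ("Invalid use of frequency/context options. Missing if_matched on rule"). -->
  <rule id="100101" level="10" frequency="3" timeframe="3600">
    <if_matched_sid>100100</if_matched_sid>
    <same_srcip />
    <description>sshd: repeated negotiation failures from $(srcip) (3 in 1h)</description>
    <group>authentication_failures,</group>
  </rule>

</group>

<!-- File 3: /var/ossec/etc/ossec.conf on the manager.
     Blocks the source IP on the agent that produced the alert ("local")
     for 600 s whenever the correlation rule fires.
     Assumption: the default <command> named firewall-drop is already defined. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before restarting the manager, paste one of the "Unable to negotiate" lines from the thread into /var/ossec/bin/wazuh-logtest and check two things: that the decoded output shows srcip and srcport, and which rule fires. If a stock rule already claims the line on your version, point <if_matched_sid> at that rule's ID instead of adding 100100. Only then run `systemctl restart wazuh-manager`; a rule file that fails to load leaves the manager down, exactly as in the error shown earlier in the thread. Note that this does nothing for the "Corrupted MAC on input." event itself, since that line names no peer.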