Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback (#16278)

* Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback

Following the merging of https://github.com/gliderlabs/ssh/pull/143 we
can now report connections to the ssh server that fail before the
handshake / public key exchange has completed, using the same
"Failed authentication attempt from ..." message that existing fail2ban
configurations already match.

This PR updates Gliderlabs SSH and adds a callback that will provide this
logging.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* move the callback to its own function to make the logging appear little nicer

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-06-28 18:05:27 +01:00 committed by GitHub
parent 5c80ecc2f7
commit f825f20d49
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 368 additions and 31 deletions


@ -12,6 +12,7 @@ import (
"encoding/pem"
"fmt"
"io"
"net"
"os"
"os/exec"
"path/filepath"
@ -239,6 +240,15 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
return true
}
// sshConnectionFailed logs a failed connection
// - this mainly exists to give a nice function name in logging
func sshConnectionFailed(conn net.Conn, err error) {
// Log the underlying error with a specific message
log.Warn("Failed connection from %s with error: %v", conn.RemoteAddr(), err)
// Log with the standard failed authentication from message for simpler fail2ban configuration
log.Warn("Failed authentication attempt from %s", conn.RemoteAddr())
}
// Listen starts a SSH server listens on given port.
func Listen(host string, port int, ciphers []string, keyExchanges []string, macs []string) {
srv := ssh.Server{
@ -252,6 +262,7 @@ func Listen(host string, port int, ciphers []string, keyExchanges []string, macs
config.Ciphers = ciphers
return config
},
ConnectionFailedCallback: sshConnectionFailed,
// We need to explicitly disable the PtyCallback so text displays
// properly.
PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {
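Review bot: The first `log.Warn` in `sshConnectionFailed` (second hunk) formats the handshake error with `%v`, and a pre-auth handshake error can carry client-supplied text (for example the algorithm names a client offers in its KEXINIT are echoed back in "no common algorithm" errors); if the logger does not escape control characters, a client could embed a newline followed by `Failed authentication attempt from <victim-ip>` and have fail2ban ban an address of its choosing, which matters because the second line is deliberately the pattern fail2ban keys on. Whether the logger escapes newlines is not visible here, so the cheap defence is to quote the error when it is written: `log.Warn("Failed connection from %s with error: %q", conn.RemoteAddr(), err)`. It would also be worth a comment on the function noting that the two-line form is intentional (a detailed line for operators, a stable line for fail2ban) so nobody later "deduplicates" it. The `ssh.Server` literal in `Listen` (third hunk) continues past the end of the hunk.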