
#1 2017-11-22 20:04:23

whitehorsesoft
Member
Registered: 2017-09-20
Posts: 19

Logging SSH attempts with nftables

Question

What is the best way to set up logging SSH attempts with SSH public-key authentication and nftables? Also, what is the best way to test this?

I'd like to do this without installing a package that 'just takes care of it' because this is a learning exercise for me.

Description

I've set up a fairly blank new system to test and learn networking concepts on. nftables is up and running, and I'm able to log into this system with SSH public key auth. The test system is also using sshd.socket, for what it's worth.

However, I've noticed that one of the nftables rules doesn't seem to be logging as expected:

log prefix "REJECTED" reject with icmpx type port-unreachable

This rule is at the bottom of the input chain in my nftables.conf, so all rejected input traffic should hit this (I think).

Perhaps I'm testing this wrongly, but when I run journalctl -k | grep "REJECTED" I don't see any entries after attempting to log in through a different machine.

Also, I'll note I can see successful SSH logins with this nftables rule (placed above the reject rule above):

tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept

Running journalctl -k | grep "SSH" shows these connections as expected.

Forgive me for the newbie question - I am attempting to learn. Two resources I've already looked at (besides the links above) are:
https://home.regit.org/netfilter-en/nft … ick-howto/
https://wiki.archlinux.org/index.php/Iptables#Logging


#2 2017-11-24 03:34:32

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: Logging SSH attempts with nftables

Please post the output of

iptables-save

CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2017-11-24 13:20:36

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Logging SSH attempts with nftables

cfr wrote:

Please post the output of

iptables-save

How is this going to help when the OP isn't using iptables?


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#4 2017-11-24 14:24:40

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Logging SSH attempts with nftables

I think nftables won't ever see when ssh rejects a connection. SSH accepts the tcp connection in order to receive and verify the key and then closes it if the key is invalid. For nftables that should look like a normal connection.

If I understand the given nft rule correctly, then it does the following:

# log prefix "REJECTED" reject with icmpx type port-unreachable
-> match all packets that haven't been allowed when reaching this rule
-> write to log with the prefix "REJECTED"
-> reject the packet and send an ICMP port-unreachable notification to the sender of the packet
# tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept
-> Allow two connection attempts per ip on the ssh port per minute
-> write that to the log
Edit: or maybe it means accept connections on the ssh port and only log 2 attempts per ip per minute?

Last edited by progandy (2017-11-24 14:42:22)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
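Taking the rule-by-rule reading above one step further, here is an added example (not code from the thread or from the nftables project) of the ruleset the question describes, written the way a practitioner would deploy it. Two caveats drive the changes: `limit rate 2/minute` on its own is a single token bucket for the whole rule, not a per-address limit, and it is charged for every packet that reaches the rule, so established traffic has to be accepted earlier; and `log prefix` is copied into the kernel message verbatim, so a prefix needs a trailing space or it runs straight into `IN=`. The table name `inet filter`, the set name `ssh_new` and the function names are the example's own; loading it needs root and an nft that supports dynamic sets.

```shell
#!/bin/sh
# Added example, not code from the thread: an nftables ruleset that logs new
# SSH connections per source address and logs everything it rejects.
# "inet filter" and "ssh_new" are names chosen for this example.

ssh_logging_ruleset() {
  cat <<'EOF'
flush ruleset
table inet filter {
    # One rate-limit bucket per IPv4 source; entries expire after a minute.
    # (Only IPv4 clients are limited: "ip saddr" does not match IPv6 packets.)
    set ssh_new {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Accept packets of connections that were already allowed through.
        # Because this comes first, the SSH rules below only ever see the
        # first packet of a new connection, so the limit counts connections
        # rather than every packet of an established session.
        ct state established,related accept
        ct state invalid drop

        # Third and later new SSH connections from one source within a
        # minute are logged and dropped; "rate over" matches when the
        # per-source limit is exceeded.
        tcp dport ssh ct state new add @ssh_new { ip saddr limit rate over 2/minute } log prefix "SSH ratelimited " counter drop

        # New SSH connections within the limit: log and accept.
        # nft copies the prefix verbatim into the kernel message, so the
        # trailing space matters; without it the journal shows "SSH connectionIN=eth0".
        tcp dport ssh ct state new log prefix "SSH connection " counter accept

        # Catch-all for everything not accepted above: log, then reject.
        log prefix "REJECTED " counter reject with icmpx type port-unreachable
    }
}
EOF
}

# Load the ruleset (needs root and nft).
apply_ruleset() { ssh_logging_ruleset | nft -f -; }

# Parse and check the ruleset without committing it (nft -c).
check_ruleset() { ssh_logging_ruleset | nft -c -f -; }

# Per-rule hit counters: a second way to test besides the kernel journal.
show_counters() { nft list chain inet filter input; }

# Run from ANOTHER machine: three TCP connects to port 22 within a minute.
# The first two should log "SSH connection ", the third "SSH ratelimited ".
probe() {
  for _ in 1 2 3; do nc -z -w 2 "$1" 22; done
}

case "${1:-print}" in
  apply) apply_ruleset ;;
  check) check_ruleset ;;
  show)  show_counters ;;
  probe) probe "$2" ;;
  print) ssh_logging_ruleset ;;
esac
```

Besides `journalctl -k`, the `counter` on each rule gives a second way to test: run `nft list chain inet filter input` before and after the probe and compare the packet counts. What no firewall rule can log is the public-key failure itself; as progandy says, that happens inside a TCP connection the firewall has already accepted, and it shows up in sshd's own journal entries (`journalctl -t sshd`), not in the kernel log.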


#5 2017-11-24 17:14:38

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: Logging SSH attempts with nftables

slithery wrote:
cfr wrote:

Please post the output of

iptables-save

How is this going to help when the OP isn't using iptables?

Sorry. I thought nftables was a wrapper for iptables, but it seems that the wiki table matching nftables families to iptables utilities cannot mean this at all. Thanks for pointing this out.



#6 2017-11-24 20:15:49

whitehorsesoft
Member
Registered: 2017-09-20
Posts: 19

Re: Logging SSH attempts with nftables

progandy wrote:

I think nftables won't ever see when ssh rejects a connection. SSH accepts the tcp connection in order to receive and verify the key and then closes it if the key is invalid. For nftables that should look like a normal connection.

If I understand the given nft rule correctly, then it does the following:

# log prefix "REJECTED" reject with icmpx type port-unreachable
-> match all packets that haven't been allowed when reaching this rule
-> write to log with the prefix "REJECTED"
-> reject the packet and send an ICMP port-unreachable notification to the sender of the packet
# tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept
-> Allow two connection attempts per ip on the ssh port per minute
-> write that to the log
Edit: or maybe it means accept connections on the ssh port and only log 2 attempts per ip per minute?

I can confirm that SSH rejects are logged out, at least when I exceed the 2 connection attempts.
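For the testing half of the question (how to check that the rules log what they should), here is an added example that is not from the thread: a small parser for the lines nft's `log` statement writes to the kernel log, summarised per prefix and source address, so a test run from another machine can be checked from the journal rather than by eyeballing grep output. The five log lines embedded in `sample_log` are constructed for the example (the first in `journalctl -k` form, the rest in `journalctl -k -o cat` form); three of them show what a prefix written without a trailing space looks like. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what nft "log prefix"
# rules write to the kernel log, per prefix, source address and destination
# port. Function names are the example's own.

# Constructed sample, not captured from a real host. Line 1 is what
# `journalctl -k` prints, lines 2-5 what `journalctl -k -o cat` prints.
# Lines 3-5 come from a rule written as `log prefix "REJECTED"` with no
# trailing space, which is why the prefix is glued to IN=.
sample_log() {
  cat <<'EOF'
Nov 24 20:10:01 testbox kernel: SSH connection IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43210 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
SSH connection IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43211 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
REJECTEDIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43212 DF PROTO=TCP SPT=51238 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
REJECTEDIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=9901 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
REJECTEDIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=9902 PROTO=UDP SPT=5353 DPT=5353 LEN=52
EOF
}

# Read netfilter log lines on stdin; print "count|prefix|src|proto/dport",
# one line per distinct combination.
nf_summary() {
  awk '
    {
      line = $0
      # Strip the journalctl header, if any (everything up to "kernel: ").
      p = index(line, "kernel: ")
      if (p > 0) line = substr(line, p + 8)
      q = index(line, "IN=")
      if (q == 0) next
      # The log prefix is whatever precedes the IN= field. nft copies it
      # verbatim, so a prefix without a trailing space is glued to IN=;
      # taking the text before IN= recovers it either way.
      prefix = substr(line, 1, q - 1)
      sub(/[ \t]+$/, "", prefix)
      src = ""; proto = ""; dpt = ""
      n = split(substr(line, q), f, " ")
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^SRC=/)   src   = substr(f[i], 5)
        if (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
        if (f[i] ~ /^DPT=/)   dpt   = substr(f[i], 5)
      }
      count[prefix "|" src "|" proto "/" dpt]++
    }
    END { for (k in count) print count[k] "|" k }
  ' | sort -t '|' -k2,2 -k3,3 -k1,1nr
}

# Print source addresses with at least $2 logged lines carrying prefix $1,
# e.g. nf_sources_over 'SSH connection' 3 to find hosts that keep retrying.
nf_sources_over() {
  nf_summary | awk -F '|' -v want="$1" -v min="$2" '
    $2 == want { hits[$3] += $1 }
    END { for (s in hits) if (hits[s] >= min + 0) print s }
  ' | sort
}

# Usage on a real host:  journalctl -k -o cat | nf_summary
# With the argument "demo", run on the embedded sample instead.
if [ "${1:-}" = demo ]; then
  sample_log | nf_summary
  echo "--- sources with 2 or more 'SSH connection' lines:"
  sample_log | nf_sources_over 'SSH connection' 2
fi
```

Run against the real journal, `nf_summary` makes the thread's test concrete: after a few connection attempts from a second machine, the "SSH connection" count for that machine's address should equal the number of attempts the limit admitted, and any attempts beyond it appear under the reject rule's prefix instead.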

