What is the best way to set up logging SSH attempts with SSH public-key authentication and nftables? Also, what is the best way to test this?
I'd like to do this without installing a package that 'just takes care of it' because this is a learning exercise for me.
I've set up a fairly blank new system to test and learn networking concepts on. nftables is up and running, and I'm able to log into this system with SSH public key auth. The test system is also using sshd.socket, for what it's worth.
However, I've noticed that one of the nftable rules doesn't seem to be logging out as expected:
log prefix "REJECTED" reject with icmpx type port-unreachable
This rule is at the bottom of the input chain in my nftables.conf, so all rejected input traffic should hit this (I think).
Perhaps I'm testing this wrongly, but when I run journalctl -k | grep "REJECTED" I don't see any entries after attempting to log in through a different machine.
Also, I'll note I can see successful SSH logins with this nftable rule (placed above the reject rule above):
tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept
Running journalctl -k | grep "SSH" shows these connections as expected.
Forgive me for the newbie question - I am attempting to learn. Two resources I've already looked at (besides the links above) are:
https://home.regit.org/netfilter-en/nft … ick-howto/
https://wiki.archlinux.org/index.php/Iptables#Logging
Please post the output of
iptables-save
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Please post the output of
iptables-save
How is this going to help when the OP isn't using iptables?
I think nftables won't ever see when ssh rejects a connection. SSH accepts the tcp connection in order to receive and verify the key and then closes it if the key is invalid. For nftables that should look like a normal connection.
If I understand the given nft rule correctly, then it does the following:
# log prefix "REJECTED" reject with icmpx type port-unreachable
-> match all packages that haven't been allowed when reaching this rule
-> write to log with the prefix "REJECTED"
-> reject the package and send an ICMP port-unreachable notification to the sender of the package
# tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept
-> Allow two connection attempts per ip on the ssh port per minute
-> write that to the log
Edit: or maybe it means accept connections on the ssh port and only log 2 attempts per ip per minute ?
Last edited by progandy (2017-11-24 14:42:22)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
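Putting the original question and the point just made together: the firewall log and sshd's own log describe different stages of one connection, so testing "SSH attempt logging" means reading both. The script below is an added example, not code from this thread or from nftables/OpenSSH. Its sample journal lines are constructed, shaped like what `journalctl -k` shows for nft `log` rules and what OpenSSH logs for a successful publickey login and for a client whose key was refused (at the default LogLevel only the "[preauth]" close is logged; the "Failed publickey ... SHA256:..." line needs LogLevel VERBOSE). It also flags a detail visible in the two rules quoted above: nft prints the prefix immediately before "IN=", so `log prefix "REJECTED"` shows up as "REJECTEDIN=eth0".

```python
import re
from collections import Counter

# Constructed sample journal output (not taken from the thread). Kernel lines follow the
# shape of nft log output; sshd lines follow OpenSSH's message shapes. Addresses are from
# documentation ranges, the fingerprint is a placeholder.
SAMPLE_JOURNAL = """\
Nov 24 14:40:01 testbox kernel: SSH connectionIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:40:01 testbox sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINTPLACEHOLDER0000000000
Nov 24 14:40:20 testbox kernel: SSH connectionIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:40:21 testbox sshd[1210]: Connection closed by authenticating user bob 192.0.2.20 port 40001 [preauth]
Nov 24 14:40:30 testbox kernel: REJECTEDIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 24 14:40:35 testbox kernel: REJECTEDIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=33333 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# nft log line: "<prefix>IN=<iface> OUT=... SRC=... ... PROTO=TCP SPT=... DPT=..."
KERNEL_RE = re.compile(
    r" kernel: (?P<prefix>.*?)IN=\S* .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)
SSHD_ACCEPTED_RE = re.compile(
    r" sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
SSHD_FAILED_RE = re.compile(
    r" sshd\[\d+\]: (?:Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
    r"|Connection closed by authenticating user (?P<user2>\S+) (?P<src2>\S+) port \d+ \[preauth\])"
)


def classify(journal_text, ssh_port=22):
    """Turn raw journal lines into (stage, source address) events for SSH traffic.

    Stages, in the order a connection passes through them:
      firewall_rejected  - nft's final log+reject rule fired; sshd never saw it
      firewall_accepted  - nft's rate-limited accept rule logged the packet
      sshd_accepted      - sshd completed publickey authentication
      sshd_auth_failed   - sshd accepted the TCP connection but refused the key;
                           this is invisible to nftables, only sshd's log has it
    """
    events = []
    for line in journal_text.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            if m.group("proto") != "TCP" or int(m.group("dpt")) != ssh_port:
                continue  # some other rejected/accepted service; not part of this view
            prefix = m.group("prefix").strip()
            stage = "firewall_rejected" if prefix.startswith("REJECTED") else "firewall_accepted"
            events.append((stage, m.group("src")))
            continue
        m = SSHD_ACCEPTED_RE.search(line)
        if m:
            events.append(("sshd_accepted", m.group("src")))
            continue
        m = SSHD_FAILED_RE.search(line)
        if m:
            events.append(("sshd_auth_failed", m.group("src") or m.group("src2")))
    return events


def summarize(events):
    """Count events per (stage, source address)."""
    return Counter(events)


def check_log_prefix(rule):
    """Return a warning when an nft log prefix will be glued to the "IN=" field.

    nft writes the prefix verbatim and then "IN=...", so `log prefix "REJECTED"` appears
    in `journalctl -k` as "REJECTEDIN=eth0". A trailing space (or ": ") keeps the field
    separable; a grep for the word still matches either way.
    """
    m = re.search(r'log prefix "([^"]*)"', rule)
    if not m or m.group(1).endswith(" "):
        return None
    prefix = m.group(1)
    return f'prefix "{prefix}" will appear as "{prefix}IN=..." in the kernel log; consider "{prefix}: "'


if __name__ == "__main__":
    for (stage, src), count in sorted(summarize(classify(SAMPLE_JOURNAL)).items()):
        print(f"{src:16} {stage:18} {count}")
    for rule in ('log prefix "REJECTED" reject with icmpx type port-unreachable',
                 'tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept'):
        print(check_log_prefix(rule))
```

On a real system the input would be `journalctl -k` for the kernel half and, because sshd.socket spawns a separate sshd instance per connection, `journalctl -t sshd` (filtering by syslog identifier) rather than `-u sshd` for the sshd half. In the constructed sample, 192.0.2.20 shows up once as a firewall-accepted connection whose key sshd refused and once as a firewall-rejected packet, which is the split the thread is circling: the first event only exists in sshd's log, the second only in the kernel log.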
cfr wrote: Please post the output of
iptables-save
How is this going to help when the OP isn't using iptables?
Sorry. I thought nftables was a wrapper for iptables, but it seems that the wiki table matching nftables families to iptables utilities cannot mean this at all. Thanks for pointing this out.
I think nftables won't ever see when ssh rejects a connection. SSH accepts the tcp connection in order to receive and verify the key and then closes it if the key is invalid. For nftables that should look like a normal connection.
If I understand the given nft rule correctly, then it does the following:
# log prefix "REJECTED" reject with icmpx type port-unreachable
-> match all packages that haven't been allowed when reaching this rule
-> write to log with the prefix "REJECTED"
-> reject the package and send an ICMP port-unreachable notification to the sender of the package
# tcp dport ssh limit rate 2/minute log prefix "SSH connection" accept
-> Allow two connection attempts per ip on the ssh port per minute
-> write that to the log
Edit: or maybe it means accept connections on the ssh port and only log 2 attempts per ip per minute ?
I can confirm that SSH rejects are logged out, at least when I exceed the 2 connection attempts.