1onsuccess: next_stage
2#debug: true
3filter: "evt.Parsed.program in ['sshd-session', 'sshd']"
4name: crowdsecurity/sshd-logs
5description: "Parse openSSH logs"
6pattern_syntax:
7  # The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2
8  # https://github.com/crowdsecurity/crowdsec/issues/938
9  IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
10  IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
11  SSHD_AUTH_FAIL: 'pam_%{DATA:pam_type}\(sshd:auth\): authentication failure; logname= uid=%{NUMBER:uid}? euid=%{NUMBER:euid}? tty=ssh ruser= rhost=%{IP_WORKAROUND:sshd_client_ip}( %{SPACE}user=%{USERNAME:sshd_invalid_user})?'
12  SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+'
13  SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
14  SSHD_INVALID_USER_ALT: 'Failed keyboard-interactive/pam for invalid user %{USERNAME:sshd_invalid_user} from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
15  SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format'
16  SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by( (authenticating|invalid) user %{USERNAME:sshd_invalid_user})? %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
17  #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
18  SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
19  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
20  # in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
21  SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers'
22  SSHD_AUTH_TIMEOUT: 'Timeout before authentication for %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
23  SSHD_DISPATCH_FATAL: 'ssh_dispatch_run_fatal: Connection from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?: message authentication code incorrect \[preauth\]'
24  SSHD_REFUSED_CONN: 'refused connect from.*\((::ffff:)?%{IP_WORKAROUND:sshd_client_ip}\)'
25nodes:
26  - grok:
27      name: "SSHD_FAIL"
28      apply_on: message
29      statics:
30        - meta: log_type
31          value: ssh_failed-auth
32        - meta: target_user
33          expression: "evt.Parsed.sshd_invalid_user"
34  - grok:
35      name: "SSHD_PREAUTH_AUTHENTICATING_USER_ALT"
36      apply_on: message
37      statics:
38        - meta: log_type
39          value: ssh_failed-auth
40        - meta: target_user
41          expression: "evt.Parsed.sshd_invalid_user"
42  - grok:
43      name: "SSHD_PREAUTH_AUTHENTICATING_USER"
44      apply_on: message
45      statics:
46        - meta: log_type
47          value: ssh_failed-auth
48        - meta: target_user
49          expression: "evt.Parsed.sshd_invalid_user"
50  - grok:
51      name: "SSHD_DISC_PREAUTH"
52      apply_on: message
53  - grok:
54      name: "SSHD_BAD_VERSION"
55      apply_on: message
56  - grok:
57      name: "SSHD_INVALID_USER"
58      apply_on: message
59      statics:
60        - meta: log_type
61          value: ssh_failed-auth
62        - meta: target_user
63          expression: "evt.Parsed.sshd_invalid_user"
64  - grok:
65      name: "SSHD_INVALID_USER_ALT"
66      apply_on: message
67      statics:
68        - meta: log_type
69          value: ssh_failed-auth
70        - meta: target_user
71          expression: "evt.Parsed.sshd_invalid_user"
72  - grok:
73      name: "SSHD_NOT_ALLOWED_USER"
74      apply_on: message
75      statics:
76        - meta: log_type
77          value: ssh_failed-auth
78        - meta: target_user
79          expression: "evt.Parsed.sshd_invalid_user"
80  - grok:
81      name: "SSHD_INVALID_BANNER"
82      apply_on: message
83      statics:
84        - meta: log_type
85          value: ssh_failed-auth
86        - meta: extra_log_type
87          value: ssh_bad_banner
88  - grok:
89      name: "SSHD_USER_FAIL"
90      apply_on: message
91      statics:
92        - meta: log_type
93          value: ssh_failed-auth
94        - meta: target_user
95          expression: "evt.Parsed.sshd_invalid_user"
96  - grok:
97      name: "SSHD_AUTH_FAIL"
98      apply_on: message
99      statics:
100        - meta: log_type
101          value: ssh_failed-auth
102        - meta: target_user
103          expression: "evt.Parsed.sshd_invalid_user"
104  - grok:
105      name: "SSHD_MAGIC_VALUE_FAILED"
106      apply_on: message
107      statics:
108        - meta: log_type
109          value: ssh_failed-auth
110        - meta: target_user
111          expression: "evt.Parsed.sshd_invalid_user"
112  - grok:
113      name: "SSHD_BAD_KEY_NEGOTIATION"
114      apply_on: message
115      statics:
116        - meta: log_type
117          value: ssh_bad_keyexchange
118  - grok:
119      name: "SSHD_AUTH_TIMEOUT"
120      apply_on: message
121      statics:
122        - meta: log_type
123          value: ssh_auth_timeout
124  - grok:
125      name: "SSHD_DISPATCH_FATAL"
126      apply_on: message
127      statics:
128        - meta: log_type
129          value: ssh_dispatch_fatal
130  - grok:
131      name: "SSHD_REFUSED_CONN"
132      apply_on: message
133      statics:
134        - meta: log_type
135          value: ssh_refused_conn
136statics:
137  - meta: service
138    value: ssh
139  - meta: source_ip
140    expression: "evt.Parsed.sshd_client_ip"
141