Skip to content

refactor(sshd-logs): split ssh_failed-auth into distinct log_types #1650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
LaurenceJJones wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

refactor(sshd-logs): split ssh_failed-auth into distinct log_types #1650

LaurenceJJones wants to merge 1 commit into from

Conversation

@LaurenceJJones
Copy link
Member

@LaurenceJJones LaurenceJJones commented Jan 21, 2026

Description

The ssh-time-based-bf scenario was incorrectly triggering because a single SSH login attempt generates multiple log lines (Invalid user, pam_unix auth failure, Failed password, Connection closed), all previously tagged as ssh_failed-auth. This caused 1 real attempt to be counted as 3-4 events, inflating the count and skewing the MedianInterval calculation.

Split ssh_failed-auth into distinct log_types per event category:

  • ssh_password_fail: actual auth failures (Failed password for)
  • ssh_invalid_user: username probing (Invalid user from)
  • ssh_pam_failure: PAM notification (duplicate signal, unused)
  • ssh_preauth_close: connection lifecycle (Connection closed [preauth])
  • ssh_not_allowed: AllowUsers blocks
  • ssh_bad_banner, ssh_bad_keyexchange, ssh_magic_failed: protocol anomalies

Added new scenarios for complete coverage (one per bucket):

  • ssh-invalid-user: detect username probing
  • ssh-preauth-scan: detect preauth disconnect scanning
  • ssh-not-allowed: detect blocked user attempts
  • ssh-scanner: detect protocol anomalies

Updated existing scenarios (ssh-bf, ssh-slow-bf, ssh-time-based-bf) to use ssh_password_fail for accurate 1:1 counting of actual auth attempts.

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR

@LaurenceJJones @claude
refactor(sshd-logs): split ssh_failed-auth into distinct log_types
e517a32 
The ssh-time-based-bf scenario was incorrectly triggering because a single
SSH login attempt generates multiple log lines (Invalid user, pam_unix auth
failure, Failed password, Connection closed), all previously tagged as
ssh_failed-auth. This caused 1 real attempt to be counted as 3-4 events,
inflating the count and skewing the MedianInterval calculation.

Split ssh_failed-auth into distinct log_types per event category:
- ssh_password_fail: actual auth failures (Failed password for)
- ssh_invalid_user: username probing (Invalid user from)
- ssh_pam_failure: PAM notification (duplicate signal, unused)
- ssh_preauth_close: connection lifecycle (Connection closed [preauth])
- ssh_not_allowed: AllowUsers blocks
- ssh_bad_banner, ssh_bad_keyexchange, ssh_magic_failed: protocol anomalies

Added new scenarios for complete coverage (one per bucket):
- ssh-invalid-user: detect username probing
- ssh-preauth-scan: detect preauth disconnect scanning
- ssh-not-allowed: detect blocked user attempts
- ssh-scanner: detect protocol anomalies

Updated existing scenarios (ssh-bf, ssh-slow-bf, ssh-time-based-bf) to use
ssh_password_fail for accurate 1:1 counting of actual auth attempts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LaurenceJJones