

Standardise failed authentication attempt logging
Continuing on from go-gitea#13953, this further improves and standardises the logging from the internal SSH server. It also updates the fail2ban setup documentation to match. Signed-off-by: Andrew Thornton <[email protected]>
1 parent 1837e64 commit 156d2cb


2 files changed

+62
-8
lines changed


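--- a/docs/content/doc/usage/fail2ban-setup.en-us.md
+++ b/docs/content/doc/usage/fail2ban-setup.en-us.md
@@ -25,9 +25,27 @@ on a bad authentication from the web or CLI using SSH or HTTP respectively:
 ```log
 2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
 ```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
 ```log
-2020/10/15 16:05:09 modules/ssh/ssh.go:188:publicKeyHandler() [E] SearchPublicKeyByContent: public key does not exist [id: 0] Failed authentication attempt from xxx.xxx.xxx.xxx
+2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+
 ```log
 2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
 ```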

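--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -134,14 +134,25 @@ func sessionHandler(session ssh.Session) {
 }
 
 func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
+if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if neccesary
+log.Debug("Handle Public Key: Fingerprint: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+}
+
 if ctx.User() != setting.SSH.BuiltinServerUser {
-log.Warn("Permission Denied: Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+log.Warn("Invalid SSH username %s - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)
+log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 return false
 }
 
 // check if we have a certificate
 if cert, ok := key.(*gossh.Certificate); ok {
+if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if neccesary
+log.Debug("Handle Certificate: %s Fingerprint: %s is a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+}
+
 if len(setting.SSH.TrustedUserCAKeys) == 0 {
+log.Warn("Certificate Rejected: No trusted certificate authorities for this server")
+log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
 return false
 }
 
@@ -151,7 +162,7 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 pkey, err := models.SearchPublicKeyByContentExact(principal)
 if err != nil {
 if models.IsErrKeyNotExist(err) {
-log.Debug("Principal Rejected: Unknown Principal: %s", principal)
+log.Debug("Principal Rejected: %s Unknown Principal: %s", ctx.RemoteAddr(), principal)
 continue principalLoop
 }
 log.Error("SearchPublicKeyByContentExact: %v", err)
@@ -172,33 +183,58 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 
 // check the CA of the cert
 if !c.IsUserAuthority(cert.SignatureKey) {
-log.Debug("Principal Rejected: Untrusted Authority Signature Fingerprint %s for Principal: %s", gossh.FingerprintSHA256(cert.SignatureKey), principal)
+if log.IsDebug() {
+log.Debug("Principal Rejected: %s Untrusted Authority Signature Fingerprint %s for Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(cert.SignatureKey), principal)
+}
 continue principalLoop
 }
 
 // validate the cert for this principal
 if err := c.CheckCert(principal, cert); err != nil {
-// User is presenting an invalid cerficate - STOP any further processing
-log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal)
+// User is presenting an invalid certificate - STOP any further processing
+if log.IsError() {
+log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s", cert.KeyId, gossh.FingerprintSHA256(cert.SignatureKey), principal, ctx.RemoteAddr())
+}
+log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+
 return false
 }
 
+if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if neccesary
+log.Debug("Successfully authenticated: %s Certificate Fingerprint: %s Principal: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key), principal)
+}
 ctx.SetValue(giteaKeyID, pkey.ID)
 
 return true
 }
+
+if log.IsWarn() {
+log.Warn("From %s Fingerprint: %s is a certificate, but no valid principals found", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+}
+return false
+}
+
+if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if neccesary
+log.Debug("Handle Public Key: %s Fingerprint: %s is not a certificate", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
 }
 
 pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key))))
 if err != nil {
 if models.IsErrKeyNotExist(err) {
-log.Warn("Permission Denied: Unknown public key : %s", gossh.FingerprintSHA256(key))
+if log.IsWarn() {
+log.Warn("Unknown public key: %s from %s", gossh.FingerprintSHA256(key), ctx.RemoteAddr())
+log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+}
 return false
 }
-log.Error("SearchPublicKeyByContent: %v Failed authentication attempt from %s", err, ctx.RemoteAddr())
+log.Error("SearchPublicKeyByContent: %v", err)
 return false
 }
 
+if log.IsDebug() { // <- FingerprintSHA256 is kinda expensive so only calculate it if neccesary
+log.Debug("Successfully authenticated: %s Public Key Fingerprint: %s", ctx.RemoteAddr(), gossh.FingerprintSHA256(key))
+}
 ctx.SetValue(giteaKeyID, pkey.ID)
 
 return true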
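Review bot: The `Invalid SSH username %s` warning added in the first hunk (new line 142) formats `ctx.User()` with `%s`, but that string is chosen by a still-unauthenticated client, and the doc change in this same commit tells operators to feed this log to fail2ban; unless the logger escapes control characters (not visible here), a username containing a newline could forge a `Failed authentication attempt from <victim-ip>` line and get an arbitrary address banned. Quote it so injected newlines stay on one line: `log.Warn("Invalid SSH username %q - must use %s for all git operations via ssh", ctx.User(), setting.SSH.BuiltinServerUser)`. The same applies to `principal` (apparently read from the client's certificate and logged in the `Principal Rejected` debug line before any signature check) and to `cert.KeyId`/`principal` in the `Invalid Certificate` error line; `%q` there too. publicKeyHandler's closing brace lies outside the last hunk.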
