I'm having trouble generating an email notice when someone is trying to do an ssh bruteforce attack on my server with Bro (v2.4.1). I have a Bro script like this which redefines the max login attemps to 5 per 24 hours:
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=5;
redef SSH::guessing_timeout=1440 mins;
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Password_Guessing && /192\.168\.178\.16/ in n$sub )
add n$actions[Notice::ACTION_EMAIL];
}
where 192.168.178.16 is the local ip of my server and I've made sure the script gets loaded by including it in $PREFIX/site/local.bro. The output of broctl scripts shows that the script is loaded just fine on startup. However, I never receive any email notice of ssh bruteforcing attacks.
Connection summaries, dropped packets and invalid ssl certificate notices are emailed just fine, so it's not an email configuration issue. When I check the ssh log output like so:
sudo cat /opt/bro/logs/current/ssh.log | bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg
The 6 failed login attemps (that I generated for testing this) are logged just fine in /opt/bro/logs/current/ssh.log:
2016-11-11T14:45:08+0100 CRoENl2L4n5RIkMd0l 84.241.*.* 43415 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:13+0100 CMflWI2ESA7KVZ3Cmk 84.241.*.* 43416 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:17+0100 CZuyQO2NxvmpsmsWwg 84.241.*.* 43417 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:20+0100 CC86Fi3IGZIFCoot2l 84.241.*.* 43418 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:25+0100 CHqcJ93qRhONQC1bm4 84.241.*.* 43419 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:28+0100 CdV0xh1rI4heYaFDH2 84.241.*.* 43420 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
However I never get any email notice of this happening. The only reason I can think of is I have password login over ssh disabled, so maybe the login attemps without a private key are not firing the ssh_failed_login events in Bro? The auth_success column in above table shows a "-" for the failed login attemps whereas a succesfull login shows a "T", so maybe that should be a "F" in order for the event to fire?
Any help or suggestions is greatly appreciated!
Due to SSH being encrypted, we've had to resort to heuristics for detection of successful and unsuccessful authentications. Those heuristics have improved through time but are still far from perfect. If the "auth_success" column is unset like it is in the examples you provided it means that Bro was unable to make the guess if the login was successful or not.
The reason that the bruteforce detection script isn't working is because it's never detecting an unsuccessful login. Your suspicion at the end of your question is correct.