Another value for system.auth.ssh.event in the system module?

After hardening my ssh server I am now seeing quite a lot of the following messages:

Mar 13 10:16:41 XXXXXXX sshd[8349]: Unable to negotiate with X.X.X.X port 58623: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

After reading the documentation I see that system.auth.ssh.event currently only has "Accepted", "Failed" or "Invalid" as possible values.

I'm not sure if this failure-to-negotiate error belongs in exactly this event, but it would be nice to get it parsed so we can alert on these attempts/errors.

Any thoughts/feedback on this?

// Mike

Hi @swedishmike and welcome :slight_smile:

Yeah, we'd need to add support to parse these messages. At the moment it seems that we take the Accepted/Failed values from the message itself; we would need to do some additional processing to select one of these options for this case, or to add a new possible value like NegotiationError.

Is there any additional information you think it'd be interesting to parse from these lines?
It may be good to have some example lines that we are not currently parsing and the expected parsed fields. With this we can open a new enhancement request.


Hi @jsoriano and thanks! :grinning:

From my point of view I think that NegotiationError could work quite nicely. That'd then be able to populate the same visualisation/dashboard as the two Accepted/Failed ones that are already there.

Getting the IP from those lines for GeoIP would be a good one from an information and security point of view.

From a sysadmin point of view it might also be of interest to see what KEX methods the other side is offering? From the example above it would be:

diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

I'll see if I can formulate what's missing and what's wanted eloquently enough and then get it into an Enhancement Request. Edited: Not sure if it's eloquent enough, but here's the RFE: https://github.com/elastic/beats/issues/11233

Thanks, Mike

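As an added illustration of the parsing the thread asks for (not Filebeat's own code or part of the feature request), the Python below turns sshd auth lines into the fields discussed above: the existing Accepted/Failed/Invalid events plus a proposed NegotiationError event carrying the peer IP, port, the failure reason and the offered KEX list. The sample lines, hostnames and IPs are constructed for the example.

```python
import re

# Constructed sample lines; the first mirrors the "Unable to negotiate" message from the thread.
SAMPLE_LINES = [
    "Mar 13 10:16:41 host1 sshd[8349]: Unable to negotiate with 203.0.113.5 port 58623: "
    "no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]",
    "Mar 13 10:17:02 host1 sshd[8350]: Accepted publickey for mike from 198.51.100.7 port 51022 ssh2",
    "Mar 13 10:17:30 host1 sshd[8351]: Failed password for root from 203.0.113.9 port 40011 ssh2",
    "Mar 13 10:18:05 host1 sshd[8352]: Invalid user admin from 203.0.113.9 port 40012",
]

# Syslog envelope: timestamp, hostname, "sshd[pid]: " and the free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The three message shapes the module already distinguishes.
AUTH_RE = re.compile(
    r"^(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# The unparsed shape from the thread; "no matching ... found" also covers cipher/host-key
# mismatches, which share this wording in OpenSSH.
NEGOTIATE_RE = re.compile(
    r"^Unable to negotiate with (?P<ip>\S+) port (?P<port>\d+): "
    r"no matching (?P<reason>.+?) found\. Their offer: (?P<offer>\S+)")


def parse_sshd_line(line):
    """Return a dict of parsed fields, or None when the line is not a recognised sshd event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    fields = {"hostname": m["host"], "pid": int(m["pid"])}
    if (a := AUTH_RE.match(msg)):
        fields.update(event=a["event"], method=a["method"], user=a["user"],
                      ip=a["ip"], port=int(a["port"]))
    elif (i := INVALID_RE.match(msg)):
        fields.update(event="Invalid", user=i["user"], ip=i["ip"], port=int(i["port"]))
    elif (n := NEGOTIATE_RE.match(msg)):
        # Proposed new event value; the offered algorithms become a list for aggregation.
        fields.update(event="NegotiationError", ip=n["ip"], port=int(n["port"]),
                      reason=n["reason"], kex_offer=n["offer"].split(","))
    else:
        return None
    return fields


def parse_all(lines=SAMPLE_LINES):
    """Parse every line, dropping the ones no pattern matches."""
    return [f for f in map(parse_sshd_line, lines) if f is not None]
```

Feeding the parsed `ip` field to a GeoIP lookup and counting `kex_offer` values per source gives the dashboard and alerting views the thread describes.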

Thanks for opening the feature request!

