Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ssh): Support authless connection #723

Open
jinnatar opened this issue Apr 6, 2024 · 10 comments · May be fixed by #956
Open

fix(ssh): Support authless connection #723

jinnatar opened this issue Apr 6, 2024 · 10 comments · May be fixed by #956
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed

Comments

@jinnatar
Copy link

jinnatar commented Apr 6, 2024

Describe the feature request

A mode of the SSH check that would only check for a valid SSH connection banner. It's an upgrade from a plain TCP check but lighter weight than a full SSH check as done today.

An example of a borked OpenSSH server that passes a TCP check:

❯ nc borked.example.com 22
EHLO

... After which the connection terminates.

An example of a functioning OpenSSH server:

❯ nc fine.example.com 22
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
EHLO
Invalid SSH identification string.

... After which the connection terminates.

Why do you personally want this feature to be implemented?

While the current SSH check does allow checking an SSH endpoint it has limitations that I'd love to overcome:

  • It can only validate with authentication -> Requires exposing credentials to monitoring, even if it can be done via env variables.
  • It requires password auth -> No support for pubkey auth, requires keeping password auth enabled in sshd which is against security best practices.

How long have you been using this project?

1y

Additional information

The banner check is just the first idea I was able to confirm in a real scenario. If someone knows a bit more of the protocol then perhaps there's more quick wins a bit deeper. But, then again a quick "does the server send any banner after TCP open would already be a big improvement.
@TwiN TwiN changed the title FR: authless basic SSH checking fix(ssh): Support authless connection Apr 9, 2024
@TwiN TwiN added bug Something isn't working help wanted Extra attention is needed good first issue Good for newcomers labels Apr 9, 2024
@ImTheCurse
Copy link

if I understand correctly @jinnatar , you suggest trying to preform health checks by connecting to address and checking for a banner?
@TwiN is it supposed to deprecate ssh with authentication health checks or as an additional field in the config file?
I wouldn't mind trying to solve this issue if no one is working on it.

@jinnatar
Copy link
Author

jinnatar commented Jan 3, 2025

That was my initial idea of what would be a reasonable check if auth won't even be attempted. It could however just as well be a standlone TCP check with config options for command to send and allowlist & denylist matching for banner content.

As an example of a second use case, just now I'm trying to monitor an uppity NUT daemon that occasionally just stops communicating with the UPS which is obvious from a very basic call LIST UPS, but does require you to send, receive & text match the received data.

So long answer short, it may not make sense to modify the ssh check, but instead modify the tcp check which would solve a whole class of similar issues.

@ImTheCurse
Copy link

@jinnatar maybe it should be opened as a separate issue since it seems that a generalized solution will be more complex, however the "no auth attempt" use case might be common enough that it will be worth to implement, even if it will be removed in a different update.

@TwiN
Copy link
Owner

TwiN commented Jan 6, 2025

Hm, would it be possible to use the no-auth approach automatically if no username/password are provided?

@ImTheCurse
Copy link

@TwiN I think we could,
we would have to change the way ssh is currently validated, since no username and password would be okay.
also, we would have to change the behavior of handling SSH type, in the following block:

gatus/config/endpoint/endpoint.go

Lines 365 to 376 in b650518

} else if endpointType == TypeSSH {
var cli *ssh.Client
result.Connected, cli, err = client.CanCreateSSHConnection(strings.TrimPrefix(e.URL, "ssh://"), e.SSHConfig.Username, e.SSHConfig.Password, e.ClientConfig)
if err != nil {
result.AddError(err.Error())
return
}
result.Success, result.HTTPStatus, err = client.ExecuteSSHCommand(cli, e.Body, e.ClientConfig)
if err != nil {
result.AddError(err.Error())
return
}

since we wouldn't be connected to it, we wouldn't be able to execute commands inside the shell, meaning we would have to check for username and password early and handle a health check to the endpoint and return.

@ImTheCurse ImTheCurse linked a pull request Jan 7, 2025 that will close this issue
Open
2 tasks
@stuartskelton
Copy link

I wonder how nice this would play with something like Fail-2-Ban. You might get failures because its banned the IP you check from.

@jinnatar
Copy link
Author

A quick scan through some fail2ban discussions seems to indicate a closed connection without auth would not trip by default, but probably would trip if set to agressive mode. I'd say it would be worth a caution line in documentation that agressive fail2ban configs may be tripped by testing that does not attempt to auth.

@stuartskelton
Copy link

that said too, if the IP is also known for the Gatus checking server a white list could be added if they are in aggressive mode

@ImTheCurse
Copy link

@jinnatar @stuartskelton I wouldn't mind adding to the documentation on my PR, as I am not familiar with fail2ban, is it something that justifies a note on the docs?
also, @TwiN let me know if it falls under the documentation scope and I'll include it, I've already made a PR but I would add that.

@stuartskelton
Copy link

I think something in the docs to remind people SSH limiting and Tar pitting is a still a thing. UFW (the firewall in Ubuntu) can also apply limit on ssh connections. Something generic like, If you are using SSH brute force protection software like Fail2Ban or some firewalls (e.g. UFW in limit mode), you may encounter false negatives in some cases. To avoid this, consider reviewing and adjusting your settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
4 participants
@stuartskelton @jinnatar @TwiN @ImTheCurse