Jsitech / JShielder

Hardening Script for Linux Servers/ Secure LAMP-LEMP Deployer/ CIS Benchmark
GNU General Public License v3.0

kex_exchange_identification invalid characters fatal error Ubuntu 18.04 #49

Closed Noket closed 3 years ago

Noket commented 3 years ago

There's a problem running the script on Ubuntu 18.04.5 within Microsoft Azure's VM. I was able to encrypt the grub (as well as enable all other options), and still boot the system with success and eventually gain root access.

However, the issue comes with trying to ssh into the vm via the user account that gets generated.

I've tried every ..

```
noket@noket:~/.ssh$ ssh -o PasswordAuthentication=yes -vvv -o User=dbparent -o EnableSSHKeysign=no -o AddKeysToAgent=yes -o PreferredAuthentications=password xx.xxx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xx.xx [xx.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_rsa-cert type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_dsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: identity file /home/noket/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: banner line contains invalid characters
```

single ..

```
noket@noket:~/.ssh$ ssh -o PasswordAuthentication=yes -vvv -o User=azureuser xx.xxx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_rsa-cert type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_dsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519-cert type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: identity file /home/noket/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: kex_exchange_identification: banner line 0: \344\250\324\300<\013\251\342.#\351]e\360N>\356\277\224\242\2039\252!\264\253$
kex_exchange_identification: banner line contains invalid characters
noket@noket:~/.ssh$
```

.. variation

```
noket@noket:~/.ssh$ ssh -vvv -o CertificateFile=./dbparent@cdx-hardened-publicsqlserver.pem dbparent@xx.xxx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname xx.xxx.xx.xxx is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xxx.xx.xx [xx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/noket/.ssh/id_rsa type -1
debug1: identity file /home/noket/.ssh/id_dsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa type -1
debug1: identity file /home/noket/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/noket/.ssh/id_ed25519 type -1
debug1: identity file /home/noket/.ssh/id_ed25519_sk type -1
debug1: identity file /home/noket/.ssh/id_xmss type -1
debug1: certificate file ./dbparent@cdx-hardened-publicsqlserver.pem type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: banner line contains invalid characters
```

.. but no matter what I do .. no matter how grossly permissive I made the settings (ie: setting fail2ban's limit to 250 attempts, or setting sshd's limits to 250 attempts and active sessions) .. I keep getting hit with this problem

I've tried ssh-add -D .. I've tried rebooting both systems several times .. I've tried clearing out all my private keys .. I've tried reinstalling the daemon .. Nothing has worked.

I kind of need a hardened azure vm for a production setting. Any help you can offer would be appreciated; ideally with a proper bug-fix and maybe a quick fix .. ie: "oh, the problem is module xyz, don't use it when you run hardening" (because the 30 links I've investigated on Google have all been dead ends)
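
All three runs in the report above die at the same point: the client has connected but rejects the very first line the server sends. The following Python check is an added example (not code from the JShielder project or from the reporter) that applies the RFC 4253 rules for the SSH identification line to constructed server responses and to the bytes the second run logged as "banner line 0", so the reader can see what "invalid characters" means in practice; the 1024-line pre-banner limit and the trailing newline on the quoted bytes are assumptions.

```python
# Added example (not JShielder code): classify the first bytes a server sends on
# port 22 by the identification-line rules of RFC 4253 section 4.2. Assumed: a
# 1024-line pre-banner limit and a newline after the bytes quoted in the issue.
MAX_IDENT_LEN = 255          # RFC 4253: identification line at most 255 bytes incl. CRLF
MAX_PRE_BANNER_LINES = 1024  # assumed client tolerance for lines before "SSH-"

def is_printable_ascii(line: bytes) -> bool:
    """RFC 4253 permits only printable US-ASCII (0x20..0x7e) here; control bytes
    and high-bit bytes such as \\344 in the issue's log are invalid."""
    return all(0x20 <= b <= 0x7E for b in line)

def check_identification(data: bytes) -> dict:
    """Walk the server's opening bytes line by line, as a client must, and return
    'ok' with the parsed version string or the kind of failure seen."""
    pre_banner, pos = [], 0
    while pos < len(data):
        end = data.find(b"\n", pos)
        if end == -1:
            break                                   # no complete line yet
        line = data[pos:end].rstrip(b"\r")
        pos = end + 1
        if len(line) + 2 > MAX_IDENT_LEN:
            return {"status": "banner line too long", "pre_banner": pre_banner}
        if not is_printable_ascii(line):
            return {"status": "banner line contains invalid characters",
                    "offending": line, "pre_banner": pre_banner}
        if line.startswith(b"SSH-"):
            # SSH-protoversion-softwareversion [SP comments]
            ident, _, comments = line.partition(b" ")
            parts = ident.split(b"-", 2)
            if len(parts) != 3 or not parts[1] or not parts[2]:
                return {"status": "malformed identification", "pre_banner": pre_banner}
            return {"status": "ok", "protoversion": parts[1].decode(),
                    "software": parts[2].decode(), "comments": comments.decode(),
                    "pre_banner": pre_banner}
        pre_banner.append(line.decode("ascii"))     # e.g. a legal notice line
        if len(pre_banner) >= MAX_PRE_BANNER_LINES:
            return {"status": "too many pre-banner lines", "pre_banner": pre_banner}
    return {"status": "incomplete", "pre_banner": pre_banner}

# Constructed inputs: a normal OpenSSH banner, the same banner after a notice line,
# and the bytes the issue's second run logged as "banner line 0" (newline assumed).
GOOD_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\r\n"
NOTICE_THEN_BANNER = b"Authorized use only\r\n" + GOOD_BANNER
ISSUE_BANNER = (b"\344\250\324\300<\013\251\342.#\351]e\360N>\356\277\224\242"
                b"\2039\252!\264\253$\n")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_BANNER), ("notice", NOTICE_THEN_BANNER), ("issue", ISSUE_BANNER)]:
        print(name, check_identification(sample)["status"])
```

A plain OpenSSH banner and one preceded by a printable notice both pass; the logged bytes fail on the first byte (0xE4), which is a high-bit byte, not text, so a client that gets them has not reached an sshd speaking cleartext SSH on that port.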

Noket commented 3 years ago

And of course, after trying to troubleshoot this for hours, I figure it out fifteen minutes after submitting the ticket ..

Other Azure VM admins: