From: David H. <dho...@gm...> - 2008-09-18 23:56:42
A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:

1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.

   The ip6fw(8) packet filter has been removed in FreeBSD 7. Since ipfw(4) has gained IPv6 support, it should be used instead. Please note that some rules might need to be adjusted. (as per 7.0 Release notes)

   Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the appropriate lines to ipfw instead of ip6fw, #ifdef'd as appropriate for >= FreeBSD 7).

   Is this something that should/will be fixed in the base source, or should we just fix it in the FreeBSD ports system?

2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and ports version of sshd 5.0p1 has same results), the syslog entries apparently confuse sshguard when a valid username (e.g. root), but invalid password is used.

   Example syslog entries:

    Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication error for root from 192.168.0.109
    Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
    Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication error for root from 192.168.0.109
    Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
    Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication error for root from 192.168.0.109
    Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
    Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication error for root from 192.168.0.109
    Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
    Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication error for root from 192.168.0.109

   This does NOT flag sshguard at all right now. I am just assuming that it is the authentication error string portion that is probably causing the issue (not matching in attack_parser/attack_scanner).

   I hacked up a version that supports this new error string (and it works fine), but I may not have done it in the most efficient way.

In any case, I have already reported the authentication error strings to the web site: http://sshguard.sourceforge.net/newattackpatt.php

Anyone else seeing these issues?

Apologies if this has been covered in the mailing list before, but I could not find the archives for this listserv.

--Thanks!
--_Dave Horn
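
Added example, not part of the original post and not sshguard's own code: a C matcher for the "error: PAM: authentication error" log format quoted in item 2. It goes beyond the post by also attributing syslogd's "last message repeated N times" lines to the address of the failure directly before them. The function names, the 64-byte address buffer and the address-literal-only check are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MARK "]: error: PAM: authentication error for "
/* Log lines in the format quoted in the post (its first four entries). */
static const char *const SAMPLE[] = {
    "Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication error for root from 192.168.0.109",
    "Sep 19 01:28:35 dhorn-bsd last message repeated 2 times",
    "Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication error for root from 192.168.0.109",
    "Sep 19 01:28:37 dhorn-bsd last message repeated 2 times",
};

/* Returns 1 and copies the source address if line is an sshd PAM failure. */
int pam_failure(const char *line, char *addr, size_t alen) {
    const char *p = strstr(line, " sshd["), *from = NULL, *q;
    if (!p || !(p = strstr(p, MARK))) return 0;
    /* The user name is chosen by the remote side, so take the LAST " from ". */
    for (q = p + strlen(MARK); (q = strstr(q, " from ")) != NULL; q++) from = q + 6;
    if (!from || !*from || strlen(from) >= alen) return 0;
    /* Assumption: address literal only (IPv4/IPv6 characters), no host names. */
    if (from[strspn(from, "0123456789abcdefABCDEF.:")] != '\0') return 0;
    strcpy(addr, from);
    return 1;
}

/* Returns N for syslogd's "last message repeated N times" line, else 0. */
int repeat_count(const char *line) {
    int n = 0;
    const char *p = strlen(line) > 16 ? strchr(line + 16, ' ') : NULL; /* skip time, host */
    if (!p || sscanf(p + 1, "last message repeated %d times", &n) != 1) return 0;
    return n > 0 ? n : 0;
}

/* Failures for addr; a repeat line counts only right after a matching failure. */
int count_failures(const char *const *lines, size_t n, const char *addr) {
    char last[64] = "", cur[64];
    int total = 0, r;
    for (size_t i = 0; i < n; i++) {
        if (pam_failure(lines[i], cur, sizeof cur)) {
            strcpy(last, cur);
            total += strcmp(cur, addr) == 0;
        } else if ((r = repeat_count(lines[i])) > 0) {
            total += strcmp(last, addr) == 0 ? r : 0;
        } else last[0] = '\0';  /* an unrelated line breaks the chain */
    }
    return total;
}

int main(void) { printf("%d\n", count_failures(SAMPLE, 4, "192.168.0.109")); return 0; }
```

Without the repeat handling, the four sample lines would count as two failures instead of six, which matters when a blocker only acts after a threshold of attempts.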