From: Hans F. N. <Han...@hi...> - 2008-09-19 00:04:24
Have you read https://sourceforge.net/project/shownotes.php?release_id=627038

Hans - who normally doesn't top-post.

* David Horn <dho...@gm...> [2008-09-19]:
> A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:
>
> 1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.
> The ip6fw(8) packet filter has been removed in FreeBSD 7. Since
> ipfw(4) has gained IPv6 support, it should be used instead. Please
> note that some rules might need to be adjusted. (as per 7.0 Release
> notes)
>
> Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the
> appropriate lines to ipfw instead of ip6fw #ifdef'd as appropriate for
> >= FreeBSD 7) Is this something that should/will be fixed in the base
> source, or should we just fix in the FreeBSD ports system?
>
> 2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and
> ports version of sshd 5.0p1 has same results), the syslog entries
> apparently confuse sshguard when a valid username (e.g. root), but
> invalid password is used.
>
> Example Syslog entries:
>
> Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication
> error for root from 192.168.0.109
>
>
> This does NOT flag sshguard at all right now. I am just assuming that
> it is the authentication error string portion that is probably causing
> the issue (not matching in attack_parser/attack_scanner)
>
> I hacked up a version that supports this new error string (and it
> works fine), but I may not have done it in the most efficient way. In
> any case, I have already reported the authentication error strings to
> the web site: http://sshguard.sourceforge.net/newattackpatt.php
>
> Anyone else seeing these issues?
>
> Apologies if this has been covered in the mailing list before, but I
> could not find the archives for this listserv.
>
> --Thanks!
>
> --_Dave Horn
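
Added example, not part of the message above and not sshguard's own parser: a Python matcher for the "error: PAM: authentication error for <user> from <addr>" lines quoted in the report, which also credits syslogd's "last message repeated N times" lines to the address of the failure they follow. The function names and the threshold of 4 are assumptions made for illustration.

```python
import re
from collections import Counter

# Log lines quoted in the report above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication error for root from 192.168.0.109
"""

STAMP = r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) "
PAM_FAIL = re.compile(STAMP + r"sshd\[\d+\]: error: PAM: authentication error "
                              r"for (?P<user>\S+) from (?P<addr>\S+)$")
REPEATED = re.compile(STAMP + r"last message repeated (?P<n>\d+) times?$")


def count_failures(log_text):
    """Return Counter {address: failed attempts}, including syslogd repeats."""
    counts = Counter()
    last = None  # (host, addr) while the preceding line was a PAM failure
    for line in log_text.splitlines():
        fail = PAM_FAIL.match(line)
        if fail:
            last = (fail["host"], fail["addr"])
            counts[fail["addr"]] += 1
            continue
        rep = REPEATED.match(line)
        if rep and last and rep["host"] == last[0]:
            # A repeat line stands for N more copies of the previous message.
            counts[last[1]] += int(rep["n"])
        else:
            last = None  # unrelated line: a later repeat refers to it instead
    return counts


def offenders(log_text, threshold=4):
    """Addresses at or above the (assumed, illustrative) failure threshold."""
    return sorted(a for a, n in count_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG), offenders(SAMPLE_LOG))
```

Counting only the lines that carry an address would see five attempts in this excerpt; the repeat lines account for eight more.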