From: David H. <dho...@gm...> - 2008-09-23 16:11:54
This is a little stale, but it just bounced (probably due to the
sourceforge changes to move mailing lists around). If it bounces again, I
will open a ticket with sf.

On Fri, Sep 19, 2008 at 2:56 AM, David Horn <dho...@gm...> wrote:
> A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:
>
> 1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.
> The ip6fw(8) packet filter has been removed in FreeBSD 7. Since
> ipfw(4) has gained IPv6 support, it should be used instead. Please
> note that some rules might need to be adjusted. (as per 7.0 Release
> notes)
>
> Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the
> appropriate lines to ipfw instead of ip6fw #ifdef'd as appropriate for
> >= FreeBSD 7) Is this something that should/will be fixed in the base
> source, or should we just fix in the FreeBSD ports system ?
>

Unfortunately, it looks like this issue (in ipfw.c) still exists in
sshguard 1.2, and in SVN source. I have attached my proposed patch to
ipfw.c and configure.ac (tested on 1.1 and 1.2) I also fixed an issue
of exceeding the command length for ipfw (60 total bytes is not enough
with IPv6, so I upped it to 90 since the IPv6 addr alone can be 39
bytes as a string)

patch <patch
autoconf
./configure -with-firewall=ipfw
make

configure will autodetect if ip6fw exists, and if it does not, will
use ipfw for IPv6 instead.

> 2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and
> ports version of sshd 5.0p1 has same results), the syslog entries
> apparently confuse sshguard when a valid username (e.g. root), but
> invalid password is used.
>

I looked at the source for sshguard 1.2, and it looks like the fix for
this new sshd PAM string is there. Thanks Hans for the pointer to
https://sourceforge.net/project/shownotes.php?release_id=627038

There is still however a bug related to using the new PAM string in
1.2, and IPv6 addresses (in other words, it works for IPv4, but not
for IPv6.) I tried to find the problem, but so far no luck tracking it
down. The string in question is as follows:

Sep 19 17:47:05 dhorn-bsd sshd[72678]: error: PAM: authentication error for root from 2001:4830:1698:0:21d:6eff:fed5:8cfa

> Example Syslog entries:
>
> Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication
> error for root from 192.168.0.109
>
>
> This does NOT flag sshguard at all right now. I am just assuming that
> it is the authentication error string portion that is probably causing
> the issue (not matching in attack_parser/attack_scanner)
>
> I hacked up a version that supports this new error string (and it
> works fine), but I may not have done it in the most efficient way. In
> any case, I have already reported the authentication error strings to
> the web site: http://sshguard.sourceforge.net/newattackpatt.php
>
> Anyone else seeing these issues ?
>
> Apologies if this has been covered in the mailing list before, but I
> could not find the archives for this listserv.
>
> --Thanks!
>
> --_Dave Horn
>
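
The following C example is added here; it is not part of the message above and is not sshguard's code. It extracts the source address from the PAM failure lines quoted in the message, accepts it only if inet_pton parses it as IPv4 or IPv6, and reports when a fixed-size command buffer (60 versus 90 bytes) would truncate. The ipfw command template, the rule number 55000 and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define PAM_MARK "error: PAM: authentication error for "  /* from the quoted log lines */

/* Sample lines with the two address forms that appear in the message. */
const char *const SAMPLE_V4 = "Sep 19 01:28:35 dhorn-bsd sshd[32346]: "
    "error: PAM: authentication error for root from 192.168.0.109";
const char *const SAMPLE_V6 = "Sep 19 17:47:05 dhorn-bsd sshd[72678]: "
    "error: PAM: authentication error for root from "
    "2001:4830:1698:0:21d:6eff:fed5:8cfa";

/* Copy the source address of a PAM failure line into out. Returns AF_INET,
 * AF_INET6, or 0 when the line does not match or the token is no address. */
int extract_addr(const char *line, char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)];
    const char *addr = NULL, *p = strstr(line, PAM_MARK);
    if (p == NULL)
        return 0;
    /* Take the last " from " so text in the user-name field cannot supply the address. */
    while ((p = strstr(p, " from ")) != NULL)
        addr = p = p + strlen(" from ");
    if (addr == NULL)
        return 0;
    size_t n = strcspn(addr, " \t\r\n");      /* the address ends at whitespace */
    if (n == 0 || n >= outlen)
        return 0;                             /* empty, or too long for out */
    memcpy(out, addr, n);
    out[n] = '\0';
    if (inet_pton(AF_INET, out, bin) == 1)
        return AF_INET;
    return inet_pton(AF_INET6, out, bin) == 1 ? AF_INET6 : 0;
}

/* Format a block command (hypothetical template and rule number) into buf.
 * Returns 0 if it fits, -1 if snprintf had to truncate it. */
int build_block_cmd(char *buf, size_t buflen, const char *addr)
{
    int n = snprintf(buf, buflen, "/sbin/ipfw add 55000 drop ip from %s to me", addr);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    char a[INET6_ADDRSTRLEN], cmd[60];
    int fam = extract_addr(SAMPLE_V6, a, sizeof a);
    printf("family=%d fits60=%d\n", fam, build_block_cmd(cmd, sizeof cmd, a));
    return 0;
}
```

Checking the snprintf return value matters here because a silently truncated command would name a different, shorter address than the one that was logged.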