From: Johan B. <jo...@be...> - 2010-05-21 08:36:48
Hey,

While trying to figure out why sshguard never blocked any users I found an issue that perhaps some other users have run into - sshguard seems to disregard log lines with one-letter hostnames (verified in sshguard 1.4, 1.5rc3 and r199). I'm on a Gentoo box if that should matter, with syslog-ng 3.0.4.

I use a fictive hostname in the style of a.com, and since syslog-ng defaults to options { use_fqdn(no); } the actual log stamp will be something like:

May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.

Here's a debug session with the hostname "a":

May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 206 ("May 21 09:23:37")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0

Here's a hostname with two characters:

May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 113 ("May 21 09:23:37 ab sshd[24341]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 214 (" ")
--accepting rule at line 132 ("Invalid user asd from ")
Next token is token SSH_INVALUSERPREF ()
Shifting token SSH_INVALUSERPREF ()
Entering state 6
Reading a token: --accepting rule at line 194 ("123.123.123.123")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 6
Entering state 53
Reducing stack by rule 31 (line 272):
   $1 = token SSH_INVALUSERPREF ()
   $2 = nterm addr ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 262):
   $1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 214 (" ")
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token $end ()
Entering state 70
Stack now 0 23 70
Cleanup: popping token $end ()
Cleanup: popping nterm text ()
Matched address 123.123.123.123:4 attacking service 100, dangerousness 10.
Purging stale attackers.

Not sure if this really is a bug or intentional; but since you can set your hostname to one letter I guess sshguard at least should know about it.

Cheers,
Johan
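The failure mode in the report above, reproduced as an added example (not sshguard's own lexer): a syslog banner pattern that requires a two-character hostname silently drops every line from host "a", so the "Invalid user" message is never seen and nothing gets blocked. The STRICT_BANNER and FIXED_BANNER patterns and the sample lines are constructed for illustration; only the dropped-line count tells you the parser, not the attacker, is the problem.

```python
import re

# Constructed sample lines modelled on the report (hostnames "a" and "ab").
SAMPLE_LINES = [
    'May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123',
    'May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123',
    'May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.',
]

_TS = r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
_TAIL = r' (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'

# Hypothetical strict pattern: hostname needs 2+ characters ("+" after the
# first char), which reproduces the symptom: the one-letter host never matches.
STRICT_BANNER = re.compile(_TS + r'(?P<host>[A-Za-z0-9][A-Za-z0-9.-]+)' + _TAIL)

# Corrected pattern: hostname is one or more characters ("*" after the first).
FIXED_BANNER = re.compile(_TS + r'(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)' + _TAIL)

INVALID_USER = re.compile(r'^Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$')


def parse_banner(line, banner_re):
    """Return the banner fields as a dict, or None if the line is not recognised."""
    m = banner_re.match(line)
    return m.groupdict() if m else None


def scan(lines, banner_re):
    """Return (attacker IPs from sshd 'Invalid user' lines, lines the banner
    pattern rejected). A non-empty second list is the signal that the parser
    is discarding input, which is what the report's debug session shows."""
    hits, dropped = [], []
    for line in lines:
        fields = parse_banner(line, banner_re)
        if fields is None:
            dropped.append(line)
            continue
        if fields['proc'] == 'sshd':
            m = INVALID_USER.match(fields['msg'])
            if m:
                hits.append(m.group('ip'))
    return hits, dropped


if __name__ == '__main__':
    for name, pattern in (('strict', STRICT_BANNER), ('fixed', FIXED_BANNER)):
        hits, dropped = scan(SAMPLE_LINES, pattern)
        print(f'{name}: matched {hits}, dropped {len(dropped)} line(s)')
```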