From: Mij <mi...@ss...> - 2010-07-05 11:09:41
Nice to hear this sort of test case :) Committed (r202), thanks!

On May 21, 2010, at 10:16 , Johan Bergström wrote:

> Hey,
>
> While trying to figure out why sshguard never blocked any users I found an issue that perhaps some other users have run into - sshguard seems to disregard log lines with one-letter hostnames (verified in sshguard 1.4, 1.5rc3 and r199). I'm at a Gentoo box if that should matter, with syslog-ng 3.0.4
>
> I use a fictive hostname in style with a.com, and since syslog-ng defaults to options { use_fqdn(no); } the actual log stamp will be something like:
> May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.
>
> Here's a debug session with the hostname "a":
>
> May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Read line from '-'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 206 ("May 21 09:23:37")
> Next token is token TIMESTAMP_SYSLOG ()
> Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
> Stack now 0
>
>
> Here's a hostname with two characters:
>
> May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Read line from '-'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 113 ("May 21 09:23:37 ab sshd[24341]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 214 (" ")
> --accepting rule at line 132 ("Invalid user asd from ")
> Next token is token SSH_INVALUSERPREF ()
> Shifting token SSH_INVALUSERPREF ()
> Entering state 6
> Reading a token: --accepting rule at line 194 ("123.123.123.123")
> Next token is token IPv4 ()
> Shifting token IPv4 ()
> Entering state 50
> Reducing stack by rule 23 (line 203):
> $1 = token IPv4 ()
> -> $$ = nterm addr ()
> Stack now 0 1 6
> Entering state 53
> Reducing stack by rule 31 (line 272):
> $1 = token SSH_INVALUSERPREF ()
> $2 = nterm addr ()
> -> $$ = nterm ssh_illegaluser ()
> Stack now 0 1
> Entering state 31
> Reducing stack by rule 26 (line 262):
> $1 = nterm ssh_illegaluser ()
> -> $$ = nterm sshmsg ()
> Stack now 0 1
> Entering state 30
> Reducing stack by rule 11 (line 169):
> $1 = nterm sshmsg ()
> -> $$ = nterm msg_single ()
> Stack now 0 1
> Entering state 28
> Reducing stack by rule 9 (line 163):
> $1 = nterm msg_single ()
> -> $$ = nterm logmsg ()
> Stack now 0 1
> Entering state 46
> Reducing stack by rule 5 (line 138):
> $1 = token SYSLOG_BANNER_PID ()
> $2 = nterm logmsg ()
> -> $$ = nterm syslogent ()
> Stack now 0
> Entering state 24
> Reducing stack by rule 1 (line 122):
> $1 = nterm syslogent ()
> -> $$ = nterm text ()
> Stack now 0
> Entering state 23
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 214 ("
> ")
> --(end of buffer or a NUL)
> --EOF (start condition 0)
> Now at end of input.
> Shifting token $end ()
> Entering state 70
> Stack now 0 23 70
> Cleanup: popping token $end ()
> Cleanup: popping nterm text ()
> Matched address 123.123.123.123:4 attacking service 100, dangerousness 10.
> Purging stale attackers.
>
>
> Not sure if this really is a bug or intentional; but since you can set your hostname to one letter I guess sshguard at least should know about it.
>
> Cheers,
> Johan
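The failure mode the thread describes (a syslog banner rule that silently drops lines whose hostname is a single character, so the attacker address is never extracted) can be reproduced with a small parser. This is an added illustration, not sshguard's actual lexer; the two hostname patterns are assumed stand-ins for the over-strict and the corrected rule, and the sample lines are taken from the report.

```python
import re

# Constructed sample lines, copied from the report: hostnames "a" and "ab".
SAMPLE_LINES = [
    "May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123",
    "May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123",
]

TIMESTAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
# Assumed over-strict hostname rule: the '+' after the first character
# demands at least two characters, so a one-letter hostname never matches
# and the whole line is discarded (illustrative, not sshguard's real rule).
HOST_STRICT = r"[A-Za-z0-9][A-Za-z0-9.-]+"
# Corrected rule: '*' lets the hostname be a single character.
HOST_FIXED = r"[A-Za-z0-9][A-Za-z0-9.-]*"


def banner_re(host_pattern):
    """Build the syslog banner matcher: timestamp, host, process[pid]: msg."""
    return re.compile(
        rf"^(?P<ts>{TIMESTAMP}) (?P<host>{host_pattern}) "
        rf"(?P<proc>[A-Za-z0-9_-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


INVALID_USER = re.compile(
    r"^Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def extract_attacker(line, host_pattern=HOST_FIXED):
    """Return the offending IPv4 for an sshd 'Invalid user' line, else None."""
    m = banner_re(host_pattern).match(line)
    if not m:
        return None  # banner rejected: the line is silently ignored
    mm = INVALID_USER.match(m.group("msg"))
    return mm.group("ip") if mm else None


def scan(lines, host_pattern=HOST_FIXED):
    """Map each line to the extracted IP (or None) under the given host rule."""
    return [extract_attacker(line, host_pattern) for line in lines]


if __name__ == "__main__":
    print("strict:", scan(SAMPLE_LINES, HOST_STRICT))
    print("fixed: ", scan(SAMPLE_LINES, HOST_FIXED))
```

Under the strict rule the "a" line yields None while the "ab" line yields the address, mirroring the two debug sessions above; under the fixed rule both lines yield it.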