[Sshguard-users] sshguard on Mountain Lion

[Mike L. <ml...@gm...>]

Hacking around in the code, it looks like there are a couple of things
mangling the scanner:

1) It chokes on the "<Error>:" term and doesn't scan the rest of the line.
2) It use the word "via" instead of "from".

I don't much know my way around lex, so I'm pretty much shooting in the
dark.

This patch at least recognizes an attack, but it seems to attribute it to
*MY* IP address.  It seesm to grab the address after the "via" instead of
the "from" and think that is the attacker.

diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 45e7c22..1123bf3 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -107,7 +107,7 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
   */

  /* handle entries with PID and without PID from processes other than
sshguard */
-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"] "{SOLARIS_MSGID_TAG}? {
         /* extract PID */
         yylval.num = getsyslogpid(yytext, yyleng);
         return SYSLOG_BANNER_PID;
@@ -145,6 +145,9 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
  /* wrong password for valid user @ FreeBSD, Debian */
 "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
")?.+" from "            { return SSH_LOGINERR_PAM; }

+ /* wrong password for valid user @ OS X 10.8.x */
+"<Error>: error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal
user ")?.+" via "            { return SSH_LOGINERR_PAM; }
+
  /* SSH: reverse mapping "possible break-in attempt!" */
 "reverse mapping checking getaddrinfo for "[^\[]*"["            {
BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; }
 <ssh_reversemap>"] ".*"POSSIBLE BREAK-IN ATTEMPT!"              {
BEGIN(INITIAL); return SSH_REVERSEMAP_SUFF; }