From: Kevin Z. <kev...@gm...> - 2015-02-03 00:42:11
On 02/02/2015 14:20, Willem Jan Withagen wrote:
> The parsing trace tells you that it accepts the ipnr as ipnr, but then
> the next word is unexpected in the grammar.
> So the via 10.0.1.100 is creating a "syntax error"
>
> This is inherent to the way the syntax rules are built.
> And the syntax rules are only modifiable at compile time.
> And need to be written 101% matching, otherwise the line will be skipped.

Willem's analysis is correct. The solution is to add rules to parse the "via" message correctly. I'll get around to this eventually, but anyone is welcome to submit a patch here as well.

> I'm still not very sure if this is really a desired concept for logfile
> parsing. E.g. openssh changes its log format, and "all of a sudden" log
> output is no longer generating desired reactions.
>
> It requires "flexible" ways of specifying scanner and parser input,
> which is not really a trivial thing.

This is a tricky issue. Several other (non-SSHGuard) log parsers have had significant "log-injection" vulnerabilities due to weak regular expressions or inadequate sanity checking. SSHGuard's decision has generally been to enforce strong rules, since the alternative is somewhat risky (i.e. root compromise).

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
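The trade-off Kevin describes, a loose search-style regex that accepts almost anything versus a strict grammar that skips any line it does not fully recognize, can be shown side by side. The following is an added example and is not SSHGuard's code or its actual grammar; the log lines are constructed sshd-style lines, and the field patterns (`SYSLOG_PREFIX`, `STRICT_RE`) are assumptions for illustration. The weak parser picks up the first thing that looks like a source address, so a log field that merely contains the text `from <ip>` can steer it to report the wrong host. The strict parser anchors the whole line, restricts the username to a fixed character class and validates the address; it returns nothing for the crafted line and also for the `via` line from the thread, which is exactly the "line will be skipped" behaviour Willem observed.

```python
import ipaddress
import re

# Constructed sample lines in sshd/syslog style (not from the original thread).
LINES = [
    # Ordinary failed login from 203.0.113.7.
    "Feb  2 14:20:01 host sshd[123]: Invalid user bob from 203.0.113.7",
    # The username field itself contains 'from 198.51.100.9'; the real source
    # is still 203.0.113.7. A search-style regex reports the wrong address.
    "Feb  2 14:20:02 host sshd[124]: Invalid user root from 198.51.100.9 from 203.0.113.7",
    # The 'via' form discussed in the thread: not in the strict grammar.
    "Feb  2 14:20:03 host sshd[125]: Invalid user alice from 203.0.113.7 via 10.0.1.100",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Weak approach: scan anywhere in the line for 'from <ip>' and take the first hit.
WEAK_RE = re.compile(r"from (" + IPV4 + ")")


def weak_extract(line):
    """Return the first address after 'from', or None. Not anchored, not validated."""
    m = WEAK_RE.search(line)
    return m.group(1) if m else None


# Strict approach (assumed grammar, modelled on the idea in the thread):
# the entire line must match, the username has a fixed alphabet, and the
# address is validated as a real IPv4 literal.
SYSLOG_PREFIX = r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
STRICT_RE = re.compile(
    SYSLOG_PREFIX
    + r"Invalid user (?P<user>[A-Za-z0-9._-]+) from (?P<ip>" + IPV4 + r")"
)


def strict_parse(line):
    """Return (user, ip) only if the whole line fits the grammar, else None."""
    m = STRICT_RE.fullmatch(line)
    if not m:
        return None  # unexpected token anywhere -> whole line skipped
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # e.g. 999.1.1.1 matches the shape but is not an address
    return m.group("user"), str(ip)


def compare(lines):
    """Side-by-side result for each line: (weak address, strict parse)."""
    return [(weak_extract(l), strict_parse(l)) for l in lines]


if __name__ == "__main__":
    for line, (weak, strict) in zip(LINES, compare(LINES)):
        print(line)
        print("  weak  :", weak)
        print("  strict:", strict)
```

The cost of the strict parser is visible on the third line: a format the grammar does not know yields no result at all, which is the maintenance burden Willem raises. The benefit is visible on the second line: the strict parser never reports an address that was chosen by the remote party rather than observed by sshd, which is the class of mistake Kevin refers to as log injection.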