Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Barry,

On 02/02/2015 14:52, Barry Muldrey wrote:
>  /* wrong password for valid user @ FreeBSD, Debian */
> "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
> ")?.+" from "            { return SSH_LOGINERR_PAM; }
>  
> which seems to be the appropriate pattern... 

Not quite. You're looking at the lexer, which is responsible for
retrieving separable tokens. To add "via", you are interested in
'attack_parser.y', in particular these lines:

ssh_authfail:
    SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
    | SSH_LOGINERR_PAM addr
    ;

The solution is to add a new lexer token along the lines of
SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.

This should not be difficult, but isn't exactly trivial either.
Hopefully I'll get around to this soon.

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

Intelligently block brute-force attacks by aggregating system logs

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"