From: Barry M. <bmu...@ga...> - 2015-02-03 00:59:44
Does anyone know who's responsible for printing the "...via 10.0.1.100" in the syslog message? I presume it's there to tell me which interface the attack came in on (for multiple LAN interface machines)?

Easiest work-around would be to turn off this portion of the message; I've tried various LogLevels and SyslogFacilities in sshd_config to no avail... thoughts?

_-_-_-_-_-_-_-_-_-_-_-_-
Barry John Muldrey Jr.
Doctoral Student and Graduate Researcher, Georgia Institute of Technology
www.barrymuldrey.com
+1 (504) 975-7971
689 Berne St SE, Apt C
Atlanta, GA 30312-3529 USA

On Mon, Feb 2, 2015 at 7:52 PM, Barry Muldrey <bmu...@ga...> wrote:

> Thanks, Kevin. I'll continue to poke around
> ...and monitor this thread for news
>
> On Mon, Feb 2, 2015 at 7:47 PM, Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Barry,
>>
>> On 02/02/2015 14:52, Barry Muldrey wrote:
>> > /* wrong password for valid user @ FreeBSD, Debian */
>> > "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
>> > ")?.+" from " { return SSH_LOGINERR_PAM; }
>> >
>> > which seems to be the appropriate pattern...
>>
>> Not quite. You're looking at the lexer, which is responsible for
>> retrieving separable tokens. To add "via", you are interested in
>> 'attack_parser.y', in particular these lines:
>>
>> ssh_authfail:
>>     SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
>>     | SSH_LOGINERR_PAM addr
>>     ;
>>
>> The solution is to add a new lexer token along the lines of
>> SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.
>>
>> This should not be difficult, but isn't exactly trivial either.
>> Hopefully I'll get around to this soon.
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
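
The grammar change discussed in the thread (an address followed by an optional "via <address>" suffix before end of line), sketched as a small stand-alone C parser. This is an added example, not sshguard's lexer or yacc code and not written by either poster; the function names and the sample log line are constructed for illustration, and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
/* Copy one dotted-quad token at *p into out, step past it; 1 if valid IPv4. */
static int take_addr(const char **p, char *out, size_t outlen)
{
    size_t n = strspn(*p, "0123456789.");
    struct in_addr tmp;
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, *p, n);
    out[n] = '\0';
    if (inet_pton(AF_INET, out, &tmp) != 1)
        return 0;
    *p += n;
    return 1;
}

/* Hypothetical helper. Accepts: PAM failure text " from " addr [ " via " addr ] EOL.
 * Returns 1 and fills src with the remote address; the "via" address is only validated. */
int parse_pam_authfail(const char *line, char *src, size_t srclen)
{
    const char *p = strstr(line, "error: PAM: "), *from = NULL, *next;
    char local[INET_ADDRSTRLEN];
    if (p == NULL || strstr(p, "uthentication ") == NULL)
        return 0;
    /* Take the last " from " so text in the user name cannot supply the address. */
    for (next = p; (next = strstr(next, " from ")) != NULL; next += 6)
        from = next;
    if (from == NULL)
        return 0;
    p = from + 6;
    if (!take_addr(&p, src, srclen))
        return 0;
    if (strncmp(p, " via ", 5) == 0) {   /* the optional suffix */
        p += 5;
        if (!take_addr(&p, local, sizeof local))
            return 0;
    }
    return *p == '\0' || *p == '\n';     /* nothing else may follow */
}

int main(void)
{
    char src[INET_ADDRSTRLEN];           /* sample line below is constructed */
    const char *l = "error: PAM: authentication error for root from 192.0.2.7 via 10.0.1.100";
    printf("%d %s\n", parse_pam_authfail(l, src, sizeof src), src);
    return 0;
}
```

Anchoring the match at end of line is what makes a line with the suffix fail under a grammar that only knows `addr`; the optional branch accepts it while still reporting the remote address rather than the local one.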