Re: [Sshguard-maintainers] [Sshguard-users] SSHGuard 1.6.1 release announcement

[Willem J. W. <wj...@di...>]

On 1-8-2015 03:07, Kevin Zheng wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Greetings,
>
> I am pleased to announce the release of SSHGuard 1.6.1 [1]. This
> release is primarily a bugfix release that fixes a few late-breaking
> issues from 1.6.0 while incorporating a few feature improvements. This
> release was slightly delayed by a recent SourceForge outage.
>
> Changes in this release include:
>
> - - Accept "Received disconnect" with optional prefix
> - - Add support for socklog entries
> - - Fix 'ipfw-rules-range' option in configure script
> - - Fix build for 'ipfw' and 'hosts' backends
> - - Fix integer comparisons of different types
> - - Match attacks when syslog debugging is enabled
>
> Many thanks to the contributors who reported issues or sent in patches
> to fix them. Special thanks to the FreeBSD community for reporting and
> fixing a number of problems amended in this release.
>
> As usual, please report any bugs, build failures, or other issues to
> the mailing list or the Bitbucket tracker [2].

Hi,

I added some code on FreeBSD to libssh to make some errors actually log 
the the ip-number, because this is usualy abuse as well....

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202055

And it changes the log like:
fatal: Read from socket failed: Connection reset by peer [preauth]

Which is rather useless for tools like sshguard and/or fail2ban

But this patch changes this info to:
Aug  2 19:37:32 zfs sshd[19444]: Read from socket failed: 218.2.22.36 
[preauth]
Aug  2 19:37:32 zfs sshd[19444]:fatal: Read from socket failed: 
Connection reset by peer [preauth]

But then again this needs to be picked upt by sshguard with an extra 
parser rule...

--WjW

patch:
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c     (revision 286222)
+++ crypto/openssh/packet.c     (working copy)
@@ -1128,8 +1128,10 @@
                         logit("Connection closed by %.200s", 
get_remote_ipaddr());
                         cleanup_exit(255);
                 }
-               if (len < 0)
+               if (len < 0) {
+                       logit("Read from socket failed: %.200s", 
get_remote_ipaddr());
                         fatal("Read from socket failed: %.100s", 
strerror(errno));
+               }
                 /* Append it to the buffer. */
                 packet_process_incoming(buf, len);
         }