[Sshguard-users] Adding whitelist regex

[Philip K. <pc...@no...>]

Through a series of links, I made my way to sshguard which looks  
functional enough for my systems that do not have pf(4) and its built- 
in limits available.  One of them was:

	http://hawking.nonlogic.org/#e2007-03-12T03_45_55.txt

that also contains a modification to the SSHCRACK_REGEX pattern.


Playing with the program I also want to make sure certain hosts are  
never blocked for a variety of reasons.  Ideally I would prefer to  
match on a set of CIDR blocks/etc like I can innately with pf(4), but  
since some of my systems cannot do that I added another regex.


Here is a patch that includes the one from the hawking page as well  
as a trivial white-list addition:

diff -ru sshguard-0.91-orig/sshguard.c sshguard-0.91/sshguard.c
--- sshguard-0.91-orig/sshguard.c	2007-02-10 09:40:17.000000000 -0600
+++ sshguard-0.91/sshguard.c	2007-04-16 12:41:00.000000000 -0500
@@ -41,6 +41,7 @@
void sighand(int sig);
regex_t crackre;
+regex_t whitere;
int main(int argc, char *argv[]) {
      char ip[IP_LEN], logline[MAX_LOGLINE_LEN];
@@ -56,6 +57,13 @@
          exit(1);
      }
+    retv = regcomp(&whitere, SSHGUARD_WHITELIST, REG_EXTENDED);
+    if (retv != 0) {
+        regerror(retv, &whitere, logline, MAX_LOGLINE_LEN);
+        fprintf(stderr, "%s\n", logline);
+        exit(1);
+    }
+
      list_init(&limbo);
      list_init(&hell);
@@ -107,13 +115,19 @@
          /* extract the IP address */
          extractIP(logline, ip, pmatch[REGEXIPENTRY].rm_so, pmatch 
[REGEXIPENTRY].rm_eo);
          sshguard_log(LOG_DEBUG, "Matched IP address %s\n", ip);
-
+
+        if ( regexec(&whitere, ip, 0, NULL, 0) == 0 ) {
+            sshguard_log(LOG_DEBUG, "Ignoring IP address, matched  
whitelist: %s\n", ip);
+            continue;
+        }
+
          /* report IP */
          reportIP(ip);
      }
      /* cleanup */
      regfree(&crackre);
+    regfree(&whitere);
      if (fw_fin() != 0) sshguard_log(LOG_ERR, "Cound not finalize  
firewall.");
      sshguard_log_fin();
@@ -228,6 +242,7 @@
      closelog();
      regfree(&crackre);
+    regfree(&whitere);
      exit(0);
}
diff -ru sshguard-0.91-orig/sshguard.h sshguard-0.91/sshguard.h
--- sshguard-0.91-orig/sshguard.h	2007-02-10 09:00:47.000000000 -0600
+++ sshguard-0.91/sshguard.h	2007-04-16 12:41:15.000000000 -0500
@@ -17,8 +17,10 @@
   *
   */
/* regex for log entries representing brute force trials */
-#define SSHCRACK_REGEX      "sshd\\[[0-9]+\\]: (Failed|Illegal user| 
Invalid user|User) .+from ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9] 
([0-9])?)(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3}) 
( not allowed)?"
+#define SSHCRACK_REGEX	"sshd\\[[0-9]+\\]: (Failed|Illegal user| 
Invalid user|User|pam_unix\\(sshd:auth\\): authentication failure;).+ 
(from |rhost=)((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\\.(25 
[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3})( not allowed)?"
/* field number in SSHCRACK_REGEX containing the attacker IP address */
-#define REGEXIPENTRY        2
+#define REGEXIPENTRY        3
+
+#define SSHGUARD_WHITELIST	"ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\ 
\.BLOCK\\."
#endif