From: Mij <mi...@bi...> - 2007-04-16 19:08:06
On 16/apr/07, at 19:51, Philip Kizer wrote:

> Through a series of links, I made my way to sshguard which looks
> functional enough for my systems that do not have pf(4) and its
> built-in limits available. One of them was:
>
> http://hawking.nonlogic.org/#e2007-03-12T03_45_55.txt
>
> that also contains a modification to the SSHCRACK_REGEX pattern.

Thank you for reporting this. Covering *all* the possible attack patterns (they vary on different OSes) is tough, and I've thus provided http://sshguard.sourceforge.net/newattackpatt.php for gathering and tracking them. I'm quite impressed that I got more mails with patches extending SSHCRACK_REGEX than example submissions to this page. In any case, in version sshguard 1.0 (soon to be released) SSHCRACK_REGEX no longer exists (replaced by a grammar-based context-free parser). The grammar of this parser will take into account the user-submitted extensions I got for the regex.

> Playing with the program I also want to make sure certain hosts are
> never blocked for a variety of reasons. Ideally I would prefer to
> match on a set of CIDR blocks/etc like I can innately with pf(4), but
> since some of my systems cannot do that I added another regex.

The whitelist thing is a very good idea for a new feature. Anyway, a boolean function that takes the candidate IP and tells if it can be blocked appears more elegant and flexible than a further parser. White patterns could be added on the command line, e.g. with "-w 10.11.12.0/24".

> Here is a patch that includes the one from the hawking page as well
> as a trivial white-list addition:
>
> diff -ru sshguard-0.91-orig/sshguard.c sshguard-0.91/sshguard.c > --- sshguard-0.91-orig/sshguard.c 2007-02-10 09:40:17.000000000 -0600 > +++ sshguard-0.91/sshguard.c 2007-04-16 12:41:00.000000000 -0500 > @@ -41,6 +41,7 @@ > void sighand(int sig); > regex_t crackre; > +regex_t whitere; > int main(int argc, char *argv[]) { > char ip[IP_LEN], logline[MAX_LOGLINE_LEN]; 
> @@ -56,6 +57,13 @@ > exit(1); > } > + retv = regcomp(&whitere, SSHGUARD_WHITELIST, REG_EXTENDED); > + if (retv != 0) { > + regerror(retv, &whitere, logline, MAX_LOGLINE_LEN); > + fprintf(stderr, "%s\n", logline); > + exit(1); > + } > + > list_init(&limbo); > list_init(&hell); > @@ -107,13 +115,19 @@ > /* extract the IP address */ > extractIP(logline, ip, pmatch[REGEXIPENTRY].rm_so, pmatch > [REGEXIPENTRY].rm_eo); > sshguard_log(LOG_DEBUG, "Matched IP address %s\n", ip); > - > + > + if ( regexec(&whitere, ip, 0, NULL, 0) == 0 ) { > + sshguard_log(LOG_DEBUG, "Ignoring IP address, matched > whitelist: %s\n", ip); > + continue; > + } > + > /* report IP */ > reportIP(ip); > } > /* cleanup */ > regfree(&crackre); > + regfree(&whitere); > if (fw_fin() != 0) sshguard_log(LOG_ERR, "Cound not finalize > firewall."); > sshguard_log_fin(); > @@ -228,6 +242,7 @@ > closelog(); > regfree(&crackre); > + regfree(&whitere); > exit(0); > } > diff -ru sshguard-0.91-orig/sshguard.h sshguard-0.91/sshguard.h > --- sshguard-0.91-orig/sshguard.h 2007-02-10 09:00:47.000000000 -0600 > +++ sshguard-0.91/sshguard.h 2007-04-16 12:41:15.000000000 -0500 
> @@ -17,8 +17,10 @@ > * > */ > /* regex for log entries representing brute force trials */ > -#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User) .+from ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9] > ([0-9])?)(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3}) > ( not allowed)?" > +#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User|pam_unix\\(sshd:auth\\): authentication failure;).+ > (from |rhost=)((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\\.(25 > [0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3})( not allowed)?" > /* field number in SSHCRACK_REGEX containing the attacker IP > address */ > -#define REGEXIPENTRY 2 > +#define REGEXIPENTRY 3 > + > +#define SSHGUARD_WHITELIST "ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\ > \.BLOCK\\." > #endif
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
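Review bot: in the @@ -56,6 +57,13 @@ hunk of sshguard.c, a failed regcomp() of SSHGUARD_WHITELIST prints only the regerror() text and exits, exactly as the SSHCRACK_REGEX failure path just above it does, so the user cannot tell which of the two patterns refused to compile; prefix the message, e.g. `fprintf(stderr, "whitelist regex: %s\n", logline);`. Since the later regexec() call passes nmatch 0 and a NULL pmatch, REG_NOSUB can also be added to the regcomp() flags so no subexpression offsets are tracked for this pattern.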
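Review bot: the whitelist test in the @@ -107,13 +115,19 @@ hunk of sshguard.c is a substring search: regexec() with an unanchored pattern succeeds on any IP that merely contains a whitelist entry, so an entry written in the trailing-dot style of the shipped placeholder, such as `10\\.11\\.12\\.`, also exempts 110.11.12.5 and 210.11.12.9 from blocking. Either anchor the compiled pattern (compile `"^(" SSHGUARD_WHITELIST ")$"` and write entries as `10\\.11\\.12\\.[0-9]+`) or document that every entry must carry its own `^` and `$`. Testing the extracted IP rather than the whole log line, and doing it with `continue` before reportIP(), is the right placement.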
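Review bot: in the sshguard.h hunk, SSHGUARD_WHITELIST is a compiled-in placeholder (`ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\\.BLOCK\\.`) that every build compiles and runs against each extracted IP, and changing the list means rebuilding; at minimum add a comment above the define saying how an entry is written, and consider exposing the list as a runtime option instead. The REGEXIPENTRY change from 2 to 3 is correct, because the new `(from |rhost=)` group in SSHCRACK_REGEX now precedes the address group and POSIX ERE has no non-capturing groups, but add a comment next to REGEXIPENTRY stating that it must be updated whenever a group is inserted before the address. The address alternation still only matches dotted IPv4 addresses, so a pam_unix failure whose rhost= value is an IPv6 address does not match.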
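A concrete form of the boolean whitelist function the reply proposes, written here as an added example that is not part of this thread or of sshguard itself: entries are parsed as CIDR blocks ("10.11.12.0/24", the shape of the suggested -w option) or as single addresses and compared numerically against the candidate IP, so the decision is exact rather than a substring match (110.11.12.5 is not exempted by a 10.11.12.0/24 entry). The -w option, the function names (whitelist_add, ip_can_be_blocked) and the sample addresses are assumptions of this example; it handles IPv4 only, like the regex in the patch.

```c
/* Added example, not sshguard code: CIDR-based whitelist as a boolean
 * "may this IP be blocked?" function. Hypothetical names throughout. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WHITELIST_MAX 64

struct cidr {
    uint32_t net;   /* network address, host byte order */
    uint32_t mask;  /* netmask, host byte order */
};

static struct cidr whitelist[WHITELIST_MAX];
static int whitelist_len = 0;

/* Parse "a.b.c.d" or "a.b.c.d/n" into a cidr. Returns 0 on success, -1 on error. */
int cidr_parse(const char *spec, struct cidr *out) {
    char buf[32];
    char *slash;
    struct in_addr addr;
    long prefix = 32;

    if (strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        if (slash[1] == '\0') return -1;
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix < 0 || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;
    /* prefix 0 handled separately: shifting a 32-bit value by 32 is undefined */
    out->mask = (prefix == 0) ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
    out->net = ntohl(addr.s_addr) & out->mask;
    return 0;
}

/* Add one entry; this is what a hypothetical "-w" option handler would call. */
int whitelist_add(const char *spec) {
    if (whitelist_len >= WHITELIST_MAX) return -1;
    if (cidr_parse(spec, &whitelist[whitelist_len]) != 0) return -1;
    whitelist_len++;
    return 0;
}

void whitelist_clear(void) { whitelist_len = 0; }

/* The boolean function from the reply: 1 if ip may be blocked, 0 if it is
 * whitelisted. A string that is not a parsable IPv4 address is never blocked,
 * so a bad extraction cannot turn into a firewall rule. */
int ip_can_be_blocked(const char *ip) {
    struct in_addr addr;
    uint32_t host;
    int i;
    if (inet_pton(AF_INET, ip, &addr) != 1) return 0;
    host = ntohl(addr.s_addr);
    for (i = 0; i < whitelist_len; i++)
        if ((host & whitelist[i].mask) == whitelist[i].net) return 0;
    return 1;
}

int main(void) {
    /* constructed sample: one subnet entry and one single-host entry */
    const char *cands[] = {"10.11.12.5", "110.11.12.5", "192.0.2.7", "192.0.2.8"};
    size_t i;
    whitelist_add("10.11.12.0/24");
    whitelist_add("192.0.2.7");
    for (i = 0; i < sizeof(cands) / sizeof(cands[0]); i++)
        printf("%-12s -> %s\n", cands[i],
               ip_can_be_blocked(cands[i]) ? "block" : "whitelisted");
    return 0;
}
```

The numeric comparison is what makes the trailing-dot regex idiom unnecessary: a /24 entry covers exactly the 256 addresses of that block and nothing that merely happens to contain the same digits.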