Menu
▾
▴
Re: [Sshguard-users] Adding whitelist regex
|
From: Mij <mi...@bi...> - 2007-04-16 19:08:06
|
On 16/apr/07, at 19:51, Philip Kizer wrote: > Through a series of links, I made my way to sshguard which looks > functional enough for my systems that do not have pf(4) and its built- > in limits available. One of them was: > > http://hawking.nonlogic.org/#e2007-03-12T03_45_55.txt > > that also contains a modification to the SSHCRACK_REGEX pattern. thank you for reporting this. Covering *all* the possible attack patterns (they vary on different OSes) is tough and I've thus provided http://sshguard.sourceforge.net/newattackpatt.php for gathering and tracking them. I'm quite impressed I got more mails with patches extending SSHCRACK_REGEX than example submissions to this page. In any case, in version sshguard 1.0 (soon to be released) SSHCRACK_REGEX does no longer exist (replaced by a grammar-based context-free parser). The grammar of this parser will take into account the user-submitted extensions I got for the regex. > > Playing with the program I also want to make sure certain hosts are > never blocked for a variety of reasons. Ideally I would prefer to > match on a set of CIDR blocks/etc like I can innately with pf(4), but > since some of my systems cannot do that I added another regex. the whitelist thing is a very good idea for a new feature. Anyway,a boolean function that takes the candidate IP and tells if it can be blocked appears more elegant and flexible than a further parser. White patterns could be added on the command line, e.g. with "-w 10.11.12.0/24". > Here is a patch that includes the one from the hawking page as well > as a trivial white-list addition: > > diff -ru sshguard-0.91-orig/sshguard.c sshguard-0.91/sshguard.c > --- sshguard-0.91-orig/sshguard.c 2007-02-10 09:40:17.000000000 -0600 > +++ sshguard-0.91/sshguard.c 2007-04-16 12:41:00.000000000 -0500 > @@ -41,6 +41,7 @@ > void sighand(int sig); > regex_t crackre; > +regex_t whitere; > int main(int argc, char *argv[]) { > char ip[IP_LEN], logline[MAX_LOGLINE_LEN]; > @@ -56,6 +57,13 @@ > exit(1); > } > + retv = regcomp(&whitere, SSHGUARD_WHITELIST, REG_EXTENDED); > + if (retv != 0) { > + regerror(retv, &whitere, logline, MAX_LOGLINE_LEN); > + fprintf(stderr, "%s\n", logline); > + exit(1); > + } > + > list_init(&limbo); > list_init(&hell); > @@ -107,13 +115,19 @@ > /* extract the IP address */ > extractIP(logline, ip, pmatch[REGEXIPENTRY].rm_so, pmatch > [REGEXIPENTRY].rm_eo); > sshguard_log(LOG_DEBUG, "Matched IP address %s\n", ip); > - > + > + if ( regexec(&whitere, ip, 0, NULL, 0) == 0 ) { > + sshguard_log(LOG_DEBUG, "Ignoring IP address, matched > whitelist: %s\n", ip); > + continue; > + } > + > /* report IP */ > reportIP(ip); > } > /* cleanup */ > regfree(&crackre); > + regfree(&whitere); > if (fw_fin() != 0) sshguard_log(LOG_ERR, "Cound not finalize > firewall."); > sshguard_log_fin(); > @@ -228,6 +242,7 @@ > closelog(); > regfree(&crackre); > + regfree(&whitere); > exit(0); > } > diff -ru sshguard-0.91-orig/sshguard.h sshguard-0.91/sshguard.h > --- sshguard-0.91-orig/sshguard.h 2007-02-10 09:00:47.000000000 -0600 > +++ sshguard-0.91/sshguard.h 2007-04-16 12:41:15.000000000 -0500 > @@ -17,8 +17,10 @@ > * > */ > /* regex for log entries representing brute force trials */ > -#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User) .+from ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9] > ([0-9])?)(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3}) > ( not allowed)?" > +#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User|pam_unix\\(sshd:auth\\): authentication failure;).+ > (from |rhost=)((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\\.(25 > [0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3})( not allowed)?" > /* field number in SSHCRACK_REGEX containing the attacker IP > address */ > -#define REGEXIPENTRY 2 > +#define REGEXIPENTRY 3 > + > +#define SSHGUARD_WHITELIST "ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\ > \.BLOCK\\." > #endif > > > ---------------------------------------------------------------------- > --- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
