From: Kevin Z. <kev...@gm...> - 2023-04-01 16:07:05
Hi there,

On 4/1/23 2:15 AM, B. Atticus Grobe via sshguard-users wrote:
> The lexer/parser for OpenSMTPd in sshguard is rather broken. It doesn't
> seem to recognize anything at all from /var/log/maillog. I have verified
> this using `/usr/local/libexec/sshg-parser -a' as mentioned in the man
> pages.
>
> This is all on OpenBSD 7.2 with the up-to-date syspatches and packages,
> with sshguard being reported as v2.4.2, although I have confirmed that
> even with HEAD the issue remains.

This is because OpenSMTPD changed their logging format since we first
added them, and we haven't updated our attack signatures since. Part of
the reason why we've been slow to update the attack signature is that
the log output is now split across two lines. SSHGuard's parser
understands "one line, one attack."

OpenSMTPD developers have also expressed that we should be using the
smtpd-filters API:

https://man.openbsd.org/smtpd-filters.7

This is supposed to offer a stable output format. I haven't taken a look
yet, but may do so soon. If you're able to look at this as a head start
and write back with what it might take for SSHGuard to support this,
please do let me know.

Thanks for reporting and for the log examples.

Regards,
Kevin
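The "one line, one attack" limitation Kevin describes is easiest to see with a small stateful correlator. The script below is an added example, not SSHGuard's parser and not code from the OpenSMTPD project: it keeps a table of open sessions keyed by the session id that OpenSMTPD prints on every line, records the client address from the "connected" line, and emits one attack event each time a later "failed-command" line for that session reports a 535 authentication failure. The sample log lines are constructed and only approximate the current OpenSMTPD maillog layout (an assumption; they are not the reporter's log examples), and the regexes, function names and the failure threshold are illustrative choices. A failed-command line whose session was never seen is counted as unattributed rather than guessed at, since no address can be assigned to it.

```python
import re

# Constructed sample lines approximating OpenSMTPD's two-line pattern (assumed
# layout, not real log data): the client address is only on the "connected"
# line, the 535 result only on a later "failed-command" line, and the two are
# tied together solely by the 16-hex-digit session id after "smtpd[pid]:".
SAMPLE_LOG = """\
Apr  1 02:10:01 mx smtpd[1234]: 3f2a9c1d7b8e4f60 smtp connected address=203.0.113.7 host=203.0.113.7
Apr  1 02:10:02 mx smtpd[1234]: 3f2a9c1d7b8e4f60 smtp failed-command command="AUTH LOGIN (username)" result="535 Authentication failed"
Apr  1 02:10:03 mx smtpd[1234]: 9a1b2c3d4e5f6a70 smtp connected address=198.51.100.23 host=mail.example.net
Apr  1 02:10:04 mx smtpd[1234]: 9a1b2c3d4e5f6a70 smtp message msgid=abcdef12 from=<alice@example.net> to=<bob@example.org> size=512 ndest=1 proto=ESMTP
Apr  1 02:10:05 mx smtpd[1234]: 3f2a9c1d7b8e4f60 smtp failed-command command="AUTH LOGIN (username)" result="535 Authentication failed"
Apr  1 02:10:06 mx smtpd[1234]: 3f2a9c1d7b8e4f60 smtp disconnected reason=disconnect
Apr  1 02:10:07 mx smtpd[1234]: 9a1b2c3d4e5f6a70 smtp disconnected reason=quit
Apr  1 02:10:08 mx smtpd[1234]: deadbeefcafef00d smtp failed-command command="AUTH PLAIN" result="535 Authentication failed"
"""

# Illustrative patterns for the three line kinds the correlator cares about.
CONNECTED = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp connected address=(?P<addr>\S+)")
FAILED_AUTH = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp failed-command "
    r"command=\"AUTH[^\"]*\" result=\"535 ")
DISCONNECTED = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp disconnected")


def correlate_auth_failures(lines):
    """Join "connected" and "failed-command" lines by session id.

    Returns (attacks, unattributed): attacks is a list of
    (client_address, session_id) tuples, one per failed AUTH whose session
    has a known address; unattributed counts failures for sessions whose
    "connected" line was never seen (e.g. log rotated mid-session).
    """
    sessions = {}      # open session id -> client address
    attacks = []
    unattributed = 0
    for line in lines:
        m = CONNECTED.search(line)
        if m:
            sessions[m["sid"]] = m["addr"]
            continue
        m = FAILED_AUTH.search(line)
        if m:
            addr = sessions.get(m["sid"])
            if addr is None:
                unattributed += 1
            else:
                attacks.append((addr, m["sid"]))
            continue
        m = DISCONNECTED.search(line)
        if m:
            # Drop state on disconnect so the table cannot grow without bound.
            sessions.pop(m["sid"], None)
    return attacks, unattributed


def offenders(attacks, threshold=1):
    """Count failed AUTHs per client address; keep those at or above threshold."""
    counts = {}
    for addr, _sid in attacks:
        counts[addr] = counts.get(addr, 0) + 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found, skipped = correlate_auth_failures(SAMPLE_LOG.splitlines())
    for addr, n in offenders(found).items():
        print(f"{addr}: {n} failed AUTH attempt(s)")
    print(f"{skipped} failure(s) could not be attributed to an address")
```

The point for a parser like SSHGuard's is the `sessions` dictionary: because the address and the failure never share a line, the attack cannot be recognized from a single line without carrying state between lines, and that state needs a lifetime (cleared here on the "disconnected" line) so a long-running process does not leak memory on a busy mail server.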