From: Jim S. <jse...@Li...> - 2016-09-13 16:50:14

Hi,

I use postfix with the optional -o syslog_name=postfix/submission option in its main.cf configuration. This causes log lines to look like (partial):

    ... postfix/submission/smtpd[24257]: warning: unknown[185.110.132.134]: SASL LOGIN authentication failed: ...

rather than simply "...postfix/smtpd[24257]...". sshguard's parser fails to catch these.

This can be "fixed" by removing that option from postfix' config, but then you lose logging detail.

My lex/yacc fu is no longer very good, but I do know my way around REs. I believe this can be fixed in sshguard by changing each occurrence of the following, in src/parser/attack_scanner.l, from

    {PROCESSNAME}("/"{PROCESSNAME})?

to either

    {PROCESSNAME}("/"{PROCESSNAME})*

or, probably better,

    {PROCESSNAME}("/"{PROCESSNAME}){0,2}

This does cause it to catch the missed log entries. But, without thorough analysis of the remainder of the parsing code, I don't know, for sure, that it won't induce other regression errors.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
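The three pattern variants from the message above, checked against constructed log lines in Python. This is an added example, not code from the thread or from sshguard; the PROCESSNAME character class is an assumption, since the thread does not quote the macro's definition, and the sample lines are constructed with documentation addresses.

```python
import re

# Assumed approximation of sshguard's PROCESSNAME flex macro; the real
# definition lives in src/parser/attack_scanner.l and may differ.
PROCESSNAME = r"[A-Za-z0-9_.-]+"

# The three variants discussed in the thread, translated from flex syntax.
PATTERNS = {
    "old":   rf"{PROCESSNAME}(/{PROCESSNAME})?",        # at most one "/"
    "star":  rf"{PROCESSNAME}(/{PROCESSNAME})*",        # any number of "/"
    "bound": rf"{PROCESSNAME}(/{PROCESSNAME}){{0,2}}",  # at most two "/"
}

def build(variant):
    # The process field must be followed by "[pid]: ", so a partial match of
    # the name (e.g. "postfix/submission" stopping at the next "/") fails.
    return re.compile(rf"^(?P<proc>{PATTERNS[variant]})\[(?P<pid>\d+)\]: ")

# Constructed sample lines, with the syslog timestamp and host already
# stripped, as sshguard's scanner sees the message part.
SAMPLES = [
    "sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 5555 ssh2",
    "postfix/smtpd[24257]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: ...",
    "postfix/submission/smtpd[24257]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: ...",
    "a/b/c/d[7]: four-level name, accepted only by the '*' variant",
]

def matched_process(variant, line):
    """Return the process field the variant's pattern accepts, or None."""
    m = build(variant).match(line)
    return m.group("proc") if m else None

def compare(lines=SAMPLES):
    """Map each variant to the process field it extracts from every line."""
    return {v: [matched_process(v, line) for line in lines] for v in PATTERNS}

if __name__ == "__main__":
    for variant, results in compare().items():
        print(variant, results)
```

The "old" column shows the two-level postfix/submission/smtpd name slipping past the scanner, and the last sample shows the one behavioural difference between the `*` and `{0,2}` forms.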
From: Kevin Z. <kev...@gm...> - 2016-09-14 15:33:02

Hi Jim,

On 09/13/2016 09:50, Jim Seymour wrote:
> My lex/yacc fu is no longer very good, but I do know my way around
> REs. I believe this can be fixed in sshguard by changing each
> occurrence of the following, in src/parser/attack_scanner.l, from
>
> {PROCESSNAME}("/"{PROCESSNAME})?
>
> to either
>
> {PROCESSNAME}("/"{PROCESSNAME})*
>
> or, probably better,
>
> {PROCESSNAME}("/"{PROCESSNAME}){0,2}

I believe your suggested fix is correct. I'll fix it soon-ish hopefully and make sure everything else is still working.

Best,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Jim S. <jse...@Li...> - 2016-09-14 21:28:41

On Wed, 14 Sep 2016 08:32:56 -0700 Kevin Zheng <kev...@gm...> wrote:
> Hi Jim,
>
> On 09/13/2016 09:50, Jim Seymour wrote:
> > My lex/yacc fu is no longer very good, but I do know my way around
> > REs. I believe this can be fixed in sshguard by changing each
> > occurrence of the following, in src/parser/attack_scanner.l, from
> >
> > {PROCESSNAME}("/"{PROCESSNAME})?
> >
> > to either
> >
> > {PROCESSNAME}("/"{PROCESSNAME})*
> >
> > or, probably better,
> >
> > {PROCESSNAME}("/"{PROCESSNAME}){0,2}
>
> I believe your suggested fix is correct. I'll fix it soon-ish
> hopefully and make sure everything else is still working.

Great! Thanks.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
From: Kevin Z. <kev...@gm...> - 2016-09-19 17:26:01

On 09/13/2016 09:50, Jim Seymour wrote:
> My lex/yacc fu is no longer very good, but I do know my way around
> REs. I believe this can be fixed in sshguard by changing each
> occurrence of the following, in src/parser/attack_scanner.l, from
>
> {PROCESSNAME}("/"{PROCESSNAME})?
>
> to either
>
> {PROCESSNAME}("/"{PROCESSNAME})*
>
> or, probably better,
>
> {PROCESSNAME}("/"{PROCESSNAME}){0,2}

Committed in 98ddee7, thanks!
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Jim S. <jse...@Li...> - 2016-09-19 17:27:48

On Mon, 19 Sep 2016 10:26:03 -0700 Kevin Zheng <kev...@gm...> wrote:
> On 09/13/2016 09:50, Jim Seymour wrote:
> > My lex/yacc fu is no longer very good, but I do know my way around
> > REs. I believe this can be fixed in sshguard by changing each
> > occurrence of the following, in src/parser/attack_scanner.l, from
> >
> > {PROCESSNAME}("/"{PROCESSNAME})?
> >
> > to either
> >
> > {PROCESSNAME}("/"{PROCESSNAME})*
> >
> > or, probably better,
> >
> > {PROCESSNAME}("/"{PROCESSNAME}){0,2}
>
> Committed in 98ddee7, thanks!
>

You're welcome, and thank *you* for the utility :)

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.