From: David H. <dho...@gm...> - 2008-09-18 23:56:42
A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:

1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.
The ip6fw(8) packet filter has been removed in FreeBSD 7. Since
ipfw(4) has gained IPv6 support, it should be used instead. Please
note that some rules might need to be adjusted. (as per 7.0 Release
notes)

Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the
appropriate lines to ipfw instead of ip6fw #ifdef'd as appropriate
for >= FreeBSD 7) Is this something that should/will be fixed in the
base source, or should we just fix in the FreeBSD ports system ?

2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and
ports version of sshd 5.0p1 has same results), the syslog entries
apparently confuse sshguard when a valid username (e.g. root), but
invalid password is used.

Example Syslog entries:

Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication error for root from 192.168.0.109
Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication error for root from 192.168.0.109

This does NOT flag sshguard at all right now. I am just assuming that
it is the authentication error string portion that is probably causing
the issue (not matching in attack_parser/attack_scanner)

I hacked up a version that supports this new error string (and it
works fine), but I may not have done it in the most efficient way. In
any case, I have already reported the authentication error strings to
the web site: http://sshguard.sourceforge.net/newattackpatt.php

Anyone else seeing these issues ?

Apologies if this has been covered in the mailing list before, but I
could not find the archives for this listserv.

--Thanks!

--_Dave Horn
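An added example, not part of the original message and not sshguard's own parser: a small C matcher for the PAM failure lines quoted above. It goes beyond the IPv4 case by also accepting the IPv6 form reported later in this thread, and it credits syslogd's "last message repeated N times" lines to the preceding failure; the function names and that crediting policy are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define PAM_MARK "error: PAM: authentication error for "
/* Copy the source address of an sshd PAM failure line into addr and return
 * AF_INET or AF_INET6; return 0 when the line is not a well-formed match. */
int pam_failure_addr(const char *line, char *addr, size_t addrlen)
{
    unsigned char bin[sizeof(struct in6_addr)];
    const char *p = strstr(line, "sshd["), *q, *from = NULL;
    size_t n;
    if (p == NULL || (p = strstr(p, PAM_MARK)) == NULL)
        return 0;
    /* Take the last " from " so text in the user field cannot pose as it. */
    for (q = p; (q = strstr(q, " from ")) != NULL; q += 5)
        from = q + 6;
    n = from ? strcspn(from, " \r\n") : 0;
    if (n == 0 || n >= addrlen || from[n + strspn(from + n, "\r\n")] != '\0')
        return 0;               /* no address, too long, or trailing text */
    memcpy(addr, from, n);
    addr[n] = '\0';
    if (inet_pton(AF_INET, addr, bin) == 1) return AF_INET;
    return inet_pton(AF_INET6, addr, bin) == 1 ? AF_INET6 : 0;
}

/* Count failures; "repeated N times" lines credit N to the prior matched line. */
int count_failures(const char *const *lines, size_t nlines)
{
    char addr[INET6_ADDRSTRLEN];
    int total = 0, prev = 0, rep;
    for (size_t i = 0; i < nlines; i++) {
        const char *r = strstr(lines[i], "last message repeated ");
        if (r && !strstr(lines[i], "sshd[") && sscanf(r + 22, "%d", &rep) == 1)
            total += (prev && rep > 0) ? rep : 0;
        else
            total += (prev = pam_failure_addr(lines[i], addr, sizeof addr) != 0);
    }
    return total;
}

/* Sample lines copied from this thread (IPv4 batch, then the IPv6 report). */
const char *const SAMPLE[] = {
    "Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication error for root from 192.168.0.109",
    "Sep 19 01:28:35 dhorn-bsd last message repeated 2 times",
    "Sep 19 17:47:05 dhorn-bsd sshd[72678]: error: PAM: authentication error for root from 2001:4830:1698:0:21d:6eff:fed5:8cfa",
};

int main(void) { printf("%d failures\n", count_failures(SAMPLE, 3)); return 0; }
```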
From: Hans F. N. <Han...@hi...> - 2008-09-19 00:04:24
Have you read
https://sourceforge.net/project/shownotes.php?release_id=627038

Hans - who normally doesn't top-post.

* David Horn <dho...@gm...> [2008-09-19]:
> A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:
>
> 1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.
> The ip6fw(8) packet filter has been removed in FreeBSD 7. Since
> ipfw(4) has gained IPv6 support, it should be used instead. Please
> note that some rules might need to be adjusted. (as per 7.0 Release
> notes)
>
> Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the
> appropriate lines to ipfw instead of ip6fw #ifdef'd as appropriate for
> >= FreeBSD 7) Is this something that should/will be fixed in the base
> source, or should we just fix in the FreeBSD ports system ?
>
> 2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and
> ports version of sshd 5.0p1 has same results), the syslog entries
> apparently confuse sshguard when a valid username (e.g. root), but
> invalid password is used.
>
> Example Syslog entries:
>
> Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication
> error for root from 192.168.0.109
>
>
> This does NOT flag sshguard at all right now. I am just assuming that
> it is the authentication error string portion that is probably causing
> the issue (not matching in attack_parser/attack_scanner)
>
> I hacked up a version that supports this new error string (and it
> works fine), but I may not have done it in the most efficient way. In
> any case, I have already reported the authentication error strings to
> the web site: http://sshguard.sourceforge.net/newattackpatt.php
>
> Anyone else seeing these issues ?
>
> Apologies if this has been covered in the mailing list before, but I
> could not find the archives for this listserv.
>
> --Thanks!
>
> --_Dave Horn
From: David H. <dho...@gm...> - 2008-09-23 16:11:54
Attachments:
patch
This is a little stale, but it just bounced (probably due to the
sourceforge changes to move mailing lists around). If it bounces again, I
will open a ticket with sf.

On Fri, Sep 19, 2008 at 2:56 AM, David Horn <dho...@gm...> wrote:
> A few minor bugs with sshguard 1.1 on FreeBSD-7-RELEASE:
>
> 1) When used with IPv6, the program "/sbin/ip6fw" no longer exists.
> The ip6fw(8) packet filter has been removed in FreeBSD 7. Since
> ipfw(4) has gained IPv6 support, it should be used instead. Please
> note that some rules might need to be adjusted. (as per 7.0 Release
> notes)
>
> Of course the fix is fairly simple (in src/fwalls/ipfw.c, update the
> appropriate lines to ipfw instead of ip6fw #ifdef'd as appropriate for
> >= FreeBSD 7) Is this something that should/will be fixed in the base
> source, or should we just fix in the FreeBSD ports system ?
>

Unfortunately, it looks like this issue (in ipfw.c) still exists in
sshguard 1.2, and in SVN source.

I have attached my proposed patch to ipfw.c and configure.ac (tested on
1.1 and 1.2)

I also fixed an issue of exceeding the command length for ipfw (60 total
bytes is not enough with IPv6, so I upped it to 90 since the IPv6 addr
alone can be 39 bytes as a string)

    patch <patch
    autoconf
    ./configure -with-firewall=ipfw
    make

configure will autodetect if ip6fw exists, and if it does not, will use
ipfw for IPv6 instead.

> 2) When used with FreeBSD 7 OpenSSH (using both sshd base 4.5p1, and
> ports version of sshd 5.0p1 has same results), the syslog entries
> apparently confuse sshguard when a valid username (e.g. root), but
> invalid password is used.
>

I looked at the source for sshguard 1.2, and it looks like the fix for
this new sshd PAM string is there. Thanks Hans for the pointer to
https://sourceforge.net/project/shownotes.php?release_id=627038

There is still however a bug related to using the new PAM string in 1.2,
and IPv6 addresses (in other words, it works for IPv4, but not for IPv6.)
I tried to find the problem, but so far no luck tracking it down.

The string in question is as follows:

Sep 19 17:47:05 dhorn-bsd sshd[72678]: error: PAM: authentication error for root from 2001:4830:1698:0:21d:6eff:fed5:8cfa

> Example Syslog entries:
>
> Sep 19 01:28:35 dhorn-bsd sshd[32346]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:35 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:36 dhorn-bsd sshd[32351]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:37 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:38 dhorn-bsd sshd[32356]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:38 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:39 dhorn-bsd sshd[32361]: error: PAM: authentication
> error for root from 192.168.0.109
> Sep 19 01:28:40 dhorn-bsd last message repeated 2 times
> Sep 19 01:28:41 dhorn-bsd sshd[32366]: error: PAM: authentication
> error for root from 192.168.0.109
>
>
> This does NOT flag sshguard at all right now. I am just assuming that
> it is the authentication error string portion that is probably causing
> the issue (not matching in attack_parser/attack_scanner)
>
> I hacked up a version that supports this new error string (and it
> works fine), but I may not have done it in the most efficient way. In
> any case, I have already reported the authentication error strings to
> the web site: http://sshguard.sourceforge.net/newattackpatt.php
>
> Anyone else seeing these issues ?
>
> Apologies if this has been covered in the mailing list before, but I
> could not find the archives for this listserv.
>
> --Thanks!
>
> --_Dave Horn
>
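An added example, not code from this message, its attached patch or sshguard: it shows why the 60-byte command buffer mentioned above matters for IPv6 and how checking the snprintf result catches the overflow case. The argument template, rule numbers and function names are constructed for illustration only.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define OLD_ARGSLEN 60  /* size the message reports as too small */
#define NEW_ARGSLEN 90  /* size the message raised it to */
/* Hypothetical ipfw argument template, constructed for this example. */
#define ARGS_FMT "add %u deny ip from %s to me"

/* Format the arguments for addr; return 0 on success or -1 when they do not
 * fit. On -1 the buffer holds a cut-off string and must not be used. */
int build_block_args(char *buf, size_t buflen, unsigned rule, const char *addr)
{
    int n = snprintf(buf, buflen, ARGS_FMT, rule, addr);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Bytes needed (with NUL) for a 5-digit rule and a 39-character address. */
size_t worst_case_len(void)
{
    return (size_t)snprintf(NULL, 0, ARGS_FMT, 65535u,
                            "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff") + 1;
}

/* Unchecked variant: return 1 if the address text left in a 60-byte buffer
 * still parses as IPv6 but is no longer the address that was requested. */
int truncated_rule_retargets(const char *addr)
{
    char buf[OLD_ARGSLEN], *tok;
    struct in6_addr want, got;

    snprintf(buf, sizeof buf, ARGS_FMT, 55000u, addr);  /* result ignored */
    tok = strstr(buf, "from ") + 5;
    tok[strcspn(tok, " ")] = '\0';
    return inet_pton(AF_INET6, addr, &want) == 1 &&
           inet_pton(AF_INET6, tok, &got) == 1 &&
           memcmp(&want, &got, sizeof want) != 0;
}

int main(void)
{
    char args[NEW_ARGSLEN];
    const char *a = "2001:4830:1698:0:21d:6eff:fed5:8cfa";  /* from the thread */

    printf("60: %d  90: %d  worst case: %zu bytes\n",
           build_block_args(args, OLD_ARGSLEN, 55000u, a),
           build_block_args(args, NEW_ARGSLEN, 55000u, a), worst_case_len());
    return 0;
}
```

INET6_ADDRSTRLEN (46) from <netinet/in.h> is the libc bound for any textual IPv6 address, including IPv4-mapped forms, and is the safer constant to size such a buffer from.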