Date: Wed, 19 Dec 2012 11:42:55 GMT
From: François Charlier <fcharlier@ploup.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/174571: security/sshguard 1.5 does not detect ssh invalid users logins
Message-ID: <201212191142.qBJBgtgA037805@red.freebsd.org>
Resent-Message-ID: <201212191150.qBJBo0EV084720@freefall.freebsd.org>
>Number: 174571
>Category: ports
>Synopsis: security/sshguard 1.5 does not detect ssh invalid users logins
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 19 11:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: François Charlier
>Release: 9.0
>Organization:
>Environment:
FreeBSD stardust.ploup.net 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
sshguard >1.5 does not parse ssh invalid user logins like:

    Dec 18 06:23:27 redacted sshd[6294]: Invalid user aaron from 1.1.1.1

because it matches the lowercase “invalid” word only.

The bug has been reported on sshguard-users mailing-list in June 2012 [1] and I submitted a patch [2] today.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=20120625040417.GD4130%40nntp.AegisInfoSys.com&forum_name=sshguard-users
[2] https://sourceforge.net/tracker/?func=detail&aid=3597444&group_id=188282&atid=924687
>How-To-Repeat:
>Fix:
See attached patch

Patch attached with submission follows:

diff -Naur sshguard.orig/Makefile sshguard/Makefile --- sshguard.orig/Makefile 2012-12-19 11:09:43.026352081 +0000 +++ sshguard/Makefile 2012-12-19 11:10:19.859353918 +0000 @@ -7,7 +7,7 @@ PORTNAME= sshguard PORTVERSION= 1.5 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/sshguard-${PORTVERSION} diff -Naur sshguard.orig/files/patch-src-parser-attack_scanner.l sshguard/files/patch-src-parser-attack_scanner.l --- sshguard.orig/files/patch-src-parser-attack_scanner.l 1970-01-01 00:00:00.000000000 +0000 +++ sshguard/files/patch-src-parser-attack_scanner.l 2012-12-19 11:02:17.619357458 +0000
@@ -0,0 +1,11 @@ +--- src/parser/attack_scanner.l.orig 2012-12-19 10:58:02.992356246 +0000 ++++ src/parser/attack_scanner.l 2012-12-19 10:58:22.407356894 +0000 +@@ -127,7 +127,7 @@ + + + /* SSH: invalid or rejected user (cross platform [generated by openssh]) */ +-"Invalid user ".+" from " { return SSH_INVALUSERPREF; } ++[Ii]"nvalid user ".+" from " { return SSH_INVALUSERPREF; } + /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */ + /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */ + "User ".+" from " { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
>Release-Note:
>Audit-Trail:
>Unformatted:
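
Review bot: In the attack_scanner.l hunk, the removed rule "Invalid user ".+" from " already starts with a capital I, which is the spelling used in the sample log line in the description ("Invalid user aaron from 1.1.1.1"), so as shown the replacement [Ii]"nvalid user ".+" from " only adds the lowercase spelling and would not change how that sample line is scanned. This disagrees with the description, which says only lowercase "invalid" is matched. Please confirm that src/parser/attack_scanner.l.orig was taken from the unmodified 1.5 sources and that the removed line and its context at -127,7 match them; if the shipped rule differs from the "-" line, the hunk will not apply cleanly when the port is built, and the description or the patch should be corrected so the two agree.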