Date:      Mon, 11 Jun 2001 17:00:29 -0500 (EDT)
From:      aeonflux99@hushmail.com
To:        audit@freebsd.org
Subject:   resubmitting fix
Message-ID:  <200106112104.OAA16071@user7.hushmail.com>

I first submitted this patch to this mailing list in the month of January;
unfortunately it was largely ignored.  As it stands, ssh failures are not
audited; they're not even logged in the default configuration.

Obviously we need to make some changes so that repeated failures get logged.
Likewise, people connecting to our sshd port to look for a banner version
should also be logged.  As it stands, the only way to really do this properly
is to use tcpwrappers or packet filtering.  However, I believe there needs
to be some logging higher up in the ladder too.

I'm resubmitting this patch.  In order to get it to work properly, you're
going to need to modify syslog.conf:

security.*;auth.info				/var/log/security

adding auth.info (the facility ssh uses) to the security log.  Likewise,
the patch is extremely simple.
--- /etc/security	Mon Jun 11 15:45:02 2001
+++ /etc/security	Mon Jun 11 15:48:29 2001
@@ -44,6 +44,7 @@
 	    sort -t. -r -n +1 -2 |
 	    xargs zcat -f
 	[ -f $LOG/messages ] && cat $LOG/messages
+	[ -f $LOG/security ] && cat $LOG/security
 }
 
 sflag=FALSE ignore=
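Review bot: the added `[ -f $LOG/security ] && cat $LOG/security` only reads the live file, whereas the lines just above it feed the rotated messages archives through `sort ... | xargs zcat -f`; once /var/log/security is rotated, the previous day's entries live in the rotated copy and every `grep "^$yesterday..."` below will miss them, so gather the rotated security files the same way the messages archives are gathered. Also worth noting in the commit message: if syslog.conf still delivers the same auth lines to /var/log/messages as well, catmsgs now emits them twice and the counts derived from it double.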
@@ -188,6 +189,12 @@
 separator
 echo "${host} login failures:"
 n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
+[ $n -gt 0 -a $rc -lt 1 ] && rc=1
+
+# Show "${host} SSH login failures:"
+separator
+echo "${host} login failures:"
+n=$(catmsgs | grep -i "^$yesterday.*failed password" | tee /dev/stderr | wc -l)
 [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 
 # Show tcp_wrapper warning messages
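Review bot: the heading in the new block, `echo "${host} login failures:"`, is identical to the heading of the preceding block even though the comment above it says "SSH login failures:"; change it to `echo "${host} SSH login failures:"` so the two counts in the daily mail can be told apart. The pattern `failed password` also only catches password authentication; sshd reports other methods as `Failed publickey for ...` and similar, and it does not cover the banner-version connections the message says should be logged, so either widen the pattern to `failed .* for` with an `sshd` anchor or add a separate grep for those. With a third copy of the `n=$(catmsgs | grep ... | tee /dev/stderr | wc -l)` / `[ $n -gt 0 -a $rc -lt 1 ] && rc=1` pair, a small helper taking the heading and the pattern would be cleaner than more copy-paste.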

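The check the message describes (pull yesterday's sshd failures out of /var/log/security and flag the day when there are any), carried a step further as an added example. This is not code from the message or from FreeBSD's /etc/security: it matches every sshd "Failed <method>" line rather than only "failed password", breaks the failures down by source address so one host hammering the port stands out, and separately lists connections that sent no client identification string, which is how a banner-version probe shows up in sshd's log. The log lines, host name and addresses are constructed, and the day is passed in as "Mon dd", the form /etc/security computes into $yesterday.

```sh
#!/bin/sh
# Added example, not part of the original message or of FreeBSD's /etc/security.
# Reads syslog lines on stdin (what /var/log/security holds once syslog.conf
# routes auth.info there) and reports sshd failures for one day in the style
# of an /etc/security section.  Host name and addresses are made up.

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='Jun 10 03:12:07 gw sshd[4711]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun 10 03:12:11 gw sshd[4711]: Failed password for root from 192.0.2.10 port 40123 ssh2
Jun 10 03:12:15 gw sshd[4712]: Failed password for illegal user admin from 192.0.2.10 port 40124 ssh2
Jun 10 09:30:00 gw sshd[4800]: Accepted password for alice from 198.51.100.7 port 52000 ssh2
Jun 10 22:41:03 gw sshd[5120]: Failed publickey for bob from 203.0.113.5 port 33000 ssh2
Jun 10 22:41:40 gw sshd[5121]: Did not receive identification string from 203.0.113.5
Jun 11 00:00:05 gw sshd[5300]: Failed password for root from 203.0.113.9 port 44000 ssh2'

# ssh_failures DAY: sshd authentication failures for DAY ("Mon dd", as in
# $yesterday) for every method, not only passwords.  sshd logs them as
# "Failed <method> for <user> from <addr> ...".
ssh_failures() {
    grep -i "^$1 .*sshd\[[0-9]*\]: failed [a-z-]* for " || true   # no match is not an error
}

# count_ssh_failures DAY: number of such lines, as a bare number.
count_ssh_failures() {
    ssh_failures "$1" | wc -l | tr -d ' '
}

# ssh_failure_sources DAY: "count address" per source, busiest first.
ssh_failure_sources() {
    ssh_failures "$1" |
        sed -n 's/.* from \([^ ]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# banner_probes DAY: connections that opened the port and went away without
# sending a client identification string, which is what a version scan
# looks like from sshd's side.
banner_probes() {
    grep -i "^$1 .*sshd\[[0-9]*\]: did not receive identification string" || true
}

count_banner_probes() {
    banner_probes "$1" | wc -l | tr -d ' '
}

# daily_report DAY: print both sections and return 1 when anything was found,
# the rc=1 convention /etc/security uses to mark a day worth reading.
daily_report() {
    day=$1
    log=$(cat)
    rc=0

    echo "sshd login failures (all methods) on $day:"
    printf '%s\n' "$log" | ssh_failures "$day"
    n=$(printf '%s\n' "$log" | count_ssh_failures "$day")
    if [ "$n" -gt 0 ]; then
        rc=1
        echo "by source address:"
        printf '%s\n' "$log" | ssh_failure_sources "$day"
    fi

    echo
    echo "sshd connections without identification string on $day:"
    printf '%s\n' "$log" | banner_probes "$day"
    n=$(printf '%s\n' "$log" | count_banner_probes "$day")
    if [ "$n" -gt 0 ]; then
        rc=1
    fi

    return $rc
}

# Run over the constructed sample for the day the mail is about.
printf '%s\n' "$SAMPLE_LOG" | daily_report "Jun 10"
```

In a real /etc/security the stdin would be `catmsgs` and the day `$yesterday`; the functions stay the same. The `[a-z-]*` method match is what lets the same grep see password, publickey and keyboard-interactive failures, and keeping the "did not receive identification string" lines in their own section stops scanner noise from inflating the login-failure count.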
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106112104.OAA16071>