From owner-freebsd-audit Mon Jun 11 14: 5:52 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.32]) by hub.freebsd.org (Postfix) with ESMTP id 40AFB37B401 for ; Mon, 11 Jun 2001 14:05:41 -0700 (PDT) (envelope-from aeonflux99@hushmail.com)
Received: from user7.hushmail.com (user7.hushmail.com [64.40.111.47]) by smtp4.hushmail.com (Postfix) with ESMTP id F37332FDB for ; Mon, 11 Jun 2001 14:04:48 -0700 (PDT)
Received: (from root@localhost) by user7.hushmail.com (8.9.3/8.9.3) id OAA16071; Mon, 11 Jun 2001 14:04:48 -0700
From: aeonflux99@hushmail.com
Message-Id: <200106112104.OAA16071@user7.hushmail.com>
Date: Mon, 11 Jun 2001 17:00:29 -0500 (EDT)
To: audit@freebsd.org
Subject: resubmitting fix
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I first submitted this patch to this mailing list in the month of January; unfortunately, it was largely ignored. As it stands, ssh failures are not audited; they're not even logged in the default configuration. Obviously we need to make some changes so that repeated failures get logged. Likewise, people connecting to our sshd port to look for a banner version should also be logged. As it stands, the only way to really do this properly is to use tcpwrappers or packet filtering. However, I believe there needs to be some logging higher up in the ladder too.

I'm resubmitting this patch. In order to get it to work properly, you're going to need to modify syslog.conf:

security.*;auth.info /var/log/security

adding auth.info (the facility ssh uses) to the security log. Likewise, the patch is extremely simple.

- --- /etc/security Mon Jun 11 15:45:02 2001 +++ /etc/security Mon Jun 11 15:48:29 2001 @@ -44,6 +44,7 @@ sort -t. -r -n +1 -2 | xargs zcat -f [ -f $LOG/messages ] && cat $LOG/messages + [ -f $LOG/security ] && cat $LOG/security } sflag=FALSE ignore=
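Review bot: the rotated-log handling in this hunk's context (`sort -t. -r -n +1 -2 | xargs zcat -f`) only feeds rotated copies of messages into catmsgs, while the added `[ -f $LOG/security ] && cat $LOG/security` reads just the live security file; if /var/log/security is rotated before the daily run, yesterday's entries sit in a rotated copy and are skipped, so gather security.* the same way messages.* is. Also, with the syslog.conf line the mail asks for, any message that syslogd routes to both /var/log/messages and /var/log/security is now read twice by catmsgs and will be counted twice in every section that greps its output.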
@@ -188,6 +189,12 @@ separator echo "${host} login failures:" n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l) +[ $n -gt 0 -a $rc -lt 1 ] && rc=1 + +# Show "${host} SSH login failures:" +separator +echo "${host} login failures:" +n=$(catmsgs | grep -i "^$yesterday.*failed password" | tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 # Show tcp_wrapper warning messages
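Review bot: the heading printed by the new section does not match its comment: `+# Show "${host} SSH login failures:"` is followed by `+echo "${host} login failures:"`, which is the same heading the preceding section already printed, so the two counts cannot be told apart in the report; it should read `echo "${host} SSH login failures:"`. Note also that the mail asks for banner-grabbing connections to be logged as well, but `grep -i "^$yesterday.*failed password"` only counts password failures, so that case is not covered by this hunk and should be called out in the comment or handled separately.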
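As an added example (not the mail's patch and not FreeBSD's /etc/security script), the two report sections the patch produces, the existing "login failure" check and the new "failed password" one, run as a stand-alone sh script over a constructed sample log; the "Mon dd" form of the $yesterday prefix and the catmsgs stand-in are assumptions.

```shell
#!/bin/sh
# Added example: the two grep sections from the patched /etc/security,
# run over constructed sample syslog lines instead of the real logs.

# Constructed sample log. The date prefix is assumed to be in the form the
# daily script's $yesterday variable holds (month and day, e.g. "Jun 10").
SAMPLE_LOG='Jun 10 03:12:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 4122 ssh2
Jun 10 03:12:04 host sshd[1234]: Failed password for illegal user test from 192.0.2.10 port 4123 ssh2
Jun 10 03:15:30 host sshd[1240]: Accepted password for alice from 192.0.2.20 port 5000 ssh2
Jun 10 04:00:00 host login: 1 LOGIN FAILURE ON ttyv0
Jun 11 01:02:03 host sshd[1300]: Failed password for root from 192.0.2.11 port 4200 ssh2'

# Stand-in for the script's catmsgs function (assumption): emits the sample.
catmsgs() {
    printf '%s\n' "$SAMPLE_LOG"
}

# Same pipeline as the patch: anchor on the day, match case-insensitively,
# copy the matching lines to stderr (tee) and count them. tr strips the
# leading blanks that BSD wc prints so the result is a bare number.
count_failures() {   # $1 = date prefix, $2 = pattern
    catmsgs | grep -i "^$1.*$2" | tee /dev/stderr | wc -l | tr -d ' '
}

# The two report sections; the return value mirrors the script's rc
# (1 when there is something to report, 0 otherwise).
security_report() {   # $1 = date prefix
    rc=0
    echo "login failures:"
    n=$(count_failures "$1" "login failure")
    [ "$n" -gt 0 ] && rc=1
    echo "SSH login failures:"
    n=$(count_failures "$1" "failed password")
    [ "$n" -gt 0 ] && rc=1
    return $rc
}

if security_report "Jun 10"; then echo "rc=0"; else echo "rc=1"; fi
```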