Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 10 Nov 2015 12:25:13 +0100
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@des.no>
Cc:        freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: OpenSSH HPN
Message-ID:  <5641D419.5090103@digiware.nl>
In-Reply-To: <86611a9kj6.fsf@desk.des.no>
References:  <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
> Willem Jan Withagen <wjw@digiware.nl> writes:
>> Digging in my logfiles .... , and its things like:
>>   sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>
>> So errors/warnings without IP-nr.
>>
>> And I think I fixed it on one server to also write:
>> error: maximum authentication attempts exceeded for root from
>> 173.254.203.88 port 1042 ssh2 [preauth]
>
> fail2ban should catch both of these since sshd will print a message for
> each failed authentication attempt before it prints a message about
> reaching the limit.

It's already too long to remember the full facts, but when I was looking 
at the parser in sshguard, I think I noticed that certain accesses 
weren't logged and added some more logging rules to catch those.

What I still have lingering is this snippet:
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c     (revision 289060)
+++ crypto/openssh/packet.c     (working copy)
@@ -1128,8 +1128,10 @@
                         logit("Connection closed by %.200s", 
get_remote_ipaddr());
                         cleanup_exit(255);
                 }
-               if (len < 0)
+               if (len < 0) {
+                       logit("Read from socket failed: %.200s", 
get_remote_ipaddr());
                         fatal("Read from socket failed: %.100s", 
strerror(errno));
+               }
                 /* Append it to the buffer. */
                 packet_process_incoming(buf, len);
         }

But like I said: The code I found at openssh was so totally different 
that I did not continued this track, but chose to start running openssh 
from ports. Which does not generate warnings I have questions about the 
originating ip-nr.

>> Are they still willing to accept changes to the old version that is
>> currently in base?
>
> No, why would they do that?

Exactly my question....
I guess I misinterpreted your suggestion on upstreaming patches.

--WjW

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5641D419.5090103>