Date: Tue, 10 Nov 2015 11:12:35 -0500
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-current@freebsd.org
Subject: Re: OpenSSH HPN
Message-ID: <56421773.6030101@freebsd.org>
In-Reply-To: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no> <5641D419.5090103@digiware.nl> <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>

On 2015-11-10 11:02, Mark Felder wrote:
>
>
> On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
>> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
>>> Willem Jan Withagen <wjw@digiware.nl> writes:
>>>> Digging in my logfiles .... , and it's things like:
>>>> sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>>>
>>>> So errors/warnings without IP-nr.
>>>>
>>>> And I think I fixed it on one server to also write:
>>>> error: maximum authentication attempts exceeded for root from
>>>> 173.254.203.88 port 1042 ssh2 [preauth]
>>>
>>> fail2ban should catch both of these since sshd will print a message for
>>> each failed authentication attempt before it prints a message about
>>> reaching the limit.
>>
>> It's already too long to remember the full facts, but when I was looking
>> at the parser in sshguard, I think I noticed that certain accesses
>> weren't logged and added some more logging rules to catch those.
>>
>> What I still have lingering is this snippet:
>> Index: crypto/openssh/packet.c
>> ===================================================================
>> --- crypto/openssh/packet.c (revision 289060)
>> +++ crypto/openssh/packet.c (working copy)
>> @@ -1128,8 +1128,10 @@
>> logit("Connection closed by %.200s",
>> get_remote_ipaddr());
>> cleanup_exit(255);
>> }
>> - if (len < 0)
>> + if (len < 0) {
>> + logit("Read from socket failed: %.200s",
>> get_remote_ipaddr());
>> fatal("Read from socket failed: %.100s",
>> strerror(errno));
>> + }
>> /* Append it to the buffer. */
>> packet_process_incoming(buf, len);
>> }
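Review bot: In the `if (len < 0)` branch, `strerror(errno)` in the fatal() call is evaluated only after the new logit() call has run, so anything logit() does that sets errno changes the error text that gets reported. The address and the error also end up on two separate log lines, which a log parser then has to pair up. Saving errno into a local before logit(), or dropping the extra logit() and putting both values into the one fatal() call, e.g. `fatal("Read from socket failed: %.200s: %.100s", get_remote_ipaddr(), strerror(errno));`, would avoid both problems.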
>>
>> But like I said: The code I found at openssh was so totally different
>> that I did not continue this track, but chose to start running openssh
>> from ports. Which does not generate warnings I have questions about the
>> originating ip-nr.
>>
>>>> Are they still willing to accept changes to the old version that is
>>>> currently in base?
>>>
>>> No, why would they do that?
>>
>> Exactly my question....
>> I guess I misinterpreted your suggestion on upstreaming patches.
>>
>> --WjW
>>
>
> I honestly think everyone would be better served by porting blacklistd
> from NetBSD than trying to increase verbosity for log files.
>
>
I have been using HPN + NONE for a few years and find them quite useful,
but it is easier to install openssh-portable and run that than to
recompile the base system to enable the NONE cipher, so I have no
objection to removing the patches from base.
The useful logging feature that comes with the newer version of openssh
is logging which SSH key the user authenticated with.
--
Allan Jude
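
The point quoted above, that sshd logs each failed attempt before the address-less "Too many authentication failures" line, can be used by a log parser to attribute that line through the sshd PID. The following is an added example, not part of the original thread and not code from sshguard or fail2ban; the log lines are constructed, and it assumes every line for one connection carries the same sshd PID and that failed attempts are logged in the `Failed ... from ADDR port N` form.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses), in sshd syslog format.
SAMPLE_LOG = """\
Nov 10 11:00:01 host sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:00:03 host sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:00:05 host sshd[84942]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:00:09 host sshd[84950]: Failed password for invalid user admin from 198.51.100.23 port 5222 ssh2
Nov 10 11:00:11 host sshd[84951]: Disconnecting: Too many authentication failures [preauth]
""".splitlines()

PID_MSG = re.compile(r"sshd\[(\d+)\]: (.*)$")
FROM_ADDR = re.compile(r" from (\S+) port \d+")
LIMIT_MSG = "Too many authentication failures"


def attribute(lines):
    """Return (events per address, limit lines that could not be attributed)."""
    pid_addr = {}      # sshd PID -> last address logged for that PID
    hits = Counter()   # address -> failed attempts plus attributed limit lines
    orphans = []       # limit lines whose PID never logged an address
    for line in lines:
        m = PID_MSG.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        addr = FROM_ADDR.search(msg)
        if addr:
            pid_addr[pid] = addr.group(1)
            if msg.startswith("Failed "):
                hits[addr.group(1)] += 1
        elif LIMIT_MSG in msg:
            if pid in pid_addr:
                hits[pid_addr[pid]] += 1   # attribute via the shared PID
            else:
                orphans.append(line)       # the gap discussed in the thread
    return hits, orphans


if __name__ == "__main__":
    hits, orphans = attribute(SAMPLE_LOG)
    for address, count in hits.most_common():
        print(address, count)
    print("unattributed:", len(orphans))
```

Lines that land in `orphans` are the case described in the thread: a disconnect with no earlier address-bearing line for that PID, which only an address in the message itself would resolve.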
