Date: Tue, 10 Nov 2015 10:02:10 -0600 From: Mark Felder <feld@FreeBSD.org> To: Willem Jan Withagen <wjw@digiware.nl>, =?ISO-8859-1?Q?Dag-Erling=20Sm=F8rgrav?= <des@des.no> Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org Subject: Re: OpenSSH HPN Message-ID: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com> In-Reply-To: <5641D419.5090103@digiware.nl> References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no> <5641D419.5090103@digiware.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
> On 10-11-2015 12:11, Dag-Erling Sm=F8rgrav wrote:
> > Willem Jan Withagen <wjw@digiware.nl> writes:
> >> Digging in my logfiles .... , and its things like:
> >> sshd[84942]: Disconnecting: Too many authentication failures [preaut=
h]
> >>
> >> So errors/warnings without IP-nr.
> >>
> >> And I think I fixed it on one server to also write:
> >> error: maximum authentication attempts exceeded for root from
> >> 173.254.203.88 port 1042 ssh2 [preauth]
> >
> > fail2ban should catch both of these since sshd will print a message for
> > each failed authentication attempt before it prints a message about
> > reaching the limit.
>=20
> It's already too long to remember the full facts, but when I was looking=
=20
> at the parser in sshguard, I think I noticed that certain accesses=20
> weren't logged and added some more logging rules to catch those.
>=20
> What I still have lingering is this snippet:
> Index: crypto/openssh/packet.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- crypto/openssh/packet.c (revision 289060)
> +++ crypto/openssh/packet.c (working copy)
> @@ -1128,8 +1128,10 @@
> logit("Connection closed by %.200s",=20
> get_remote_ipaddr());
> cleanup_exit(255);
> }
> - if (len < 0)
> + if (len < 0) {
> + logit("Read from socket failed: %.200s",=20
> get_remote_ipaddr());
> fatal("Read from socket failed: %.100s",=20
> strerror(errno));
> + }
> /* Append it to the buffer. */
> packet_process_incoming(buf, len);
> }
>=20
> But like I said: The code I found at openssh was so totally different=20
> that I did not continued this track, but chose to start running openssh=20
> from ports. Which does not generate warnings I have questions about the=20
> originating ip-nr.
>=20
> >> Are they still willing to accept changes to the old version that is
> >> currently in base?
> >
> > No, why would they do that?
>=20
> Exactly my question....
> I guess I misinterpreted your suggestion on upstreaming patches.
>=20
> --WjW
>=20
I honestly think everyone would be better served by porting blacklistd
from NetBSD than trying to increase verbosity for log files.
--=20
Mark Felder
ports-secteam member
feld@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1447171330.3672217.435085401.40D8E7F2>