From owner-freebsd-stable@FreeBSD.ORG Sat Feb 1 05:34:20 2014
Date: Sat, 1 Feb 2014 00:34:15 -0500
From: jhellenthal@dataix.net
To: freebsd-stable@freebsd.org
Subject: FreeBSD 10-STABLE periodic/security/800-loginfail
Message-ID: <20140201053415.GA26828@DataIX.net>

It seems that AFAIK is missing a pattern to match "not allowed" entries in auth.log.

I would like to propose the following changes on this subject...

Initially I would like to see patterns be more specific and case sensitive.

* This is due to many pattern matching problems, like input_userauth_request matching the case-insensitive pattern "invalid" that was meant to catch "Invalid login" but does not provide any useful information when relayed to the user.

I would like to see the egrep statement in turn changed to (grep -E).

* This is just a nit-pick for portability's sake.

Also move away from storing the pattern matching statically in the 800-loginfail file directly.

* Store it somewhere else, like /etc/periodic/security/loginpatterns
* Include the ability to allow users to pattern match on /etc/userpatterns (whatever you wanna call it...)
* It may be used further by other user-aided scripts to parse logs too.

I would suggest the following patterns to match on to begin with.

* "User.*.from.*.not.allowed"
* "Invalid.user.*.from."
* "authentication.error.for.illegal.user.*.from"
* "Did.not.receive.identification.string.from"

I am sure there are plenty of other patterns to match on, but this takes care of sshd and most system level logs AFAIA.

Wrapping this up though, my main concern is getting rid of what is not useful to someone or anyone in the form of an email, like the input_userauth_request messages. I personally would rather see where it started along with the ip-address and parse the logs later if I am concerned about one of those entries.

-- 
- (2^(N-1)) JJH48-ARIN
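The pattern-file approach proposed in the mail above, as an added sh example. This is not FreeBSD's 800-loginfail and not the poster's code: the four patterns are the ones listed in the mail, but the file locations (a "system" loginpatterns file and a separate user pattern file), the extra user pattern, the sample auth.log lines and the helper names are all constructed here for illustration. It also shows the point about case sensitivity: the legacy case-insensitive "invalid" match picks up the input_userauth_request noise line, while the specific, case-sensitive "Invalid.user.*.from." pattern does not.

```sh
#!/bin/sh
# Added example (not FreeBSD's 800-loginfail): a minimal, case-sensitive
# loginfail matcher that loads grep -E patterns from files instead of
# hard-coding them.  File locations and helper names are assumptions.

# Constructed sample auth.log lines; not captured from a real host.
SAMPLE_LOG='Feb  1 00:10:01 host sshd[1234]: Invalid user admin from 203.0.113.5
Feb  1 00:10:02 host sshd[1234]: input_userauth_request: invalid user admin [preauth]
Feb  1 00:11:15 host sshd[1240]: User root from 203.0.113.7 not allowed because not listed in AllowUsers
Feb  1 00:12:40 host sshd[1251]: Did not receive identification string from 198.51.100.9
Feb  1 00:13:03 host sshd[1260]: Accepted publickey for jh from 192.0.2.10 port 50122 ssh2
Feb  1 00:14:22 host login[1300]: authentication error for illegal user bob from 203.0.113.8
Feb  1 00:15:09 host sshd[1270]: Failed password for invalid user test from 203.0.113.9 port 4444 ssh2'

# Write the four patterns proposed in the mail to a "system" pattern file
# (/etc/periodic/security/loginpatterns in the proposal; $1 here).
write_system_patterns() {
    cat > "$1" <<'EOF'
User.*.from.*.not.allowed
Invalid.user.*.from.
authentication.error.for.illegal.user.*.from
Did.not.receive.identification.string.from
EOF
}

# Write a local, admin-supplied pattern file (/etc/userpatterns in the
# proposal; $1 here).  The pattern itself is a constructed example.
write_user_patterns() {
    printf '%s\n' 'Failed.password.for' > "$1"
}

# Filter stdin through every readable, non-empty pattern file given as an
# argument, case-sensitively, with grep -E rather than egrep.  A missing or
# empty user pattern file is skipped, not treated as an error.
loginfail_filter() {
    _args=""
    for _f in "$@"; do
        [ -s "$_f" ] && _args="$_args -f $_f"
    done
    [ -n "$_args" ] || { cat >/dev/null; return 0; }
    grep -E $_args
}

# Count matching lines in $1 (log text) using the pattern files $2...
loginfail_count() {
    _log=$1; shift
    printf '%s\n' "$_log" | loginfail_filter "$@" | grep -c . || true
}

# The kind of check the mail objects to: a case-insensitive match on
# "invalid", which also drags in the input_userauth_request noise line.
legacy_invalid_count() {
    printf '%s\n' "$1" | grep -ic 'invalid' || true
}

# Demo: run both checks over the sample and show what each reports.
demo() {
    _d=$(mktemp -d) || return 1
    write_system_patterns "$_d/loginpatterns"
    write_user_patterns "$_d/userpatterns"
    echo "legacy case-insensitive 'invalid': $(legacy_invalid_count "$SAMPLE_LOG") lines"
    echo "system patterns only:              $(loginfail_count "$SAMPLE_LOG" "$_d/loginpatterns") lines"
    echo "system + user patterns:            $(loginfail_count "$SAMPLE_LOG" "$_d/loginpatterns" "$_d/userpatterns") lines"
    echo "--- lines reported with system + user patterns ---"
    printf '%s\n' "$SAMPLE_LOG" | loginfail_filter "$_d/loginpatterns" "$_d/userpatterns"
    rm -rf "$_d"
}

demo
```

Over the constructed sample the legacy check reports 3 lines (the two real "Invalid user"/"invalid user" failures plus the input_userauth_request line), the four proposed patterns report 4 (not allowed, Invalid user, illegal user, no identification string) and skip the input_userauth_request line entirely, and the user pattern file adds the "Failed password" line for 5. Because the pattern files are read with `-f`, adding a pattern is an edit to a data file rather than to the periodic script, which is the portability and maintenance point the mail makes.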