Date: Tue, 12 Jun 2001 08:19:52 -0400
From: Daniel Hagan <dhagan@colltech.com>
To: aeonflux99@hushmail.com, FreeBSD-Audit@FreeBSD.org, FreeBSD-Security@FreeBSD.org
Subject: Re: resubmitting fix (/etc/security ssh awareness)
Message-ID: <3B2608E8.611D1669@colltech.com>
References: <200106112104.OAA16071@user7.hushmail.com>
This probably belongs more on -security than -audit, so I'm cross-posting it
to both with follow-ups set to -security.

aeonflux99@hushmail.com wrote:
>
> I first submitted this patch to this mailing list in the month of January,
> unfortunately it was largely ignored. As it stands ssh failures are not
> audited, they're not even logged in the default configuration.
>
> Obviously we need to make some changes so that repeated failures get logged.
> Likewise people connecting to our sshd port to look for a banner version
> should also be logged. As it stands the only way to really do this properly
> is to use tcpwrappers, or packet filtering. However, I believe there needs
> to be some logging higher up in the ladder too.
>
> I'm resubmitting this patch. In order to get it to work properly, you're
> going to need to modify syslog.conf
>
> security.*;auth.info /var/log/security
>
> adding auth.info (the facility ssh uses) to the security log. Likewise
> the patch is extremely simple.

It seems that adding auth and authpriv to /var/log/security would be the
'right thing to do' in the POLA sense.

> -
> --- /etc/security Mon Jun 11 15:45:02 2001
> +++ /etc/security Mon Jun 11 15:48:29 2001
> @@ -44,6 +44,7 @@
> sort -t. -r -n +1 -2 |
> xargs zcat -f
> [ -f $LOG/messages ] && cat $LOG/messages
> + [ -f $LOG/security ] && cat $LOG/security
> }
>
> sflag=FALSE ignore=
> @@ -188,6 +189,12 @@
> separator
> echo "${host} login failures:"
> n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr |
> wc -l)
> +[ $n -gt 0 -a $rc -lt 1 ] && rc=1
> +
> +# Show "${host} SSH login failures:"
> +separator
> +echo "${host} login failures:"

This should probably be echo "${host} SSH login failures:", right?

> +n=$(catmsgs | grep -i "^$yesterday.*failed password" | tee /dev/stderr
> | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> # Show tcp_wrapper warning messages

While I agree that this is a Good Idea, I'm not entirely sure that your
implementation is sufficient. Does .*failed password match only sshd
entries and does it match all of the cases you mention above (failed
logins, port scanning; what about failed RSAAuthentication attempts)?

Daniel

--
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1
3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
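Review bot: in the @@ -44,6 +44,7 @@ hunk, the added `[ -f $LOG/security ] && cat $LOG/security` reads only the live file, while the `sort -t. -r -n +1 -2 | xargs zcat -f` lines just above it appear to be what feeds the rotated copies of messages into catmsgs; if /var/log/security is rotated before this script runs, yesterday's sshd lines sit in a rotated file that catmsgs never reads, so either extend the rotated-file handling to security.* or state the ordering requirement in the cover note. Also worth a comment in the same hunk: catmsgs now concatenates messages and security, so any line syslog writes to both files is counted twice by the `wc -l` totals later in the script.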
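Review bot: in the @@ -188,6 +189,12 @@ hunk, the new `grep -i "^$yesterday.*failed password"` is anchored only on the date, so it is not restricted to sshd and will count any other auth.info line in /var/log/security that happens to contain those words, while it still does not cover the other cases the cover note wants reported (banner-grab connections, failed non-password authentication); anchoring on the daemon, e.g. `grep -i "^$yesterday.*sshd.*failed password"`, fixes the first problem, and the second needs either further patterns or a note that only password failures are counted. The heading `echo "${host} login failures:"` also repeats the heading of the section directly above it and should say `SSH login failures:` as the reply already points out.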
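As an added illustration (not code from the submitted patch or from FreeBSD's /etc/security), the shell below runs the patch's "failed password" count over a constructed sample of what /var/log/security holds once `security.*;auth.info` is routed there, and sets it beside a count anchored on the sshd program name, which is the extra restriction the reply asks about. The sample log lines, the made-up pop3d message, and the fixed "Jun 11" prefix standing in for the script's $yesterday are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the submitted patch or
# from FreeBSD's /etc/security. It runs the patch's "failed password"
# count over a constructed sample of /var/log/security and compares it
# with a pattern that is also anchored on the sshd program name.

# Constructed sample log. The "Jun 11" prefix stands in for the value the
# real script computes into $yesterday; the pop3d line is made up to show
# a non-sshd line that contains the same words.
SAMPLE_LOG='Jun 11 03:12:45 host sshd[1234]: Failed password for root from 10.0.0.5 port 41234 ssh2
Jun 11 03:12:49 host sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 41234 ssh2
Jun 11 04:01:02 host login: 1 LOGIN FAILURE ON ttyv0, root
Jun 11 05:30:00 host pop3d: failed password for user bob
Jun 10 23:59:59 host sshd[1100]: Failed password for root from 10.0.0.9 port 4000 ssh2
Jun 11 06:00:00 host sshd[1300]: Accepted password for alice from 192.0.2.7 port 5000 ssh2'

yesterday="Jun 11"

# Count exactly as the patch does: only the date is anchored, so the
# pop3d line is counted alongside the two sshd failures.
count_failed_password_unanchored() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -i "^$yesterday.*failed password" | wc -l | tr -d ' '
}

# Same count with the sshd program name (and its pid) required between the
# date and the message; the pop3d line and the Jun 10 line drop out.
count_sshd_failed_password() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -i "^$yesterday.*sshd\[[0-9]*\]: failed password" | wc -l | tr -d ' '
}

# Mirror of the script's "[ $n -gt 0 -a $rc -lt 1 ] && rc=1" rule:
# prints the rc the script would carry on with for a given count and
# previous rc.
rc_after_count() {
    n=$1
    rc=$2
    if [ "$n" -gt 0 ] && [ "$rc" -lt 1 ]; then
        rc=1
    fi
    echo "$rc"
}

printf 'patch pattern:         %s\n' "$(count_failed_password_unanchored)"
printf 'sshd-anchored pattern: %s\n' "$(count_sshd_failed_password)"
printf 'rc after sshd count:   %s\n' "$(rc_after_count "$(count_sshd_failed_password)" 0)"
```

The "LOGIN FAILURE" line is left in the sample on purpose: it is what the existing `login failure` section of the script counts, and neither pattern above touches it, so the two sections stay disjoint.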