Date: Tue, 27 Jun 2023 18:13:43 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 272249] security/sshguard: not detecting log entries containing hostnames
Message-ID: <bug-272249-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272249

            Bug ID: 272249
           Summary: security/sshguard: not detecting log entries containing hostnames
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: martin@lispworks.com
                CC: kevinz5000@gmail.com
             Flags: maintainer-feedback?(kevinz5000@gmail.com)

sshguard is not detecting log entries like this:

Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net

because it gets a "Could not resolve" error:

$ echo ' Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net' | /usr/local/libexec/sshg-parser -a
Could not resolve 'ns2.tilbd.net' to address
 Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net
$ 

I am running sshguard 2.4.2_2,1 on FreeBSD 12.4-RELEASE-p2.

I think the problem is that sshg-parser calls cap_enter (in sandbox_init) which makes the kernel block things needed for DNS lookup in attack_from_hostname.
The output from truss shows:

cap_enter()                                      = 0 (0x0)
fstat(0,{ mode=p--------- ,inode=355787,size=97,blksize=4096 }) = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370293760 (0x800a11000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370297856 (0x800a12000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370301952 (0x800a13000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370306048 (0x800a14000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370310144 (0x800a15000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370314240 (0x800a16000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370318336 (0x800a17000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370322432 (0x800a18000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370326528 (0x800a19000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370330624 (0x800a1a000)
read(0," Jun 27 10:13:54 ext1 sshd[8435"...,4096)  = 97 (0x61)
mmap(0x0,28672,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370334720 (0x800a1b000)
mmap(0x0,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370363392 (0x800a22000)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in capability mode'
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370383872 (0x800a27000)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370453504 (0x800a38000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370523136 (0x800a49000)
gettimeofday({ 1687889156.834461 },0x0)          = 0 (0x0)
getpid()                                         = 87455 (0x1559f)
gettimeofday({ 1687889156.835202 },0x0)          = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370527232 (0x800a4a000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370531328 (0x800a4b000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370535424 (0x800a4c000)
issetugid()                                      = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
__sysctl("kern.hostname",2,0x7fffffffd040,0x7fffffffcd58,0x0,0) = 0 (0x0)
issetugid()                                      = 0 (0x0)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370539520 (0x800a4d000)
gettimeofday({ 1687889156.839494 },0x0)          = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in capability mode'
clock_gettime(12,{ 2948703.216701665 })          = 0 (0x0)
fstatat(AT_FDCWD,"/etc/resolv.conf",0x7fffffffd370,0x0) ERR#94 'Not permitted in capability mode'
gettimeofday({ 1687889156.846809 },0x0)          = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in capability mode'
close(3)                                         = 0 (0x0)
Could not resolve 'ns2.tilbd.net' to address
write(2,"Could not resolve 'ns2.tilbd.net"...,45) = 45 (0x2d)

-- 
You are receiving this mail because:
You are the assignee for the bug.
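A check an operator can run over an sshd log to see how many attack entries name a hostname rather than an address, and so would be dropped by the sandboxed sshg-parser as described in the report above. This is an added example, not code from sshguard or from the reporter; it only matches the PAM "Authentication error" message shown in the bug, and the log lines are constructed.

```python
import ipaddress
import re

# Matches the FreeBSD sshd/PAM message quoted in the report. Other sshd
# attack messages exist; this example deliberately covers only this one.
PAM_AUTH_ERROR = re.compile(
    r"sshd\[\d+\]: error: PAM: Authentication error for (?P<user>\S+) from (?P<host>\S+)"
)


def is_ip_literal(host: str) -> bool:
    """True when the 'from' field is an IPv4/IPv6 literal, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(lines):
    """Split matching lines into those attributable to an address without
    DNS (IP literal) and those that would need a lookup (hostname), plus
    lines the pattern does not match at all."""
    by_ip, by_hostname, unmatched = [], [], []
    for line in lines:
        m = PAM_AUTH_ERROR.search(line)
        if not m:
            unmatched.append(line)
        elif is_ip_literal(m.group("host")):
            by_ip.append((m.group("user"), m.group("host")))
        else:
            by_hostname.append((m.group("user"), m.group("host")))
    return by_ip, by_hostname, unmatched


# Constructed sample input; the first line is the one from the bug report.
SAMPLE_LOG = """\
Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net
Jun 27 10:14:02 ext1 sshd[84360]: error: PAM: Authentication error for admin from 203.0.113.7
Jun 27 10:14:09 ext1 sshd[84361]: error: PAM: Authentication error for root from 2001:db8::1
Jun 27 10:14:15 ext1 sshd[84362]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    by_ip, by_hostname, unmatched = classify(SAMPLE_LOG)
    print(f"attributable without DNS: {len(by_ip)}; other lines: {len(unmatched)}")
    for user, host in by_hostname:
        print(f"hostname-only entry (needs DNS, not counted in capability mode): {user} from {host}")
```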