Re: OpenSSH HPN

From: Allan Jude <allanjude_at_freebsd.org>
Date: Tue, 10 Nov 2015 11:12:35 -0500
On 2015-11-10 11:02, Mark Felder wrote:
> 
> 
> On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
>> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
>>> Willem Jan Withagen <wjw_at_digiware.nl> writes:
>>>> Digging in my logfiles .... , and its things like:
>>>>   sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>>>
>>>> So errors/warnings without IP-nr.
>>>>
>>>> And I think I fixed it on one server to also write:
>>>> error: maximum authentication attempts exceeded for root from
>>>> 173.254.203.88 port 1042 ssh2 [preauth]
>>>
>>> fail2ban should catch both of these since sshd will print a message for
>>> each failed authentication attempt before it prints a message about
>>> reaching the limit.
>>
>> It's already too long to remember the full facts, but when I was looking 
>> at the parser in sshguard, I think I noticed that certain accesses 
>> weren't logged and added some more logging rules to catch those.
>>
>> What I still have lingering is this snippet:
>> Index: crypto/openssh/packet.c
>> ===================================================================
>> --- crypto/openssh/packet.c     (revision 289060)
>> +++ crypto/openssh/packet.c     (working copy)
>> _at__at_ -1128,8 +1128,10 _at__at_
>>                          logit("Connection closed by %.200s", 
>> get_remote_ipaddr());
>>                          cleanup_exit(255);
>>                  }
>> -               if (len < 0)
>> +               if (len < 0) {
>> +                       logit("Read from socket failed: %.200s", 
>> get_remote_ipaddr());
>>                          fatal("Read from socket failed: %.100s", 
>> strerror(errno));
>> +               }
>>                  /* Append it to the buffer. */
>>                  packet_process_incoming(buf, len);
>>          }
>>
>> But like I said: The code I found at openssh was so totally different 
>> that I did not continued this track, but chose to start running openssh 
>> from ports. Which does not generate warnings I have questions about the 
>> originating ip-nr.
>>
>>>> Are they still willing to accept changes to the old version that is
>>>> currently in base?
>>>
>>> No, why would they do that?
>>
>> Exactly my question....
>> I guess I misinterpreted your suggestion on upstreaming patches.
>>
>> --WjW
>>
> 
> I honestly think everyone would be better served by porting blacklistd
> from NetBSD than trying to increase verbosity for log files.
> 
> 

I have been using HPN + NONE for a few years and find them quite useful,
but it is easier to install openssh-portable and run that than to
recompile the base system to enable the NONE cipher, so I have no
objection to removing the patches from base.

The useful logging feature that comes with the newer version of openssh,
is logging which SSH key the user authenticated with.

-- 
Allan Jude


Received on Tue Nov 10 2015 - 15:12:28 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:00 UTC