On 10-11-2015 12:11, Dag-Erling Smørgrav wrote: > Willem Jan Withagen <wjw_at_digiware.nl> writes: >> Digging in my logfiles .... , and its things like: >> sshd[84942]: Disconnecting: Too many authentication failures [preauth] >> >> So errors/warnings without IP-nr. >> >> And I think I fixed it on one server to also write: >> error: maximum authentication attempts exceeded for root from >> 173.254.203.88 port 1042 ssh2 [preauth] > > fail2ban should catch both of these since sshd will print a message for > each failed authentication attempt before it prints a message about > reaching the limit. It's already too long to remember the full facts, but when I was looking at the parser in sshguard, I think I noticed that certain accesses weren't logged and added some more logging rules to catch those. What I still have lingering is this snippet: Index: crypto/openssh/packet.c =================================================================== --- crypto/openssh/packet.c (revision 289060) +++ crypto/openssh/packet.c (working copy) _at__at_ -1128,8 +1128,10 _at__at_ logit("Connection closed by %.200s", get_remote_ipaddr()); cleanup_exit(255); } - if (len < 0) + if (len < 0) { + logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno)); + } /* Append it to the buffer. */ packet_process_incoming(buf, len); } But like I said: The code I found at openssh was so totally different that I did not continued this track, but chose to start running openssh from ports. Which does not generate warnings I have questions about the originating ip-nr. >> Are they still willing to accept changes to the old version that is >> currently in base? > > No, why would they do that? Exactly my question.... I guess I misinterpreted your suggestion on upstreaming patches. --WjWReceived on Tue Nov 10 2015 - 10:25:58 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:00 UTC