Re: OpenSSH HPN

From: Mark Felder <feld_at_FreeBSD.org> Date: Tue, 10 Nov 2015 10:02:10 -0600 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:00 UTC

On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
> > Willem Jan Withagen <wjw_at_digiware.nl> writes:
> >> Digging in my logfiles .... , and its things like:
> >>   sshd[84942]: Disconnecting: Too many authentication failures [preauth]
> >>
> >> So errors/warnings without IP-nr.
> >>
> >> And I think I fixed it on one server to also write:
> >> error: maximum authentication attempts exceeded for root from
> >> 173.254.203.88 port 1042 ssh2 [preauth]
> >
> > fail2ban should catch both of these since sshd will print a message for
> > each failed authentication attempt before it prints a message about
> > reaching the limit.
> 
> It's already too long to remember the full facts, but when I was looking 
> at the parser in sshguard, I think I noticed that certain accesses 
> weren't logged and added some more logging rules to catch those.
> 
> What I still have lingering is this snippet:
> Index: crypto/openssh/packet.c
> ===================================================================
> --- crypto/openssh/packet.c     (revision 289060)
> +++ crypto/openssh/packet.c     (working copy)
> _at__at_ -1128,8 +1128,10 _at__at_
>                          logit("Connection closed by %.200s", 
> get_remote_ipaddr());
>                          cleanup_exit(255);
>                  }
> -               if (len < 0)
> +               if (len < 0) {
> +                       logit("Read from socket failed: %.200s", 
> get_remote_ipaddr());
>                          fatal("Read from socket failed: %.100s", 
> strerror(errno));
> +               }
>                  /* Append it to the buffer. */
>                  packet_process_incoming(buf, len);
>          }
> 
> But like I said: The code I found at openssh was so totally different 
> that I did not continued this track, but chose to start running openssh 
> from ports. Which does not generate warnings I have questions about the 
> originating ip-nr.
> 
> >> Are they still willing to accept changes to the old version that is
> >> currently in base?
> >
> > No, why would they do that?
> 
> Exactly my question....
> I guess I misinterpreted your suggestion on upstreaming patches.
> 
> --WjW
> 

I honestly think everyone would be better served by porting blacklistd
from NetBSD than trying to increase verbosity for log files.

-- 
  Mark Felder
  ports-secteam member
  feld_at_FreeBSD.org