On 2015-11-10 11:02, Mark Felder wrote: > > > On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote: >> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote: >>> Willem Jan Withagen <wjw_at_digiware.nl> writes: >>>> Digging in my logfiles .... , and its things like: >>>> sshd[84942]: Disconnecting: Too many authentication failures [preauth] >>>> >>>> So errors/warnings without IP-nr. >>>> >>>> And I think I fixed it on one server to also write: >>>> error: maximum authentication attempts exceeded for root from >>>> 173.254.203.88 port 1042 ssh2 [preauth] >>> >>> fail2ban should catch both of these since sshd will print a message for >>> each failed authentication attempt before it prints a message about >>> reaching the limit. >> >> It's already too long to remember the full facts, but when I was looking >> at the parser in sshguard, I think I noticed that certain accesses >> weren't logged and added some more logging rules to catch those. >> >> What I still have lingering is this snippet: >> Index: crypto/openssh/packet.c >> =================================================================== >> --- crypto/openssh/packet.c (revision 289060) >> +++ crypto/openssh/packet.c (working copy) >> _at__at_ -1128,8 +1128,10 _at__at_ >> logit("Connection closed by %.200s", >> get_remote_ipaddr()); >> cleanup_exit(255); >> } >> - if (len < 0) >> + if (len < 0) { >> + logit("Read from socket failed: %.200s", >> get_remote_ipaddr()); >> fatal("Read from socket failed: %.100s", >> strerror(errno)); >> + } >> /* Append it to the buffer. */ >> packet_process_incoming(buf, len); >> } >> >> But like I said: The code I found at openssh was so totally different >> that I did not continued this track, but chose to start running openssh >> from ports. Which does not generate warnings I have questions about the >> originating ip-nr. >> >>>> Are they still willing to accept changes to the old version that is >>>> currently in base? >>> >>> No, why would they do that? >> >> Exactly my question.... >> I guess I misinterpreted your suggestion on upstreaming patches. >> >> --WjW >> > > I honestly think everyone would be better served by porting blacklistd > from NetBSD than trying to increase verbosity for log files. > > I have been using HPN + NONE for a few years and find them quite useful, but it is easier to install openssh-portable and run that than to recompile the base system to enable the NONE cipher, so I have no objection to removing the patches from base. The useful logging feature that comes with the newer version of openssh, is logging which SSH key the user authenticated with. -- Allan Jude
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:00 UTC