conf/120263: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
Michael Grimm
trashcan at odo.in-berlin.de
Mon Feb 4 10:20:01 PST 2008
>Number: 120263
>Category: conf
>Synopsis: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 04 18:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Michael Grimm
>Release: FreeBSD 6.3-RELEASE i386
>Organization:
none
>Environment:
FreeBSD troi.scotty.invalid 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Sat Jan 26 02:49:42 CET 2008 root at troi.scotty.invalid:/usr/obj/usr/src/sys/VIA-C7 i386
>Description:
The following entries in /var/log/auth.log should be triggered in the daily security report
(xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):
Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE
only recognizes the second entry.
The relevant regex part of the 6.2 800.loginfail is:
egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"
and in 6.3 it has been changed to:
egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"
Presumably, one tried to overcome false positives when system names contained "fail|invalid|bad|illegal"
and modified the regex accordingly.
Now, "^$yesterday.*: " correctly triggers on the first part up to "...sshd[.....]: ". After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with a buzzword (first example: Invalid) it cannot be triggered, because a single blank is demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".
The following entry in /var/log/auth.log is triggered neither by the 6.2 nor by the 6.3 800.loginfail. IMHO
this should be added as well:
Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
>How-To-Repeat:
>Fix:
apply patch
Patch attached with submission follows:
--- /usr/src/etc/periodic/security/800.loginfail 2007-03-06 19:29:19.000000000 +0100
+++ 800.loginfail 2008-02-04 19:06:17.000000000 +0100
@@ -59,7 +59,7 @@
[Yy][Ee][Ss])
echo ""
echo "${host} login failures:"
- n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
+ n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)" |
tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;;
*) rc=0;;
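Review bot: dropping the blank before the alternation in the `+` line (`.*(fail|invalid|bad|illegal|not allowed)`) fixes the "Invalid user" miss but reintroduces substring matches after the message colon, so any token that merely contains "bad", "fail" or "illegal" (a user or remote host name, for instance) is reported again; only buzzwords in the syslog host field before the ": " stay excluded, which defeats what the 6.3 blank apparently set out to do. A pattern that still catches a buzzword directly after the colon while keeping it at a word start is `"^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"`. Worth stating in the change description as well: "not allowed" matches any line carrying that phrase, not only the AllowUsers case quoted in the PR.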
>Release-Note:
>Audit-Trail:
>Unformatted:
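To make the regex behaviour described in the PR visible side by side, the following script is an added example (not part of the PR, nor of /etc/periodic/security/800.loginfail). It runs the 6.2 pattern, the 6.3 pattern, the pattern from the attached patch and a word-start variant over a constructed auth.log sample and counts what each reports. Assumptions: `$yesterday` is pinned to "Jan 26" instead of being derived from date(1) as the real script does, `egrep -ia` is spelled `grep -Ei` (the `-a` flag only matters for binary input), 198.51.100.7 and 192.0.2.x are documentation addresses standing in for xxx.xxx.xxx.xxx, and the extra sample lines ("badhost", user "sinbad") are invented to show the false-positive cases, which goes beyond the three lines quoted in the PR.

```shell
#!/bin/sh
# Added example, not part of the PR or of 800.loginfail: compare the regex
# variants discussed in the PR over a constructed auth.log sample.

# 800.loginfail derives $yesterday from date(1); pinned here to fit the sample.
yesterday='Jan 26'

# Constructed sample log (not real data). Lines 1-3 mirror the three entries
# quoted in the PR. Line 4 is a successful login on a host whose name contains
# a buzzword (the false positive the 6.3 change presumably targeted). Line 5 is
# from the wrong day and must be ignored by every variant. Line 6 is a
# successful login for a user whose name merely contains "bad".
sample_log() {
    cat <<'EOF'
Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from 198.51.100.7
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[87777]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 26 09:00:00 badhost sshd[70001]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 25 23:59:59 troi sshd[60000]: Invalid user admin from 198.51.100.7
Jan 26 10:15:00 troi sshd[71234]: Accepted password for sinbad from 192.0.2.11 port 50001 ssh2
EOF
}

# count_matches REGEX: number of sample lines the pattern selects.
# grep -Ei is the portable spelling of the script's egrep -ia; "|| true" keeps
# a zero count from being treated as a failure under set -e.
count_matches() {
    sample_log | grep -Eic "$1" || true
}

# 6.2-RELEASE pattern: any buzzword anywhere on the line, so the syslog host
# field "badhost" and the user "sinbad" are both reported.
count_62() {
    count_matches "^$yesterday.*(fail|invalid|bad|illegal)"
}

# 6.3-RELEASE pattern: a ": " and then a blank right before the buzzword, which
# skips "Invalid user ..." because "Invalid" follows the colon directly.
count_63() {
    count_matches "^$yesterday.*: .* (fail|invalid|bad|illegal)"
}

# Pattern from the PR's patch: blank dropped, "not allowed" added. Catches the
# three PR lines again, but also the substring "bad" inside "sinbad".
count_patched() {
    count_matches "^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)"
}

# Word-start variant: the buzzword must sit either directly after ": " or after
# a blank, so "Invalid user" and "not allowed" match while "sinbad" does not.
count_wordstart() {
    count_matches "^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"
}

# Stand-alone run: one count per variant for the same input.
report() {
    printf '6.2 regex:        %s\n' "$(count_62)"
    printf '6.3 regex:        %s\n' "$(count_63)"
    printf 'PR patch regex:   %s\n' "$(count_patched)"
    printf 'word-start regex: %s\n' "$(count_wordstart)"
}
report
```

Of the six sample lines, the 6.2 pattern reports four (the two real failures plus both false positives), the 6.3 pattern only the "POSSIBLE BREAK-IN ATTEMPT" line, the patched pattern four (the three PR lines plus "sinbad"), and the word-start variant exactly the three PR lines.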