ports/126867: sshguard-pf 1.1 fails to detect attempted logins
freebsdports at bindone.de
Tue Aug 26 23:30:01 UTC 2008
>Synopsis: sshguard-pf 1.1 fails to detect attempted logins
>Arrival-Date: Tue Aug 26 23:30:00 UTC 2008
>Release: FreeBSD 6.3
/bin/done digital solutions
FreeBSD servername 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Fri Feb 22 01:48:25 CET 2008 root at servername:/usr/src/sys/i386/compile/GENERIC i386
After the upgrade from sshguard-pf 1.0 to 1.1 sshguard doesn't catch failed logins of valid users anymore. So basically its main purpose of preventing brute force password discovery is malfunctioning. This happens on FreeBSD 6.x and 7.x standard installs. By comparing attack_scanner.l in the old and new version I can see that the line catching these logins (it was labeled FreeBSD/MacOS X) is simply gone.
This is the log entry generated by FreeBSD on login errors of valid users (PAM):
Aug 27 00:04:05 server sshd: error: PAM: authentication error for username from 18.104.22.168
I cannot see anything that can potentially get that in the parser sources.
Since I have no expertise writing yacc/bison parsers, somebody else has to look at this and fix it asap. portupgrade sshguard-pf basically leaves your system unprotected without any indication.
I assume that this affects all sshguard* ports.
I will also contact the author about this.
Someone has to fix the parser.
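
An added example, not part of the original report and not sshguard's own code: a canary check that can be run after an upgrade to confirm that the log lines your sshd emits are still flagged by the detection rules. The regexes, function names and the second canary line are constructed for illustration; the first canary line is the one quoted in the report.

```python
import ipaddress
import re

# Illustrative rules (assumptions for this example, not sshguard's lex rules).
RULE_INVALID_USER = re.compile(
    r"sshd(?:\[\d+\])?: Invalid user \S+ from (?P<addr>\S+)$"
)
RULE_PAM_AUTH_ERROR = re.compile(
    r"sshd(?:\[\d+\])?: error: PAM: authentication error for \S+ from (?P<addr>\S+)$"
)

RULES_WITH_PAM = [RULE_INVALID_USER, RULE_PAM_AUTH_ERROR]
RULES_WITHOUT_PAM = [RULE_INVALID_USER]  # models the PAM rule going missing

# Canary lines that every rule set must flag.
# The first is the line from the report; the second is constructed.
CANARY_LINES = [
    "Aug 27 00:04:05 server sshd: error: PAM: authentication error for username from 18.104.22.168",
    "Aug 27 00:04:09 server sshd[4242]: Invalid user admin from 192.0.2.77",
]

def extract_attacker(line, rules):
    """Return the source address if any rule flags the line, else None."""
    for rule in rules:
        m = rule.search(line)
        if not m:
            continue
        try:
            # Only act on text that parses as an IP address.
            return str(ipaddress.ip_address(m.group("addr")))
        except ValueError:
            continue
    return None

def missed_canaries(rules, canaries=CANARY_LINES):
    """Return the canary lines that should be detected but are not."""
    return [line for line in canaries if extract_attacker(line, rules) is None]

if __name__ == "__main__":
    for name, rules in (("with PAM rule", RULES_WITH_PAM),
                        ("without PAM rule", RULES_WITHOUT_PAM)):
        missed = missed_canaries(rules)
        print(f"{name}: {len(missed)} canary line(s) missed")
        for line in missed:
            print("  MISSED:", line)
```

A non-empty result from `missed_canaries` is the indication the upgrade itself did not give: the detector is running but blind to that log format.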