ports/126867: sshguard-pf 1.1 fails to detect attempted logins

grem freebsdusb at bindone.de
Wed Aug 27 00:01:30 UTC 2008


Forgot How-To-Repeat:

cd /usr/ports/security/sshguard-pf
make install

tail -F /var/log/auth.log | sshguard

Log in to your system using an invalid/non-existing username: you'll get 
locked out as expected.

Log in as many times as you like using an existing user but a wrong 
password: your IP will never be blacklisted.


Michael wrote:
>> Number:         126867
>> Category:       ports
>> Synopsis:       sshguard-pf 1.1 fails to detect attempted logins
>> Confidential:   no
>> Severity:       critical
>> Priority:       high
>> Responsible:    freebsd-ports-bugs
>> State:          open
>> Quarter:        
>> Keywords:       
>> Date-Required:
>> Class:          sw-bug
>> Submitter-Id:   current-users
>> Arrival-Date:   Tue Aug 26 23:30:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator:     Michael
>> Release:        FreeBSD 6.3
>> Organization:
> /bin/done digital solutions
>> Environment:
> FreeBSD servername 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Fri Feb 22 01:48:25 CET 2008     root at servername:/usr/src/sys/i386/compile/GENERIC  i386
>> Description:
> After the upgrade from sshguard-pf 1.0 to 1.1 sshguard doesn't catch failed logins of valid users anymore. So basically its main purpose of preventing brute force password discovery is malfunctioning. This happens on FreeBSD 6.x and 7.x standard installs. By comparing attack_scanner.l in the old and new version I can see that the line catching these logins (it was labeled FreeBSD/MacOS X) is simply gone. 
> 
> This is the log entry generated by FreeBSD on login errors of valid users (PAM):
> 
> Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for username from 80.190.1.1
> 
> I cannot see anything that can potentially get that in the parser sources.
> 
> Since I have no expertise writing yacc/bison parsers somebody else has to look at this and fix it asap. portupgrade sshguard-pf basically leaves your system unprotected without any indication.
> 
> I assume that this affects all sshguard* ports.
> 
> I will also contact the author about this.
> 
>> How-To-Repeat:
> 
>> Fix:
> Someone has to fix the parser.
> 
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
> _______________________________________________
> freebsd-ports-bugs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs
> To unsubscribe, send any mail to "freebsd-ports-bugs-unsubscribe at freebsd.org"
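
Added example, not part of the original message and not sshguard code: a small regression check that replays auth.log lines through a set of failure patterns and reports both the addresses that would be blocked and the failure lines no pattern recognises, which is the silent gap described in the report. The two regular expressions, the function names, the threshold and the sample log lines are constructed for illustration; only the shape of the PAM line is taken from the report.

```python
import re
from collections import Counter

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Constructed patterns for illustration; these are NOT sshguard's lexer rules.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IP)
PAM_AUTH_ERROR = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for \S+ from " + IP)

# Constructed log lines; 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
Aug 27 00:03:10 server sshd[67290]: Invalid user admin from 192.0.2.10
Aug 27 00:03:12 server sshd[67291]: Invalid user test from 192.0.2.10
Aug 27 00:03:15 server sshd[67292]: Invalid user oracle from 192.0.2.10
Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for alice from 198.51.100.7
Aug 27 00:04:09 server sshd[67301]: error: PAM: authentication error for alice from 198.51.100.7
Aug 27 00:04:14 server sshd[67302]: error: PAM: authentication error for alice from 198.51.100.7
Aug 27 00:05:00 server sshd[67310]: Accepted publickey for alice from 192.0.2.99 port 50022 ssh2
""".splitlines()

def offenders(lines, patterns, threshold=3):
    """Return the IPs with at least `threshold` lines matching any pattern."""
    hits = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("ip")] += 1
                break  # count each log line once
    return {ip for ip, n in hits.items() if n >= threshold}

def uncovered(lines, patterns, markers=("Invalid user", "authentication error")):
    """Return lines that look like auth failures but match no pattern."""
    return [l for l in lines
            if any(k in l for k in markers)
            and not any(p.search(l) for p in patterns)]

if __name__ == "__main__":
    for name, pats in (("invalid-user only", [INVALID_USER]),
                       ("with PAM rule", [INVALID_USER, PAM_AUTH_ERROR])):
        print(name, "blocks:", sorted(offenders(SAMPLE_LOG, pats)))
        print(name, "unrecognised failures:", len(uncovered(SAMPLE_LOG, pats)))
```

Running a check like this against a sample of the host's own auth.log after each upgrade of the log-watching tool shows whether failed logins for valid users are still being counted.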



