ports/126867: sshguard-pf 1.1 fails to detect attempted logins
grem
freebsdusb at bindone.de
Wed Aug 27 00:01:30 UTC 2008
Forgot How-To-Repeat:
cd /usr/ports/security/sshguard-pf
make install
tail -F /var/log/auth.log | sshguard
Log in to your system using an invalid/non-existing username: You'll get
locked out as expected.
Log in as many times as you like using an existing user but a wrong
password, and your IP will never be blacklisted.
Michael wrote:
>> Number: 126867
>> Category: ports
>> Synopsis: sshguard-pf 1.1 fails to detect attempted logins
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-ports-bugs
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: sw-bug
>> Submitter-Id: current-users
>> Arrival-Date: Tue Aug 26 23:30:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator: Michael
>> Release: FreeBSD 6.3
>> Organization:
> /bin/done digital solutions
>> Environment:
> FreeBSD servername 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Fri Feb 22 01:48:25 CET 2008 root at servername:/usr/src/sys/i386/compile/GENERIC i386
>> Description:
> After the upgrade from sshguard-pf 1.0 to 1.1 sshguard doesn't catch failed logins of valid users anymore. So basically its main purpose of preventing brute force password discovery is malfunctioning. This happens on FreeBSD 6.x and 7.x standard installs. By comparing attack_scanner.l in the old and new version I can see that the line catching these logins (it was labeled FreeBSD/MacOS X) is simply gone.
>
> This is the log entry generated by FreeBSD on login errors of valid users (PAM):
>
> Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for username from 80.190.1.1
>
> I cannot see anything that can potentially get that in the parser sources.
>
> Since I have no expertise writing yacc/bison parsers, somebody else has to look at this and fix it ASAP. portupgrade sshguard-pf basically leaves your system unprotected without any indication.
>
> I assume that this affects all sshguard* ports.
>
> I will also contact the author about this.
>
>> How-To-Repeat:
>
>> Fix:
> Someone has to fix the parser.
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
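Added example (not part of the original message and not sshguard code): a regression check of the kind that catches the failure reported above, where an upgrade silently drops a detection pattern and known attack log lines stop matching. The rule names, the regexes and every log line except the PAM entry quoted in the report are assumptions constructed for illustration.

```python
import re

# Hypothetical detection rules (not sshguard's attack_scanner.l patterns).
# Each maps a rule name to a regex that captures the source address.
RULES_FULL = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)"),
    "pam_auth_error": re.compile(
        r"sshd\[\d+\]: error: PAM: authentication error for \S+ from (?P<ip>\S+)"),
}
# Same rule set with the PAM rule dropped, modelling the regression in the report.
RULES_REGRESSED = {k: v for k, v in RULES_FULL.items() if k != "pam_auth_error"}

# Labelled corpus: (log line, expected attacker address or None for benign).
# The first line is the entry quoted in the report; the others are constructed.
CORPUS = [
    ("Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error "
     "for username from 80.190.1.1", "80.190.1.1"),
    ("Aug 27 00:04:09 server sshd[67301]: Invalid user admin from 192.0.2.10",
     "192.0.2.10"),
    ("Aug 27 00:05:00 server sshd[67302]: Accepted publickey for alice "
     "from 198.51.100.7 port 50022 ssh2", None),
]

def detect(rules, line):
    """Return (rule name, ip) for the first matching rule, else None."""
    for name, rx in rules.items():
        m = rx.search(line)
        if m:
            return name, m.group("ip")
    return None

def coverage_report(rules, corpus=CORPUS):
    """Compare detections with labels; return (missed, false_positives)."""
    missed, false_pos = [], []
    for line, expected_ip in corpus:
        hit = detect(rules, line)
        if expected_ip and (hit is None or hit[1] != expected_ip):
            missed.append(line)
        elif expected_ip is None and hit is not None:
            false_pos.append(line)
    return missed, false_pos

if __name__ == "__main__":
    for label, rules in (("full", RULES_FULL), ("regressed", RULES_REGRESSED)):
        missed, false_pos = coverage_report(rules)
        print(f"{label}: {len(missed)} missed, {len(false_pos)} false positives")
        for line in missed:
            print("  MISSED:", line)
```

Running a labelled corpus like this against the rule set before and after every upgrade turns a silent loss of coverage into a failing check.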