ports/174571: security/sshguard 1.5 does not detect ssh invalid users logins
François Charlier
fcharlier at ploup.net
Wed Dec 19 11:50:01 UTC 2012
>Number: 174571
>Category: ports
>Synopsis: security/sshguard 1.5 does not detect ssh invalid users logins
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 19 11:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: François Charlier
>Release: 9.0
>Organization:
>Environment:
FreeBSD stardust.ploup.net 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
sshguard >1.5 does not parse ssh invalid user logins like:
Dec 18 06:23:27 redacted sshd[6294]: Invalid user aaron from 1.1.1.1
because it matches the lowercase invalid word only.
The bug has been reported on the sshguard-users mailing list in June 2012 [1] and I submitted a patch [2] today.
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=20120625040417.GD4130%40nntp.AegisInfoSys.com&forum_name=sshguard-users
[2] https://sourceforge.net/tracker/?func=detail&aid=3597444&group_id=188282&atid=924687
>How-To-Repeat:
>Fix:
See attached patch
Patch attached with submission follows:
diff -Naur sshguard.orig/Makefile sshguard/Makefile
--- sshguard.orig/Makefile 2012-12-19 11:09:43.026352081 +0000
+++ sshguard/Makefile 2012-12-19 11:10:19.859353918 +0000
@@ -7,7 +7,7 @@
PORTNAME= sshguard
PORTVERSION= 1.5
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= SF/sshguard/sshguard/sshguard-${PORTVERSION}
diff -Naur sshguard.orig/files/patch-src-parser-attack_scanner.l sshguard/files/patch-src-parser-attack_scanner.l
--- sshguard.orig/files/patch-src-parser-attack_scanner.l 1970-01-01 00:00:00.000000000 +0000
+++ sshguard/files/patch-src-parser-attack_scanner.l 2012-12-19 11:02:17.619357458 +0000
@@ -0,0 +1,11 @@
+--- src/parser/attack_scanner.l.orig 2012-12-19 10:58:02.992356246 +0000
++++ src/parser/attack_scanner.l 2012-12-19 10:58:22.407356894 +0000
+@@ -127,7 +127,7 @@
+
+
+ /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
+-"Invalid user ".+" from " { return SSH_INVALUSERPREF; }
++[Ii]"nvalid user ".+" from " { return SSH_INVALUSERPREF; }
+ /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
+ /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
+ "User ".+" from " { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
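Review bot: the removed line of the embedded patch, "Invalid user ".+" from ", already starts with a capital I, which is the spelling in the sample log line from the description (Invalid user aaron from 1.1.1.1), while the description says the scanner matches the lowercase word only. Please confirm that this removed line is what the extracted 1.5 source of src/parser/attack_scanner.l actually contains at line 127; if the upstream rule is the lowercase form, the hunk will fail to apply during the patch phase and should be regenerated against the unpacked distfile. The replacement rule [Ii]"nvalid user ".+" from " accepts both spellings, so it is correct either way once the context matches. It would also help to extend the comment above the rule to say which capitalisation each OpenSSH version logs, so the character class is not simplified away later.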
>Release-Note:
>Audit-Trail:
>Unformatted: