[Bug 272249] security/sshguard: not detecting log entries containing hostnames

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 27 Jun 2023 18:13:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272249

            Bug ID: 272249
           Summary: security/sshguard: not detecting log entries
                    containing hostnames
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: martin@lispworks.com
                CC: kevinz5000@gmail.com
                CC: kevinz5000@gmail.com
             Flags: maintainer-feedback?(kevinz5000@gmail.com)

sshguard is not detecting log entries like this:

  Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root
from ns2.tilbd.net

because sshg-parser fails with a "Could not resolve" error when it tries to look up the hostname:

$  echo '  Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error
for root from ns2.tilbd.net' | /usr/local/libexec/sshg-parser -a
Could not resolve 'ns2.tilbd.net' to address
    Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root
from ns2.tilbd.net
$ 

I am running sshguard 2.4.2_2,1 on FreeBSD 12.4-RELEASE-p2.

I think the problem is that sshg-parser calls cap_enter (in sandbox_init), which puts the process into capability mode, so the kernel refuses the file opens (/etc/nsswitch.conf, /etc/hosts, /etc/resolv.conf) and the port 53 socket connects that the DNS lookup in attack_from_hostname needs; every one of them fails with "Not permitted in capability mode".

The output from truss shows:

cap_enter()                                      = 0 (0x0)
fstat(0,{ mode=p--------- ,inode=355787,size=97,blksize=4096 }) = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370293760
(0x800a11000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370297856
(0x800a12000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370301952
(0x800a13000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370306048
(0x800a14000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370310144
(0x800a15000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370314240
(0x800a16000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370318336
(0x800a17000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370322432
(0x800a18000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370326528
(0x800a19000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370330624
(0x800a1a000)
read(0,"  Jun 27 10:13:54 ext1 sshd[8435"...,4096) = 97 (0x61)
mmap(0x0,28672,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370334720
(0x800a1b000)
mmap(0x0,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370363392
(0x800a22000)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted
in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in
capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in
capability mode'
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370383872
(0x800a27000)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370453504
(0x800a38000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370523136
(0x800a49000)
gettimeofday({ 1687889156.834461 },0x0)          = 0 (0x0)
getpid()                                         = 87455 (0x1559f)
gettimeofday({ 1687889156.835202 },0x0)          = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370527232
(0x800a4a000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370531328
(0x800a4b000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370535424
(0x800a4c000)
issetugid()                                      = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in
capability mode'
__sysctl("kern.hostname",2,0x7fffffffd040,0x7fffffffcd58,0x0,0) = 0 (0x0)
issetugid()                                      = 0 (0x0)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370539520
(0x800a4d000)
gettimeofday({ 1687889156.839494 },0x0)          = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted
in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in
capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)       ERR#94 'Not permitted in
capability mode'
clock_gettime(12,{ 2948703.216701665 })          = 0 (0x0)
fstatat(AT_FDCWD,"/etc/resolv.conf",0x7fffffffd370,0x0) ERR#94 'Not permitted
in capability mode'
gettimeofday({ 1687889156.846809 },0x0)          = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)        = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)             ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)               ERR#94 'Not permitted in
capability mode'
close(3)                                         = 0 (0x0)
Could not resolve 'ns2.tilbd.net' to address
write(2,"Could not resolve 'ns2.tilbd.net"...,45) = 45 (0x2d)
