gnu/125184: sshd does not always log IP address for login failures

Richard Clayton richard at highwayman.com
Wed Jul 2 14:00:11 UTC 2008


>Number:         125184
>Category:       gnu
>Synopsis:       sshd does not always log IP address for login failures
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 02 14:00:11 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Richard Clayton
>Release:        7.0-STABLE
>Organization:
University of Cambridge
>Environment:
FreeBSD happyday.demon.co.uk 7.0-STABLE FreeBSD 7.0-STABLE #20: Thu Apr 17 23:45:32 BST 2008     rnc1 at happyday.demon.co.uk:/usr/obj/usr/src/sys/HAPPYDAY  i386

>Description:
When login failures occur (usually attacks by password guessers), and there is reverse DNS for the remote machine, then the reverse DNS value is recorded...

.. however, since the reverse DNS is not reliable (it may be controlled by the attacker, or may just be inaccurate) it is important to also log the actual IP address that was used, since only this can be used to ensure that reports of wickedness are sent to the correct place.

It would also be nice :) to guarantee a fixed format for locating the IP address in all relevant error messages, since that will permit automating abuse reports.
>How-To-Repeat:
#1 Place machine onto Internet
#2 wait (not very long)
#3 examine daily security email...

If waiting is undesirable, access the machine via ssh from a machine at an IP address that has some reverse DNS set up.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
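
The point of the report, shown as an added example (not part of the original report and not sshd code): a Python triage pass over auth-log lines that separates login failures whose origin is a literal IP address from those where only a reverse-DNS name was logged. The sample lines are constructed, and their message shapes and the names `triage` and `classify_origin` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample lines (not from the report); the message shapes are
# assumptions modelled on typical sshd auth-log output.
SAMPLE_LOG = """\
Jul  2 13:01:07 host sshd[4101]: Failed password for root from 192.0.2.45 port 51122 ssh2
Jul  2 13:01:09 host sshd[4103]: error: PAM: authentication error for root from scanner.example.net
Jul  2 13:01:12 host sshd[4107]: Invalid user admin from 2001:db8::17
Jul  2 13:01:15 host sshd[4110]: Accepted publickey for rnc1 from 198.51.100.9 port 40022 ssh2
Jul  2 13:01:20 host sshd[4112]: error: PAM: authentication error for illegal user test from 203.0.113.8
"""

FAILURE = re.compile(r"sshd\[\d+\]: .*(Failed|Invalid user|authentication error)")
# Greedy match: take the token after the LAST " from ", so a user name that
# itself contains " from 192.0.2.1" cannot spoof the origin field.
ORIGIN = re.compile(r".* from (\S+)")


def classify_origin(token):
    """Return ('ip', canonical_address) or ('name', token) for a 'from' token."""
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        return "name", token


def triage(log_text):
    """Split login-failure lines into reportable (IP logged) and name-only."""
    reportable, name_only = [], []
    for line in log_text.splitlines():
        m = ORIGIN.match(line) if FAILURE.search(line) else None
        if not m:
            continue
        kind, value = classify_origin(m.group(1))
        (reportable if kind == "ip" else name_only).append((value, line))
    return reportable, name_only


if __name__ == "__main__":
    ok, unattributable = triage(SAMPLE_LOG)
    for addr, _ in ok:
        print("abuse report can name", addr)
    for name, _ in unattributable:
        # The name is not resolved to fill the gap: DNS is not evidence of
        # the address that actually connected.
        print("no IP logged, cannot attribute:", name)
```

Name-only lines are counted but cannot be turned into an abuse report, which is the gap the change request asks sshd to close.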

