On 10-11-2015 12:11, Dag-Erling Sm?rgrav wrote:> Willem Jan Withagen <wjw at digiware.nl> writes:
>> Digging in my logfiles .... , and its things like:
>> sshd[84942]: Disconnecting: Too many authentication failures
[preauth]
>>
>> So errors/warnings without IP-nr.
>>
>> And I think I fixed it on one server to also write:
>> error: maximum authentication attempts exceeded for root from
>> 173.254.203.88 port 1042 ssh2 [preauth]
>
> fail2ban should catch both of these since sshd will print a message for
> each failed authentication attempt before it prints a message about
> reaching the limit.
It's already too long to remember the full facts, but when I was looking
at the parser in sshguard, I think I noticed that certain accesses
weren't logged and added some more logging rules to catch those.
What I still have lingering is this snippet:
Index: crypto/openssh/packet.c
==================================================================---
crypto/openssh/packet.c (revision 289060)
+++ crypto/openssh/packet.c (working copy)
@@ -1128,8 +1128,10 @@
logit("Connection closed by %.200s",
get_remote_ipaddr());
cleanup_exit(255);
}
- if (len < 0)
+ if (len < 0) {
+ logit("Read from socket failed: %.200s",
get_remote_ipaddr());
fatal("Read from socket failed: %.100s",
strerror(errno));
+ }
/* Append it to the buffer. */
packet_process_incoming(buf, len);
}
But like I said: The code I found at openssh was so totally different
that I did not continued this track, but chose to start running openssh
from ports. Which does not generate warnings I have questions about the
originating ip-nr.
>> Are they still willing to accept changes to the old version that is
>> currently in base?
>
> No, why would they do that?
Exactly my question....
I guess I misinterpreted your suggestion on upstreaming patches.
--WjW