On 10-11-2015 12:11, Dag-Erling Sm?rgrav wrote:> Willem Jan Withagen <wjw at digiware.nl> writes: >> Digging in my logfiles .... , and its things like: >> sshd[84942]: Disconnecting: Too many authentication failures [preauth] >> >> So errors/warnings without IP-nr. >> >> And I think I fixed it on one server to also write: >> error: maximum authentication attempts exceeded for root from >> 173.254.203.88 port 1042 ssh2 [preauth] > > fail2ban should catch both of these since sshd will print a message for > each failed authentication attempt before it prints a message about > reaching the limit.It's already too long to remember the full facts, but when I was looking at the parser in sshguard, I think I noticed that certain accesses weren't logged and added some more logging rules to catch those. What I still have lingering is this snippet: Index: crypto/openssh/packet.c ==================================================================--- crypto/openssh/packet.c (revision 289060) +++ crypto/openssh/packet.c (working copy) @@ -1128,8 +1128,10 @@ logit("Connection closed by %.200s", get_remote_ipaddr()); cleanup_exit(255); } - if (len < 0) + if (len < 0) { + logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno)); + } /* Append it to the buffer. */ packet_process_incoming(buf, len); } But like I said: The code I found at openssh was so totally different that I did not continued this track, but chose to start running openssh from ports. Which does not generate warnings I have questions about the originating ip-nr.>> Are they still willing to accept changes to the old version that is >> currently in base? > > No, why would they do that?Exactly my question.... I guess I misinterpreted your suggestion on upstreaming patches. --WjW
Willem Jan Withagen <wjw at digiware.nl> writes:> "Dag-Erling Sm?rgrav" <des at des.no> writes: > > Willem Jan Withagen <wjw at digiware.nl> writes: > > > Are they still willing to accept changes to the old version that > > > is currently in base? > > No, why would they do that? > Exactly my question.... I guess I misinterpreted your suggestion on > upstreaming patches.I didn't suggest submitting patches, I suggested submitting a feature request. Damien is generally pretty open to suggestions. DES -- Dag-Erling Sm?rgrav - des at des.no
On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:> On 10-11-2015 12:11, Dag-Erling Sm?rgrav wrote: > > Willem Jan Withagen <wjw at digiware.nl> writes: > >> Digging in my logfiles .... , and its things like: > >> sshd[84942]: Disconnecting: Too many authentication failures [preauth] > >> > >> So errors/warnings without IP-nr. > >> > >> And I think I fixed it on one server to also write: > >> error: maximum authentication attempts exceeded for root from > >> 173.254.203.88 port 1042 ssh2 [preauth] > > > > fail2ban should catch both of these since sshd will print a message for > > each failed authentication attempt before it prints a message about > > reaching the limit. > > It's already too long to remember the full facts, but when I was looking > at the parser in sshguard, I think I noticed that certain accesses > weren't logged and added some more logging rules to catch those. > > What I still have lingering is this snippet: > Index: crypto/openssh/packet.c > ==================================================================> --- crypto/openssh/packet.c (revision 289060) > +++ crypto/openssh/packet.c (working copy) > @@ -1128,8 +1128,10 @@ > logit("Connection closed by %.200s", > get_remote_ipaddr()); > cleanup_exit(255); > } > - if (len < 0) > + if (len < 0) { > + logit("Read from socket failed: %.200s", > get_remote_ipaddr()); > fatal("Read from socket failed: %.100s", > strerror(errno)); > + } > /* Append it to the buffer. */ > packet_process_incoming(buf, len); > } > > But like I said: The code I found at openssh was so totally different > that I did not continued this track, but chose to start running openssh > from ports. Which does not generate warnings I have questions about the > originating ip-nr. > > >> Are they still willing to accept changes to the old version that is > >> currently in base? > > > > No, why would they do that? > > Exactly my question.... > I guess I misinterpreted your suggestion on upstreaming patches. > > --WjW >I honestly think everyone would be better served by porting blacklistd from NetBSD than trying to increase verbosity for log files. -- Mark Felder ports-secteam member feld at FreeBSD.org