Dear OpenSSH developers,

I was looking at the fail2ban project and had an idea that instead of parsing log files it could be possible to notify interested parties (like fail2ban) via (for instance) D-bus about a failed login attempt.

Other applications could also use this protocol to notify about suspect behaviors. A central functionality will allow for other (new) projects to integrate without much effort.

What do you think?

Best regards

Krzysztof Kowalski
Given the most recent security scare with distribution-patched sshd having a backdoor because it indirectly linked to xz, I'd expect sentiment to be strongly against adding any integrations. While there is some utility to what you are suggesting, maybe it makes more sense to split apart the fail2ban log parsing from its jail functionality and use it to parse logs onto D-bus.

Let's keep sshd as simple and secure as it can be.

--Gregory

On Thu, Apr 11, 2024 at 05:01:37PM +0200, Krzysztof Kowalski wrote:
> Dear OpenSSH developers,
>
> I was looking at the fail2ban project and had an idea that instead of
> parsing log files it could be possible to notify interested parties (like
> fail2ban) via (for instance) D-bus about a failed login attempt.
>
> Other applications could also use this protocol to notify about suspect
> behaviors. A central functionality will allow for other (new) projects to
> integrate without much effort.
>
> What do you think?
>
> Best regards
>
> Krzysztof Kowalski
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> I was looking at the fail2ban project and had an idea that instead of
> parsing log files it could be possible to notify interested parties
> (like fail2ban) via (for instance) D-bus about a failed login attempt.
>
> Other applications could also use this protocol to notify about suspect
> behaviors. A central functionality will allow for other (new) projects
> to integrate without much effort.
>
> What do you think?

Apart from the current trend of minimizing attack surface, this would need some kind of queue in case the analyzer was stopped, temporarily busy, or whatever. I guess that should use stable storage instead of RAM (to not go OOM just because of external events) - and now we're at the current solution already, with sshd logging to disk and fail2ban reading these files.

Sure, we might be able to ease parsing by dropping JSON instead of text files -- but that would be _additional_ IO, and the "problem" of parsing is already solved, so it doesn't seem to be any real improvement.
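The reply above argues that the log-file path is already a solved problem: sshd writes to disk, and a separate process parses and counts. As an added illustration (not code from this thread, from OpenSSH, or from fail2ban), the following Python shows what that parsing and counting looks like in fail2ban's terms, a maxretry threshold inside a findtime window, and also emits the structured JSON form the reply mentions. The sshd log lines, hostname and IP addresses are constructed for the example; the year is assumed because the traditional syslog timestamp does not carry one.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd lines as syslog writes them (hostname and
# documentation-range IPs are made up for this example).
SAMPLE_LOG = """
Apr 11 17:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 11 17:01:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 11 17:01:09 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Apr 11 17:01:11 host sshd[1237]: Failed password for root from 203.0.113.5 port 51250 ssh2
Apr 11 17:20:00 host sshd[1240]: Failed password for root from 198.51.100.9 port 40010 ssh2
Apr 11 17:45:00 host sshd[1241]: Failed password for root from 198.51.100.9 port 40011 ssh2
Apr 11 17:46:00 host sshd[1242]: Failed password for root from 198.51.100.9 port 40012 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Traditional syslog timestamp, then the sshd
# "Failed <method> for [invalid user] <user> from <ip> port <n>" shape.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+|[0-9a-fA-F:]+) port \d+"
)


def parse_failed_login(line, year=2024):
    """Return a structured event for a failed-login line, or None for any other line."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    # The traditional syslog format carries no year; the caller supplies it (assumed 2024 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "method": m["method"],
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,
        "ip": m["ip"],
    }


def to_json_event(event):
    """Serialise one event as a JSON line, the structured form the reply contemplates."""
    out = dict(event, ts=event["ts"].isoformat())
    return json.dumps(out, sort_keys=True)


def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10), year=2024):
    """fail2ban-style rule: flag a source once it has maxretry failures inside a findtime window.

    Returns {ip: ISO timestamp of the attempt that crossed the threshold}.
    """
    events = [e for e in (parse_failed_login(line, year) for line in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        # Slide the window: discard failures older than findtime relative to this attempt.
        while q and e["ts"] - q[0] > findtime:
            q.pop(0)
        if len(q) >= maxretry and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"].isoformat()
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_failed_login(line)
        if ev:
            print(to_json_event(ev))
    print("would ban:", find_offenders(SAMPLE_LINES))
```

With the defaults, 203.0.113.5 crosses the threshold on its third failure at 17:01:11, while 198.51.100.9 never does: its first attempt at 17:20 has aged out of the ten-minute window by the time the next two arrive, which is exactly the findtime behaviour a log-based analyzer gets for free from the timestamps already on disk.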
> On 11 Apr 2024, at 17:01, Krzysztof Kowalski <krzysztof.kowalski at hashmx.com> wrote:
>
> Dear OpenSSH developers,
>
> I was looking at the fail2ban project and had an idea that instead of parsing log files it could be possible to notify interested parties (like fail2ban) via (for instance) D-bus about a failed login attempt.
>
> Other applications could also use this protocol to notify about suspect behaviors. A central functionality will allow for other (new) projects to integrate without much effort.
>
> What do you think?

Just use sshguard - very effective and much more lightweight than fail2ban.
On Thu, 11 Apr 2024, Krzysztof Kowalski wrote:
> Dear OpenSSH developers,
>
> I was looking at the fail2ban project and had an idea that instead of parsing
> log files it could be possible to notify interested parties (like fail2ban)
> via (for instance) D-bus about a failed login attempt.
>
> Other applications could also use this protocol to notify about suspect
> behaviors. A central functionality will allow for other (new) projects to
> integrate without much effort.
>
> What do you think?

As others have mentioned, we're really not in the mood for more library dependencies right now. However, some people have asked for platform features that would require D-bus support. I don't know much about the D-bus protocol, but if a small D-bus client is just opening a unix domain socket and writing a message to it then we could possibly support it using a standalone implementation, like we just did for systemd.

-d