On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
Willem Jan Withagen <w...@digiware.nl> writes:
Digging in my logfiles .... , and its things like:
sshd[84942]: Disconnecting: Too many authentication failures [preauth]
So errors/warnings without IP-nr.
And I think I fixed it on one server to also write:
error: maximum authentication attempts exceeded for root from
173.254.203.88 port 1042 ssh2 [preauth]
fail2ban should catch both of these since sshd will print a message for
each failed authentication attempt before it prints a message about
reaching the limit.
It's already too long to remember the full facts, but when I was looking
at the parser in sshguard, I think I noticed that certain accesses
weren't logged and added some more logging rules to catch those.
What I still have lingering is this snippet:
Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c (revision 289060)
+++ crypto/openssh/packet.c (working copy)
@@ -1128,8 +1128,10 @@
logit("Connection closed by %.200s",
get_remote_ipaddr());
cleanup_exit(255);
}
- if (len < 0)
+ if (len < 0) {
+ logit("Read from socket failed: %.200s",
get_remote_ipaddr());
fatal("Read from socket failed: %.100s",
strerror(errno));
+ }
/* Append it to the buffer. */
packet_process_incoming(buf, len);
}
But like I said: The code I found at openssh was so totally different
that I did not continued this track, but chose to start running openssh
from ports. Which does not generate warnings I have questions about the
originating ip-nr.
Are they still willing to accept changes to the old version that is
currently in base?
No, why would they do that?
Exactly my question....
I guess I misinterpreted your suggestion on upstreaming patches.
--WjW
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
