NAK, inline:
> On Nov 3, 2017, at 6:46 AM, Hans Dedecker <dedec...@gmail.com> wrote:
>
> By default dropbear logs to syslog which discloses info about account names
> when doing connection attempts (e.g. "Bad password attempt for 'engineer' from
> x.x.x.x:y")
> As this facilitates brute force attempts against account names; make syslog
> support configurable in order not to leak sensitive info via syslog.
>
> Signed-off-by: Hans Dedecker <dedec...@gmail.com>
> ---
> package/network/services/dropbear/Config.in | 6 ++++++
> package/network/services/dropbear/Makefile | 7 ++++---
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/dropbear/Config.in
> b/package/network/services/dropbear/Config.in
> index ca0af9d..95316b9 100644
> --- a/package/network/services/dropbear/Config.in
> +++ b/package/network/services/dropbear/Config.in
> @@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
> help
> Dropbear will use pututline() to write the utmp structure into
> the utmp file.
>
> +config DROPBEAR_DISABLE_SYSLOG
> + bool "Disable syslog logging"
> + default n
> + help
> + Disables syslog log support; log messages will be redirected to
> stderr.
> +

Not logging attacks at all is the worst possible option. See the rationale for auditing and logging in the NSA's Red Book. A better fix is a patch which logs different message contents (i.e. maybe one without the user name) based on a command-line option or that just logs this message at a different priority (info versus notice, for example) so they could be dropped just by raising the log level.

-Philip

> endmenu
> diff --git a/package/network/services/dropbear/Makefile
> b/package/network/services/dropbear/Makefile
> index 2db2f81..32efa7b 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
> PKG_NAME:=dropbear
> PKG_VERSION:=2017.75
> -PKG_RELEASE:=4
> +PKG_RELEASE:=5
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:= \
> @@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
> PKG_CONFIG_DEPENDS:= \
> CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
> CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
> - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
> + CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
> + CONFIG_DROPBEAR_DISABLE_SYSLOG
>
> include $(INCLUDE_DIR)/package.mk
>
> @@ -69,7 +70,7 @@ endef
> CONFIGURE_ARGS += \
> --disable-pam \
> --enable-openpty \
> - --enable-syslog \
> + $(if
> $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
> --disable-lastlog \
> --disable-utmpx \
> $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
> --
> 1.9.1
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
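Review bot: the help text added in the Config.in hunk (`+ Disables syslog log support; log messages will be redirected to stderr.`) should state the operational consequence: once `--disable-syslog` is in effect, the "Bad password attempt" messages cited in the commit message exist only on stderr, so failed authentication attempts leave no record unless that stream is captured somewhere. Consider saying so in the help, and consider whether a positively named option (e.g. `bool "Enable syslog logging"` with `default y`) would read more consistently next to DROPBEAR_UTMP and DROPBEAR_PUTUTLINE, both of which enable rather than disable a feature.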
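Review bot: in the CONFIGURE_ARGS hunk the new line `+ $(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \` arrives split across two lines in the mail (`+ $(if` / `$(CONFIG_DROPBEAR_DISABLE_SYSLOG),...`), which would not apply as a valid Makefile continuation; please confirm the patch applies cleanly with `git am` from the original message. Stylistically, the neighbouring entry `$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp)` tests a positive option and only emits the `--disable-*` flag; a positive CONFIG_DROPBEAR_SYSLOG option would let this line follow the same `$(if $(CONFIG_...),,--disable-syslog)` pattern instead of inverting the sense.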