Date: Mon, 4 Feb 2008 18:09:58 GMT
From: Michael Grimm <trashcan@odo.in-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/120263: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
Message-ID: <200802041809.m14I9wkV011656@www.freebsd.org>
Resent-Message-ID: <200802041820.m14IK1fc057979@freefall.freebsd.org>
>Number:         120263
>Category:       conf
>Synopsis:       [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 04 18:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Grimm
>Release:        FreeBSD 6.3-RELEASE i386
>Organization:
none
>Environment:
FreeBSD troi.scotty.invalid 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Sat Jan 26 02:49:42 CET 2008 root@troi.scotty.invalid:/usr/obj/usr/src/sys/VIA-C7 i386
>Description:
The following entries in /var/log/auth.log should be triggered in the daily security report (xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):

Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!

800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE only recognizes the second entry.

The relevant regex part of the 6.2 800.loginfail is:

    egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"

and in 6.3 it has been changed to:

    egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"

Presumably, one tried to overcome false positives when system names contained "fail|invalid|bad|illegal" and tried to modify the regex accordingly. Now, "^$yesterday.*: " triggers the first part up to "...sshd[.....]: " correctly. After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with one buzzword (first example: Invalid) it cannot be triggered due to a single blank demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".

The following entry in /var/log/auth.log is neither triggered by the 6.2 nor by the 6.3 800.loginfail.
IMHO this should be added as well:

Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
>How-To-Repeat:
>Fix:
apply patch

Patch attached with submission follows:

--- /usr/src/etc/periodic/security/800.loginfail 2007-03-06 19:29:19.000000000 +0100 +++ 800.loginfail 2008-02-04 19:06:17.000000000 +0100 @@ -59,7 +59,7 @@ [Yy][Ee][Ss]) echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0;; *) rc=0;;
>Release-Note:
>Audit-Trail:
>Unformatted:
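Review bot: the `+` line drops the only word boundary the 6.3 pattern had, so `(fail|invalid|bad|illegal|not allowed)` now matches anywhere after the first `: `, including inside a longer word in an otherwise benign message; the blank was removed only because `Invalid` can sit directly after `: `, and `-i` already handles its capitalisation, so `: (.* )?(fail|invalid|bad|illegal|not allowed)` would accept both the message-initial and the mid-message case while still requiring the buzzword to start a word. The hostname false positive the 6.3 change targeted stays excluded either way, since the `: ` anchor keeps the match after the syslog tag.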
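As an added illustration, not part of the PR or of the 800.loginfail script, this snippet runs the 6.2, 6.3 and patched patterns quoted in the report over constructed copies of the three auth.log lines plus two constructed controls (a previous-day line and a benign line from a host named `badhost`); `grep -E -i` stands in for the script's `egrep -ia`, and `$yesterday` is fixed to "Jan 26" to match the sample.

```shell
#!/bin/sh
# Added example: compare the three 800.loginfail patterns from PR 120263.
# Constructed input: the three auth.log lines quoted in the report (addresses
# masked as in the report) plus two controls that must NOT be reported:
# a line from the day before, and a benign line whose hostname contains "bad".
AUTHLOG='Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
Jan 25 07:00:00 troi sshd[11111]: Invalid user bob from xxx.xxx.xxx.xxx
Jan 26 09:00:00 badhost sshd[22222]: Accepted publickey for alice from xxx.xxx.xxx.xxx port 2222 ssh2'

# 800.loginfail derives $yesterday from date(1); fixed here to match the sample.
yesterday='Jan 26'

RE_62="^$yesterday.*(fail|invalid|bad|illegal)"                      # 6.2-RELEASE
RE_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"                 # 6.3-RELEASE
RE_PATCH="^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)"  # this PR

# count_hits PATTERN: number of input lines the pattern reports, i.e. what the
# script's "| wc -l" would count. grep -E -i stands in for egrep -ia.
count_hits() {
    printf '%s\n' "$AUTHLOG" | grep -E -i -c -e "$1" || :
}

# show_hits LABEL PATTERN: print the label, the count and the matched lines.
show_hits() {
    printf '%s: %s hit(s)\n' "$1" "$(count_hits "$2")"
    printf '%s\n' "$AUTHLOG" | grep -E -i -e "$2" | sed 's/^/    /'
}

show_hits '6.2 regex' "$RE_62"         # 3: both sshd lines, plus the badhost false positive
show_hits '6.3 regex' "$RE_63"         # 1: only the "failed" line; "Invalid" right after ": " is missed
show_hits 'patched regex' "$RE_PATCH"  # 3: Invalid, failed, and the new "not allowed" line
```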
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200802041809.m14I9wkV011656>