Date:      Tue, 10 Nov 2015 11:12:35 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-current@freebsd.org
Subject:   Re: OpenSSH HPN
Message-ID:  <56421773.6030101@freebsd.org>
In-Reply-To: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>
References:  <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no> <5641D419.5090103@digiware.nl> <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>

On 2015-11-10 11:02, Mark Felder wrote:
>
>
> On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
>> On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
>>> Willem Jan Withagen <wjw@digiware.nl> writes:
>>>> Digging in my logfiles .... , and it's things like:
>>>>   sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>>>
>>>> So errors/warnings without IP-nr.
>>>>
>>>> And I think I fixed it on one server to also write:
>>>> error: maximum authentication attempts exceeded for root from
>>>> 173.254.203.88 port 1042 ssh2 [preauth]
>>>
>>> fail2ban should catch both of these since sshd will print a message for
>>> each failed authentication attempt before it prints a message about
>>> reaching the limit.
>>
>> It's already too long to remember the full facts, but when I was looking
>> at the parser in sshguard, I think I noticed that certain accesses
>> weren't logged and added some more logging rules to catch those.
>>
>> What I still have lingering is this snippet:
>> Index: crypto/openssh/packet.c
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> --- crypto/openssh/packet.c     (revision 289060)
>> +++ crypto/openssh/packet.c     (working copy)
>> @@ -1128,8 +1128,10 @@
>>                          logit("Connection closed by %.200s",=20
>> get_remote_ipaddr());
>>                          cleanup_exit(255);
>>                  }
>> -               if (len < 0)
>> +               if (len < 0) {
>> +                       logit("Read from socket failed: %.200s",=20
>> get_remote_ipaddr());
>>                          fatal("Read from socket failed: %.100s",=20
>> strerror(errno));
>> +               }
>>                  /* Append it to the buffer. */
>>                  packet_process_incoming(buf, len);
>>          }
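Review bot: in the new "if (len < 0) {" branch, get_remote_ipaddr() and logit() run before fatal() evaluates strerror(errno), so the errno left by the failed read can be overwritten before it is reported. Save it on entry to the branch (int saved_errno = errno;) and pass strerror(saved_errno) to fatal(). The added logit() line and the existing fatal() line also share the prefix "Read from socket failed:" while carrying different payloads (address in one, error text in the other), so a log parser has to pair two lines per event; putting the address and the error text into one message would give tools like sshguard a single line to match.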
>>
>> But like I said: The code I found at openssh was so totally different
>> that I did not continue this track, but chose to start running openssh
>> from ports. Which does not generate warnings I have questions about the
>> originating ip-nr.
>>
>>>> Are they still willing to accept changes to the old version that is
>>>> currently in base?
>>>
>>> No, why would they do that?
>>
>> Exactly my question....
>> I guess I misinterpreted your suggestion on upstreaming patches.
>>
>> --WjW
>>
>
> I honestly think everyone would be better served by porting blacklistd
> from NetBSD than trying to increase verbosity for log files.
>
>

I have been using HPN + NONE for a few years and find them quite useful,
but it is easier to install openssh-portable and run that than to
recompile the base system to enable the NONE cipher, so I have no
objection to removing the patches from base.

The useful logging feature that comes with the newer version of openssh
is logging which SSH key the user authenticated with.

-- 
Allan Jude
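
The point made in the quoted thread, that a limit message without an address can still be attributed through the per-attempt messages the same sshd process logged earlier, as an added example that is not part of the original message or of sshguard/fail2ban. It assumes the per-attempt line has the form "Failed password for <user> from <addr> port <n> ssh2" and that the pid in sshd[pid] identifies one connection; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Nov 10 11:00:01 host sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:00:02 host sshd[84950]: Failed password for invalid user admin from 198.51.100.23 port 5122 ssh2
Nov 10 11:00:03 host sshd[84942]: Failed password for root from 203.0.113.7 port 1042 ssh2
Nov 10 11:00:04 host sshd[84942]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:00:05 host sshd[84950]: error: maximum authentication attempts exceeded for invalid user admin from 198.51.100.23 port 5122 ssh2 [preauth]
Nov 10 11:00:06 host sshd[85001]: Disconnecting: Too many authentication failures [preauth]
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
# Greedy prefix so the last "from <addr> port <n>" in the message wins.
ADDR_RE = re.compile(r".* from (\S+) port \d+")
LIMIT_RE = re.compile(
    r"Too many authentication failures|maximum authentication attempts exceeded")


def attribute_limit_events(log_text):
    """Return (failures per address, [(pid, address or None)] for limit events)."""
    last_addr = {}               # sshd pid -> last address that process logged
    failures = defaultdict(int)  # address -> failed attempts seen
    limits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        addr = ADDR_RE.match(msg)
        if addr:
            last_addr[pid] = addr.group(1)
        if msg.startswith("Failed ") and addr:
            failures[addr.group(1)] += 1
        elif LIMIT_RE.search(msg):
            # pop(): pids are recycled, so forget the mapping once the
            # connection is torn down. None means nothing to correlate with.
            limits.append((pid, last_addr.pop(pid, None)))
    return dict(failures), limits


if __name__ == "__main__":
    counts, events = attribute_limit_events(SAMPLE_LOG)
    print(counts)
    for pid, address in events:
        print(pid, address or "unattributed")
```

The third limit event stays unattributed because no earlier line from that pid carried an address, which is the case the thread's extra logging was meant to cover.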
