From: grem
Date: Wed, 27 Aug 2008 01:34:14 +0200
To: "freebsd-ports-bugs@freebsd.org"
Subject: Re: ports/126867: sshguard-pf 1.1 fails to detect attempted logins
Message-ID: <48B492F6.1070104@bindone.de>
In-Reply-To: <200808262324.m7QNONMD036190@www.freebsd.org>

Forgot How-To-Repeat:

    cd /usr/ports/security/sshguard-pf
    make install
    tail -F /var/log/auth.log | sshguard

Log in to your system using an invalid/non-existing username: you'll get locked out as expected.
Log in however many times you feel like using an existing user but a wrong password; your IP will never be blacklisted.

Michael wrote:
>> Number: 126867
>> Category: ports
>> Synopsis: sshguard-pf 1.1 fails to detect attempted logins
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-ports-bugs
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: sw-bug
>> Submitter-Id: current-users
>> Arrival-Date: Tue Aug 26 23:30:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator: Michael
>> Release: FreeBSD 6.3
>> Organization:
> /bin/done digital solutions
>> Environment:
> FreeBSD servername 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Fri Feb 22 01:48:25 CET 2008 root@servername:/usr/src/sys/i386/compile/GENERIC i386
>> Description:
> After the upgrade from sshguard-pf 1.0 to 1.1, sshguard doesn't catch failed logins of valid users anymore. So basically its main purpose of preventing brute force password discovery is malfunctioning. This happens on FreeBSD 6.x and 7.x standard installs. By comparing attack_scanner.l in the old and new version I can see that the line catching these logins (it was labeled FreeBSD/MacOS X) is simply gone.
>
> This is the log entry generated by FreeBSD on login errors of valid users (PAM):
>
> Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for username from 80.190.1.1
>
> I cannot see anything that can potentially get that in the parser sources.
>
> Since I have no expertise writing yacc/bison parsers, somebody else has to look at this and fix it asap. portupgrade sshguard-pf basically leaves your system unprotected without any indication.
>
> I assume that this affects all sshguard* ports.
>
> I will also contact the author about this.
>
>> How-To-Repeat:
>
>> Fix:
> Someone has to fix the parser.
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
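
Added example (not part of the original message and not sshguard's code): a small C check that models the regression described in the report by running a rule set with and without a rule for the FreeBSD PAM line over sample auth.log lines. The patterns, the function names match_failure and count_detected, and the "Invalid user" and "Accepted publickey" sample lines are assumptions made for this example; only the PAM line is taken from the report.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Example patterns written for this note; they are not sshguard's own rules. */
#define IPV4 "([0-9]{1,3}(\\.[0-9]{1,3}){3})"
static const char *RULES[] = {
    /* unknown account; line format assumed from OpenSSH's usual message */
    "sshd\\[[0-9]+\\]: Invalid user [^ ]+ from " IPV4 "$",
    /* valid account, wrong password: the FreeBSD PAM line quoted in the report */
    "sshd\\[[0-9]+\\]: error: PAM: authentication error for [^ ]+ from " IPV4 "$",
};
/* Sample input: the second line is from the report, the others are constructed. */
static const char *SAMPLE[] = {
    "Aug 27 00:03:10 server sshd[67290]: Invalid user nosuchuser from 80.190.1.1",
    "Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for username from 80.190.1.1",
    "Aug 27 00:05:00 server sshd[67310]: Accepted publickey for username from 80.190.1.1 port 50000 ssh2",
};

/* Try the first nrules rules on one log line (no trailing newline); on a match copy
 * the source address into addr and return 1. nrules = 1 models a missing PAM rule. */
int match_failure(const char *line, int nrules, char *addr, size_t len)
{
    for (int i = 0; i < nrules && i < 2; i++) {
        regex_t re; regmatch_t m[2];
        if (regcomp(&re, RULES[i], REG_EXTENDED) != 0) continue;
        int hit = regexec(&re, line, 2, m, 0) == 0;
        regfree(&re);
        if (hit) {
            snprintf(addr, len, "%.*s", (int)(m[1].rm_eo - m[1].rm_so), line + m[1].rm_so);
            return 1;
        }
    }
    return 0;
}
/* Number of sample lines counted as failed logins with the given rule set. */
int count_detected(int nrules)
{
    char addr[64];
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        hits += match_failure(SAMPLE[i], nrules, addr, sizeof addr);
    return hits;
}

int main(void)
{
    printf("without PAM rule: %d, with PAM rule: %d\n", count_detected(1), count_detected(2));
    return 0;
}
```

A check of this kind, run against real auth.log samples for each supported platform after a port upgrade, shows a dropped rule as a lower detection count instead of as silence.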