Date:      Wed, 27 Aug 2008 01:34:14 +0200
From:      grem <freebsdusb@bindone.de>
To:        "freebsd-ports-bugs@freebsd.org" <freebsd-ports-bugs@freebsd.org>
Subject:   Re: ports/126867: sshguard-pf 1.1 fails to detect attempted logins
Message-ID:  <48B492F6.1070104@bindone.de>
In-Reply-To: <200808262324.m7QNONMD036190@www.freebsd.org>
References:  <200808262324.m7QNONMD036190@www.freebsd.org>

Forgot How-To-Repeat:

cd /usr/ports/security/sshguard-pf
make install

tail -F /var/log/auth.log | sshguard

Log in to your system using an invalid/non-existing username: you'll get 
locked out as expected.

Log in as many times as you like using an existing user but a wrong 
password; your IP will never be blacklisted.


Michael wrote:
>> Number:         126867
>> Category:       ports
>> Synopsis:       sshguard-pf 1.1 fails to detect attempted logins
>> Confidential:   no
>> Severity:       critical
>> Priority:       high
>> Responsible:    freebsd-ports-bugs
>> State:          open
>> Quarter:        
>> Keywords:       
>> Date-Required:
>> Class:          sw-bug
>> Submitter-Id:   current-users
>> Arrival-Date:   Tue Aug 26 23:30:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator:     Michael
>> Release:        FreeBSD 6.3
>> Organization:
> /bin/done digital solutions
>> Environment:
> FreeBSD servername 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Fri Feb 22 01:48:25 CET 2008     root@servername:/usr/src/sys/i386/compile/GENERIC  i386
>> Description:
> After the upgrade from sshguard-pf 1.0 to 1.1 sshguard doesn't catch failed logins of valid users anymore. So basically its main purpose of preventing brute force password discovery is malfunctioning. This happens on FreeBSD 6.x and 7.x standard installs. By comparing attack_scanner.l in the old and new version I can see that the line catching these logins (it was labeled FreeBSD/MacOS X) is simply gone. 
> 
> This is the log entry generated by FreeBSD on login errors of valid users (PAM):
> 
> Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error for username from 80.190.1.1
> 
> I cannot see anything that can potentially get that in the parser sources.
> 
> Since I have no expertise writing yacc/bison parsers, somebody else has to look at this and fix it ASAP. portupgrade sshguard-pf basically leaves your system unprotected without any indication.
> 
> I assume that this affects all sshguard* ports.
> 
> I will also contact the author about this.
> 
>> How-To-Repeat:
> 
>> Fix:
> Someone has to fix the parser.
> 
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
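Added example, not part of the original message and not sshguard's code: a small regression check that runs a labelled corpus of auth.log lines through a rule set and lists every line the rules get wrong, so a dropped pattern like the one reported above shows up before an upgrade is deployed. The regular expressions are hypothetical stand-ins (not taken from attack_scanner.l); the PAM line is the one quoted in the report, the other two log lines are constructed samples.

```python
import re

# Hypothetical stand-in rules, NOT copied from sshguard's attack_scanner.l.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
INVALID_USER = re.compile(rf"sshd\[\d+\]: Invalid user \S+ from {IP}\b")
PAM_AUTH_ERROR = re.compile(
    rf"sshd\[\d+\]: error: PAM: authentication error for \S+ from {IP}$")

RULES_MISSING_PAM = [INVALID_USER]              # models the behaviour reported for 1.1
RULES_WITH_PAM = [INVALID_USER, PAM_AUTH_ERROR]

# (log line, address that should be counted as an attacker, or None)
CORPUS = [
    # constructed sample: unknown username
    ("Aug 27 00:03:51 server sshd[67291]: Invalid user admin from 80.190.1.1",
     "80.190.1.1"),
    # line quoted in the problem report: valid user, wrong password (PAM)
    ("Aug 27 00:04:05 server sshd[67300]: error: PAM: authentication error "
     "for username from 80.190.1.1", "80.190.1.1"),
    # constructed sample: a successful login must not be counted
    ("Aug 27 00:05:12 server sshd[67312]: Accepted keyboard-interactive/pam "
     "for username from 80.190.1.1 port 51234 ssh2", None),
]

def detect(rules, line):
    """Return the offending address from the first matching rule, else None."""
    for rule in rules:
        m = rule.search(line)
        if m:
            return m.group("ip")
    return None

def coverage_gaps(rules, corpus=CORPUS):
    """Return (line, expected, got) for every corpus line the rules get wrong."""
    return [(line, want, got) for line, want in corpus
            if (got := detect(rules, line)) != want]

if __name__ == "__main__":
    for name, rules in (("without PAM rule", RULES_MISSING_PAM),
                        ("with PAM rule", RULES_WITH_PAM)):
        gaps = coverage_gaps(rules)
        print(f"{name}: {len(gaps)} gap(s)")
        for line, want, got in gaps:
            print(f"  expected {want}, got {got}: {line}")
```
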



