From: Willem Jan Withagen <wjw@digiware.nl>
Organization: Digiware Management b.v.
Subject: Re: OpenSSH HPN
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Tue, 10 Nov 2015 12:25:13 +0100
Message-ID: <5641D419.5090103@digiware.nl>
In-Reply-To: <86611a9kj6.fsf@desk.des.no>
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl> <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl> <86611a9kj6.fsf@desk.des.no>
List-Id: Discussions about the use of FreeBSD-current

On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
> Willem Jan Withagen writes:
>> Digging in my logfiles .... , and it's things like:
>> sshd[84942]: Disconnecting: Too many authentication failures [preauth]
>>
>> So errors/warnings without IP-nr.
>>
>> And I think I fixed it on one server to also write:
>> error: maximum authentication attempts exceeded for root from
>> 173.254.203.88 port 1042 ssh2 [preauth]
>
> fail2ban should catch both of these since sshd will print a message for
> each failed authentication attempt before it prints a message about
> reaching the limit.

It's already too long to remember the full facts, but when I was looking
at the parser in sshguard, I think I noticed that certain accesses
weren't logged and added some more logging rules to catch those.

What I still have lingering is this snippet:

Index: crypto/openssh/packet.c
===================================================================
--- crypto/openssh/packet.c (revision 289060)
+++ crypto/openssh/packet.c (working copy)
@@ -1128,8 +1128,10 @@
 		logit("Connection closed by %.200s", get_remote_ipaddr());
 		cleanup_exit(255);
 	}
-	if (len < 0)
+	if (len < 0) {
+		logit("Read from socket failed: %.200s", get_remote_ipaddr());
 		fatal("Read from socket failed: %.100s", strerror(errno));
+	}
 	/* Append it to the buffer. */
 	packet_process_incoming(buf, len);
 }

But like I said: The code I found at openssh was so totally different
that I did not continue this track, but chose to start running openssh
from ports. Which does not generate warnings I have questions about
the originating ip-nr.

>> Are they still willing to accept changes to the old version that is
>> currently in base?
>
> No, why would they do that?

Exactly my question.... I guess I misinterpreted your suggestion on
upstreaming patches.

--WjW
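Review bot: in the `if (len < 0)` branch of the packet.c hunk, the new logit() call logs "Read from socket failed" a second time right before fatal() logs it again with strerror(errno), and since fatal() terminates the process anyway the address can be folded into that one call, e.g. `fatal("Read from socket failed from %.200s: %.100s", get_remote_ipaddr(), strerror(errno));`, which gives log parsers such as sshguard or fail2ban a single line carrying both the address and the error. If the two-call form is kept, errno should be saved before the new logit() runs (`int saved_errno = errno;`) and passed to strerror() afterwards, because logit() performs its own I/O and may clobber the value the read() left behind.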
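The thread's point about log lines without an address (the "Disconnecting: Too many authentication failures" line) versus the per-attempt lines that do carry one can be handled on the parser side: sshd tags every line with its process id, and the per-attempt failures are logged by the same process before the limit line, so a parser can attribute the address-less line to the client through the pid. The following is an added example written for this page, not code from sshguard, fail2ban or OpenSSH; the log lines, hostnames, pids and addresses are constructed for illustration, and the message formats are the ones quoted in the thread.

```python
"""Correlate sshd log lines by pid so that a 'Disconnecting: Too many
authentication failures' line (which has no client address) can be
attributed to the address seen in that pid's earlier per-attempt lines.
Added example; sample log lines below are constructed."""
import re
from collections import defaultdict

# Per-attempt failure line; carries the client address.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# Limit-reached line as quoted in the thread; also carries the address.
LIMIT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: maximum authentication attempts exceeded "
    r"for \S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# Disconnect line; no address at all, only the pid ties it to a client.
DISCONNECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: Too many authentication failures"
)

# Constructed sample: two clients that log attempts first, and one pid
# (84960) whose only line is the address-less disconnect.
SAMPLE_LOG = """\
Nov 10 11:20:01 host sshd[84942]: Failed password for root from 192.0.2.10 port 1042 ssh2
Nov 10 11:20:03 host sshd[84942]: Failed password for root from 192.0.2.10 port 1042 ssh2
Nov 10 11:20:05 host sshd[84942]: error: maximum authentication attempts exceeded for root from 192.0.2.10 port 1042 ssh2 [preauth]
Nov 10 11:20:05 host sshd[84942]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:21:00 host sshd[84950]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2
Nov 10 11:21:02 host sshd[84950]: Disconnecting: Too many authentication failures [preauth]
Nov 10 11:22:00 host sshd[84960]: Disconnecting: Too many authentication failures [preauth]
"""


def attribute_disconnects(log_text):
    """Return (events, orphans).

    events:  list of (pid, ip, failed_attempts) for every disconnect line
             whose pid earlier logged an address.
    orphans: pids that hit the limit without any address-bearing line;
             these are exactly the lines a parser cannot act on alone.
    """
    last_ip = {}                 # pid -> most recent client address
    attempts = defaultdict(int)  # pid -> number of 'Failed ...' lines
    events, orphans = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            last_ip[m.group("pid")] = m.group("ip")
            attempts[m.group("pid")] += 1
            continue
        m = LIMIT_RE.search(line)
        if m:
            last_ip[m.group("pid")] = m.group("ip")
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            pid = m.group("pid")
            if pid in last_ip:
                events.append((pid, last_ip[pid], attempts[pid]))
            else:
                orphans.append(pid)
    return events, orphans


if __name__ == "__main__":
    ev, orph = attribute_disconnects(SAMPLE_LOG)
    for pid, ip, n in ev:
        print(f"pid {pid}: limit reached by {ip} after {n} logged failures")
    for pid in orph:
        print(f"pid {pid}: limit reached, no address ever logged")
```

The orphan list is the case the thread is about: if sshd ever emits the disconnect without a preceding per-attempt line, nothing in the log identifies the client, and the only remedy is the server-side change of logging the address on that path.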