From owner-freebsd-current@freebsd.org  Tue Nov 10 16:02:18 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E19A4A2B6D9
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Tue, 10 Nov 2015 16:02:17 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com
 [66.111.4.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A010519D2
 for <freebsd-current@freebsd.org>; Tue, 10 Nov 2015 16:02:17 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
 by mailout.nyi.internal (Postfix) with ESMTP id 7B73220FDC
 for <freebsd-current@freebsd.org>; Tue, 10 Nov 2015 11:02:10 -0500 (EST)
Received: from web3 ([10.202.2.213])
 by compute2.internal (MEProxy); Tue, 10 Nov 2015 11:02:10 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=e6TqZ2xc57w97S/
 vg6/K05UvhHU=; b=oYOVtDPXsje+9aWVE0EtVa8C2reiauN6yuPisdaNaONxu/k
 Xinph+Do2aoxPDSE/ATsM/JuWBRzJJ7u52liCbdfY3y1RbcNK0IOf5sLxSRkD5Y9
 2nSAiF0C2QA18DpSnn1d/XDroXt1s0U5JkWsmO4IzUFGO4FKSjJx3gZ72aYs=
Received: by web3.nyi.internal (Postfix, from userid 99)
 id 43E8410C20A; Tue, 10 Nov 2015 11:02:10 -0500 (EST)
Message-Id: <1447171330.3672217.435085401.40D8E7F2@webmail.messagingengine.com>
X-Sasl-Enc: emHDRnhRl3CPli67HfP6s2MQO2p/QwGujnguKu7JytKe 1447171330
From: Mark Felder <feld@FreeBSD.org>
To: Willem Jan Withagen <wjw@digiware.nl>,
 =?ISO-8859-1?Q?Dag-Erling=20Sm=F8rgrav?= <des@des.no>
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-643af86c
Subject: Re: OpenSSH HPN
Date: Tue, 10 Nov 2015 10:02:10 -0600
In-Reply-To: <5641D419.5090103@digiware.nl>
References: <86io5a9ome.fsf@desk.des.no> <5641BFC4.7050208@digiware.nl>
 <86a8qm9l9b.fsf@desk.des.no> <5641D00E.501@digiware.nl>
 <86611a9kj6.fsf@desk.des.no> <5641D419.5090103@digiware.nl>
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 16:02:18 -0000



On Tue, Nov 10, 2015, at 05:25, Willem Jan Withagen wrote:
> On 10-11-2015 12:11, Dag-Erling Sm=F8rgrav wrote:
> > Willem Jan Withagen <wjw@digiware.nl> writes:
> >> Digging in my logfiles .... , and its things like:
> >>   sshd[84942]: Disconnecting: Too many authentication failures [preaut=
h]
> >>
> >> So errors/warnings without IP-nr.
> >>
> >> And I think I fixed it on one server to also write:
> >> error: maximum authentication attempts exceeded for root from
> >> 173.254.203.88 port 1042 ssh2 [preauth]
> >
> > fail2ban should catch both of these since sshd will print a message for
> > each failed authentication attempt before it prints a message about
> > reaching the limit.
>=20
> It's already too long to remember the full facts, but when I was looking=
=20
> at the parser in sshguard, I think I noticed that certain accesses=20
> weren't logged and added some more logging rules to catch those.
>=20
> What I still have lingering is this snippet:
> Index: crypto/openssh/packet.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- crypto/openssh/packet.c     (revision 289060)
> +++ crypto/openssh/packet.c     (working copy)
> @@ -1128,8 +1128,10 @@
>                          logit("Connection closed by %.200s",=20
> get_remote_ipaddr());
>                          cleanup_exit(255);
>                  }
> -               if (len < 0)
> +               if (len < 0) {
> +                       logit("Read from socket failed: %.200s",=20
> get_remote_ipaddr());
>                          fatal("Read from socket failed: %.100s",=20
> strerror(errno));
> +               }
>                  /* Append it to the buffer. */
>                  packet_process_incoming(buf, len);
>          }
>=20
> But like I said: The code I found at openssh was so totally different=20
> that I did not continued this track, but chose to start running openssh=20
> from ports. Which does not generate warnings I have questions about the=20
> originating ip-nr.
>=20
> >> Are they still willing to accept changes to the old version that is
> >> currently in base?
> >
> > No, why would they do that?
>=20
> Exactly my question....
> I guess I misinterpreted your suggestion on upstreaming patches.
>=20
> --WjW
>=20

I honestly think everyone would be better served by porting blacklistd
from NetBSD than trying to increase verbosity for log files.


--=20
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org