On Fri, 08 Nov 2013, Colin Watson wrote:
> On Sat, Sep 14, 2013 at 07:48:49PM -0400, Yaroslav Halchenko wrote:
> > cool -- thanks Colin for the heads up.
> > I guess that is the code:
> > authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
> > authmsg,
> > method,
> > submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
> > authctxt->valid ? "" : "invalid user ",
> > authctxt->user,
> > get_remote_ipaddr(),
> > get_remote_port(),
> > compat20 ? "ssh2" : "ssh1",
> > authctxt->info != NULL ? ": " : "",
> > authctxt->info != NULL ? authctxt->info : "");
> > would you happen to have a sample log line(s)? removal anchoring at the
> > end
> > might not be ideal here due to a '.*' in the middle thus a bit more
> > analysis is
> > needed on how exactly trailing line could look like and what info could be
> > logged there so we do not end up opening it up for injection attacks.
> Sorry for my delay. Here are a couple of samples:
> (ssh to invalid user; this matches the previous pattern)
> Nov 8 13:33:15 unstable sshd[2825]: Failed password for invalid user fake
> from 10.0.3.1 port 59419 ssh2
> (successful authentication; wouldn't match here but shows the kind of
> extra information provided)
> Nov 8 13:38:43 unstable sshd[2861]: Accepted publickey for cjwatson from
> 10.0.3.1 port 59437 ssh2: RSA 20:a0:6f:22:67:30:0f:a7:a9:f4:93:e6:7d:bd:ae:59
> As far as I can tell from a search through the code the extra
> information provided after the colon-space could currently be:
> ruser <client user (any string, supplied by client)>
> (SSH1, rhosts/RSA)
> <key type> ID <key ID> (serial <number>) CA <key type> <fingerprint>
> (SSH2, pubkey, CA key, no hostbased auth)
> <key type> ID <key ID> (serial <number>) CA <key type> <fingerprint>,
> client user "<user>", client host "<host>"
> (SSH2, pubkey, CA key, hostbased auth)
> <key type> <fingerprint>
> (SSH2, pubkey, not a CA key, no hostbased auth)
> <key type> <fingerprint>, client user "<user>", client host "<host>"
> (SSH2, pubkey, not a CA key, hostbased auth)
eh -- sorry for not following up either...
we have adjusted sshd filter upstream already to be
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(:
(ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user
".{0,100}", client host ".{0,100}")?))?\s*$
which should resolve this issue. Check out
http://github.com/fail2ban/fail2ban
and if you see that it is not working for you.
> I don't think it's really a good idea to special-case all of these,
> because these are quite likely to be adjusted or extended in future.
> I take your point about avoiding injection attacks, though, given that
> some of these can be supplied by the client; I assume your concern is
> that somebody could inject a different host name in their failure and
> thus evade bans. How about just using ".*?" in the middle rather than
> ".*", then? The true host name will always come first. That would
> result in:
> ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?
> Thanks,
--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
