Package: sshguard
Version: 1.5-6
Severity: wishlist
sshguard should parse more errors from postfix. One of the problems I
am seeing here is repeated malformed requests like this:
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
Dec 13 09:32:50 marcos postfix/smtpd[24754]: disconnect from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
Dec 13 09:32:50 marcos postfix/smtpd[24754]: connect from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
Dec 13 09:32:50 marcos postfix/smtpd[24754]: lost connection after AUTH from rrcs-24-213-217-114.nys.biz.rr.com[24.213.217.114]
about 5-10 times per second, for minutes on end sometimes. This can
even fill the logfiles...
It seems this is not recognized by the parser... but I think it
should!
I wonder if the following could be sufficient:
--- sshguard-1.6.0.orig/src/parser/attack_scanner.l
+++ sshguard-1.6.0/src/parser/attack_scanner.l
@@ -39,7 +39,7 @@ static int getsyslogpid(char *syslogbann
/* for Login services */
%s ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect ssh_badproto
/* for Mail services */
-%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
postfix_loginerr
+%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr
%sendmail_relaydenied postfix_loginerr postfix_connerr
/* for FTP services */
%s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr
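Review bot: the `%s` start-condition declaration must stay on a single line, and as shown here the `+` line wraps so that `%sendmail_relaydenied postfix_loginerr postfix_connerr` begins a new line; flex would reject that as a malformed directive (and a continuation line starting with whitespace in the definitions section is copied verbatim into the generated C). If the wrap is only a mail artifact this is fine; otherwise rejoin it as one line, `+%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied postfix_loginerr postfix_connerr`. The `-39,7 +39,7` header already says this is a one-line replacement.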
@@ -161,10 +161,14 @@ HOSTADDR localhost|([-a-zA-Z0-9]+\.)+
"badlogin: "[^\[]*"[" {
BEGIN(cyrusimap_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; }
<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$ {
BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
- /* postfix */
+ /* postfix login errors */
"warning: "({WORD}|{HOSTADDR})"[" {
BEGIN(postfix_loginerr); return POSTFIX_SASL_LOGINERR_PREF; }
<postfix_loginerr>"]: SASL "[-A-Z0-9]+" authentication failed".* {
BEGIN(INITIAL); return POSTFIX_SASL_LOGINERR_SUFF; }
+ /* postfix connexion errors */
+"lost connection after AUTH from "({WORD}|{HOSTADDR])"[" {
BEGIN(postfix_connerr); return POSTFIX_SASL_CONNERR_PREF; }
+<postfix_connerr>"]".* {
BEGIN(INITIAL); POSTFIX_SASL_CONNERR_SUFF; }
+
/* FreeBSD's ftpd login errors */
"FTP LOGIN FAILED FROM " {
BEGIN(freebsdftpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; }
<freebsdftpd_loginerr>", ".+ {
BEGIN(INITIAL); return FREEBSDFTPD_LOGINERR_SUFF; }
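Review bot: the `<postfix_connerr>` suffix rule never hands its token to the parser: `BEGIN(INITIAL); POSTFIX_SASL_CONNERR_SUFF; }` is a bare expression statement with no effect and needs `return POSTFIX_SASL_CONNERR_SUFF;` like the surrounding rules. The prefix rule on the line above it also has a bracket typo, `{HOSTADDR]` for `{HOSTADDR}`, which flex will not compile. Both new tokens (`POSTFIX_SASL_CONNERR_PREF` and `POSTFIX_SASL_CONNERR_SUFF`) additionally need a `%token` declaration and a grammar production in attack_parser.y that yields the enclosed address, or the scanner builds but the event is still never counted; that is the glue the report suspects is missing. Note also that the suffix `"]".*` accepts any trailing text, so every `lost connection after AUTH` line is counted as an abuse whatever its cause; the attack threshold (`-a` in the configuration below) is what keeps a client that merely drops its connection from being blocked. Minor: "connexion" in the new comment should read "connection" to match the rest of the file.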
I feel there is some glue missing in `attack_scanner.c` and
`attack_parser.y` but I am not familiar with those enough to tell just
yet.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sshguard depends on:
ii iptables 1.4.21-2+b1
ii libc6 2.19-18+deb8u1
sshguard recommends no packages.
sshguard suggests no packages.
-- Configuration Files:
/etc/default/sshguard changed:
ENABLE_FIREWALL=1
LOGFILES="/var/log/auth.log /var/log/mail.info"
WHITELIST="/etc/sshguard/whitelist"
ARGS="-a 40 -p 420 -s 1200"
-- no debconf information
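The "lost connection after AUTH" flood quoted at the top of the report can be detected outside the flex scanner as well, which is a convenient way to check what the proposed rule would catch. The following is an added example, not code from the report or from sshguard: a regex equivalent of the proposed prefix/suffix pair, plus a sliding-window count per source address modelled on sshguard's `-a` (abuses) and `-s` (seconds) options as they appear in the configuration above. The log lines it runs over are constructed (hostname `mx1`, addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex equivalent of the proposed flex pair: the prefix runs up to "[",
# the client IP sits between the brackets, and the suffix "]" ends the line.
# The host field is a hostname or the literal "unknown"; IPv4 only, for brevity.
POSTFIX_CONNERR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from [-A-Za-z0-9.]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def parse_connerr(line, year=2015):
    """Return (datetime, ip) for a postfix 'lost connection after AUTH' line,
    or None for any other line. The year is supplied by the caller because
    syslog timestamps do not carry one (2015 is an assumed default)."""
    m = POSTFIX_CONNERR.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, threshold=40, window_seconds=1200):
    """Sliding-window counter per source IP, modelled on sshguard's -a/-s
    options: an IP is reported once it produces `threshold` events within
    `window_seconds`. Returns {ip: time the threshold was crossed} for
    offending IPs only; a source seen only once is never reported."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_connerr(line)
        if parsed is None:
            continue               # connect/disconnect and unrelated lines are ignored
        ts, ip = parsed
        if ip in flagged:
            continue               # already reported, nothing more to learn
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # forget events older than the window
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def _sample_log():
    """Constructed sample, not taken from the report: one client reconnecting
    and dropping after AUTH ten times a second for five seconds, interleaved
    with the connect/disconnect lines postfix logs around each attempt, and
    one client that does it a single time."""
    lines = []
    t0 = datetime(2015, 12, 13, 9, 32, 50)
    for i in range(50):
        ts = (t0 + timedelta(seconds=i // 10)).strftime("%b %d %H:%M:%S")
        pid = 24754 + i % 3
        lines.append(f"{ts} mx1 postfix/smtpd[{pid}]: connect from unknown[192.0.2.10]")
        lines.append(f"{ts} mx1 postfix/smtpd[{pid}]: lost connection after AUTH from unknown[192.0.2.10]")
        lines.append(f"{ts} mx1 postfix/smtpd[{pid}]: disconnect from unknown[192.0.2.10]")
    lines.append("Dec 13 09:33:10 mx1 postfix/smtpd[24760]: "
                 "lost connection after AUTH from mail.example.net[198.51.100.7]")
    return lines


if __name__ == "__main__":
    for ip, when in find_offenders(_sample_log()).items():
        print(f"{ip} crossed the attack threshold at {when:%b %d %H:%M:%S}")
```

Run as-is it reports only 192.0.2.10, which reaches 40 events three seconds into the burst; the single event from 198.51.100.7 stays below the threshold, which is the behaviour the `-a 40` setting is meant to give a client that just drops one connection.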