Package: sshguard
Version: 1.7.1-1
Severity: important
Tags: patch

Dear maintainer,

Quite a long time ago, I noticed that sshguard stopped detecting one of the most popular lines in auth.log for ssh, which looks like this:

Jun 1 00:02:59 server sshd[15980]: Failed password for invalid user student from 119.28.7.243 port 60902 ssh2

Not being able to detect these lines renders sshguard pretty much useless for detecting ssh attacks. Until now I managed to mitigate that via an rsyslog rewriting template, but now I decided to do things properly and send you a patch that makes sshguard detect lines like these. I'm not very good with flex, but I've tested it in sshguard debug mode, and it seems to work OK.

Please see the patch enclosed. It should be applied to the file src/parser/attack_scanner.l. Is it possible that it will be accepted in stretch?

Thanks in advance!

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages sshguard depends on:
ii  init-system-helpers  1.48
ii  iptables             1.6.0+snapshot20161117-6
ii  libc6                2.24-11+deb9u3
ii  lsb-base             9.20161125

sshguard recommends no packages.

sshguard suggests no packages.

-- no debconf information
--- attack_scanner.orig.l 2016-10-11 19:22:37.000000000 +0300 +++ attack_scanner.l 2018-06-01 01:35:52.000000000 +0300 @@ -38,7 +38,7 @@ /* Start Conditions */ /* for Login services */ -%s ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex +%s ssh_invaluser ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex /* for Mail services */ %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied sendmail_authfailure postfix_loginerr /* for FTP services */ @@ -124,6 +124,8 @@ /* SSH: invalid or rejected user (cross platform [generated by openssh]) */ [Ii]"nvalid user ".+" from " { return SSH_INVALUSERPREF; } +"Failed password for "?[Ii]"nvalid user ".+" from " { BEGIN(ssh_invaluser); return SSH_INVALUSERPREF; } +<ssh_invaluser>"port "{NUMBER}" ssh".? { BEGIN(INITIAL); } /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */ /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */ "User ".+" from " { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
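Review bot: Style point on the `%s` hunk: the new `ssh_invaluser` condition is inserted at the head of the list rather than appended after `ssh_badkex`, so the diff rewrites the whole line where a one-word addition at the end would do and would keep the list in the order the conditions were introduced. Keeping it declared with `%s` (inclusive) is correct, since the unprefixed address-token rules must stay active while the scanner is in `ssh_invaluser`.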
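Review bot: In the new rule `"Failed password for "?[Ii]"nvalid user ".+" from "`, the `?` applies to the whole quoted string, so the rule also matches the bare `Invalid user ... from ` form already handled by the rule directly above it; the earlier rule still wins on equal-length matches, so nothing breaks, but drop the `?` so each log form has exactly one rule. Two smaller points in the same hunk: `"ssh".?` accepts any single character after `ssh`, where `"ssh"[0-9]?` states the intended `ssh2` tail precisely, and the only `BEGIN(INITIAL)` is in that tail rule, so a line with the prefix but no `port N ssh2` tail leaves the scanner in `ssh_invaluser` for whatever follows. The neighbouring rules carry a `/* ... */` comment with a sample log line; please add one here with the `Failed password for invalid user student from ... port 60902 ssh2` line from the report.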
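As an added illustration of what the report describes (this is not code from the bug report or from sshguard itself), the Python snippet below matches the two OpenSSH "invalid user" log forms discussed above, the bare `Invalid user X from ADDR` line and the `Failed password for invalid user X from ADDR port N ssh2` line, extracts the source address from each, and counts attempts per address the way a log-driven blocker does before it acts. The log lines are constructed and use documentation addresses; the regular expression, the function names and the threshold of 3 are assumptions for the example, not sshguard's own rules or defaults.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (documentation addresses, not real hosts).
# Line 1 is the "Failed password for invalid user ... port N ssh2" form the
# report says sshguard stopped detecting; line 2 is the bare form the
# existing scanner rule already handles; line 4 is a successful login and
# must not count as an attack.
SAMPLE_AUTH_LOG = [
    "Jun  1 00:02:59 server sshd[15980]: Failed password for invalid user student from 203.0.113.10 port 60902 ssh2",
    "Jun  1 00:03:01 server sshd[15982]: Invalid user admin from 203.0.113.10",
    "Jun  1 00:03:05 server sshd[15984]: Failed password for invalid user oracle from 203.0.113.10 port 60910 ssh2",
    "Jun  1 00:03:07 server sshd[15986]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2",
    "Jun  1 00:03:09 server sshd[15988]: Failed password for invalid user test from 198.51.100.7 port 50031 ssh2",
]

# One pattern for both forms (assumed layout, mirroring the flex rule in the
# report): an optional "Failed password for " prefix, "invalid user" in either
# case, a non-greedy user name, the address, then the optional "port N" and
# "ssh2" tail that the scanner has to consume so the line parses cleanly.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: "
    r"(?:Failed password for )?[Ii]nvalid user (?P<user>.+?) from "
    r"(?P<addr>[0-9A-Fa-f.:]+)"
    r"(?: port (?P<port>\d+))?(?: ssh\d?)?\s*$"
)


def parse_invalid_user(line):
    """Return (user, addr) for an OpenSSH invalid-user line, else None."""
    match = INVALID_USER_RE.search(line)
    if match is None:
        return None
    return match.group("user"), match.group("addr")


def attackers_over_threshold(lines, threshold=3):
    """Count invalid-user attempts per source address and return the
    addresses that reached the threshold, with their counts."""
    counts = Counter()
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_AUTH_LOG:
        print(parse_invalid_user(line))
    print(attackers_over_threshold(SAMPLE_AUTH_LOG))
```

The point of the trailing `(?: port (?P<port>\d+))?(?: ssh\d?)?` group is the same one the patch addresses with its `ssh_invaluser` start condition: newer OpenSSH appends `port N ssh2` after the address, and a matcher written for the older bare form has to account for that tail or the line is not recognised.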