On 10-11-2015 12:11, Dag-Erling Smørgrav wrote:
Willem Jan Withagen <w...@digiware.nl> writes:
Digging in my logfiles .... , and its things like:
  sshd[84942]: Disconnecting: Too many authentication failures [preauth]

So errors/warnings without IP-nr.

And I think I fixed it on one server to also write:
error: maximum authentication attempts exceeded for root from port 1042 ssh2 [preauth]

fail2ban should catch both of these since sshd will print a message for
each failed authentication attempt before it prints a message about
reaching the limit.

It's already too long to remember the full facts, but when I was looking at the parser in sshguard, I think I noticed that certain accesses weren't logged and added some more logging rules to catch those.

What I still have lingering is this snippet:
Index: crypto/openssh/packet.c
--- crypto/openssh/packet.c     (revision 289060)
+++ crypto/openssh/packet.c     (working copy)
@@ -1128,8 +1128,10 @@
logit("Connection closed by %.200s", get_remote_ipaddr());
-               if (len < 0)
+               if (len < 0) {
+ logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno));
+               }
                /* Append it to the buffer. */
                packet_process_incoming(buf, len);

But like I said: The code I found at openssh was so totally different that I did not continued this track, but chose to start running openssh from ports. Which does not generate warnings I have questions about the originating ip-nr.

Are they still willing to accept changes to the old version that is
currently in base?

No, why would they do that?

Exactly my question....
I guess I misinterpreted your suggestion on upstreaming patches.


freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to