By default dropbear logs to syslog, which discloses account names on connection attempts (e.g. "Bad password attempt for 'engineer' from x.x.x.x:y"). As this facilitates brute-force attempts against account names, make syslog support configurable so that sensitive info is not leaked via syslog.
Signed-off-by: Hans Dedecker <dedec...@gmail.com>
---
 package/network/services/dropbear/Config.in | 6 ++++++
 package/network/services/dropbear/Makefile | 7 ++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index ca0af9d..95316b9 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
 help
 Dropbear will use pututline() to write the utmp structure into the utmp file.
+config DROPBEAR_DISABLE_SYSLOG
+ bool "Disable syslog logging"
+ default n
+ help
+ Disables syslog log support; log messages will be redirected to stderr.
+
 endmenu
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 2db2f81..32efa7b 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=dropbear
 PKG_VERSION:=2017.75
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
@@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
 PKG_CONFIG_DEPENDS:= \
 CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
 CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
- CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
+ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
+ CONFIG_DROPBEAR_DISABLE_SYSLOG
 include $(INCLUDE_DIR)/package.mk
@@ -69,7 +70,7 @@ endef
 CONFIGURE_ARGS += \
 --disable-pam \
 --enable-openpty \
- --enable-syslog \
+ $(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
 --disable-lastlog \
 --disable-utmpx \
 $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
--
1.9.1
_______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
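Review bot: The help text of DROPBEAR_DISABLE_SYSLOG in the Config.in hunk does not say what is given up. With syslog compiled out, records of failed and successful logins no longer reach the system log, so repeated password guessing against the device becomes harder to notice or alert on. I would add a sentence to the help such as `Authentication failures will then no longer be recorded in the system log; enable only if stderr is captured elsewhere.` Whether stderr is captured at all depends on how the init script starts dropbear, which this patch does not show.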
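Review bot: The `$(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog)` line in the third Makefile hunk is a build-time, all-or-nothing switch. It removes every dropbear message from syslog, not only the "Bad password attempt" lines that name accounts, and a deployed image cannot turn logging back on during an incident. A comment above `CONFIGURE_ARGS +=` would record that, e.g. `# --disable-syslog drops all auth logging from syslog; see DROPBEAR_DISABLE_SYSLOG help`. As far as I recall, dropbear built with syslog support also accepts `-E` at runtime to log to stderr instead, which may give the same effect without a new config symbol; worth confirming. The CONFIGURE_ARGS assignment continues past the end of the hunk.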