From nobody  Sun Dec 20 01:15:59 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA19812;
          Sun, 20 Dec 1998 01:15:59 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199812200915.BAA19812@hub.freebsd.org>
Date: Sun, 20 Dec 1998 01:15:59 -0800 (PST)
From: sysadmin@mfn.org
To: freebsd-gnats-submit@freebsd.org
Subject: Failed login attempts do not log (via syslog) until the next time a valid username is received.
X-Send-Pr-Version: www-1.0

>Number:         9141
>Category:       bin
>Synopsis:       Failed login attempts do not log (via syslog) until the next time a valid username is received.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    nectar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 20 01:20:01 PST 1998
>Closed-Date:    Sun Jan 3 14:40:24 PST 1999
>Last-Modified:  Sun Jan  3 14:40:58 PST 1999
>Originator:     J.A. Terranson
>Release:        2.2.5-R
>Organization:
Missouri FreeNet
>Environment:
FreeBSD 2.2.5-RELEASE (SUPPORT) #0: Thu Dec 17 23:14:31 CST 1998 
>Description:
Failed login attempts are not logged until a valid username is received, allowing a penetration attempt on a login-silent system (like a name server, where this occurred) to go on for extended periods of time unnoticed.
>How-To-Repeat:
On a quiescent system, make as many bad login attempts as you like,
while watching the syslog output: it will be silent.  Syslog will finally make its report immediately *after* a valid username is entered.
>Fix:
Report failed login attempts immediately, rather than trying to save syslog bytes by reporting only the cumulative total.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->nectar 
Responsible-Changed-By: nectar 
Responsible-Changed-When: Sun Jan 3 14:39:13 PST 1999 
Responsible-Changed-Why:  
I noticed this ``bug'' being discussed on BUGTRAQ. 
State-Changed-From-To: open->closed 
State-Changed-By: nectar 
State-Changed-When: Sun Jan 3 14:40:24 PST 1999 
State-Changed-Why:  
This has been the behavior of BSD systems since at least BSD 4.4 Lite. 
syslogd is coded to suppress a series of duplicate messages until it 
gets a different message. 

Use the '-m <interval>' option in order to force a message occasionally 
so that the scenario you described does not occur. 
>Unformatted:
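
When reviewing logs from a syslogd that collapses duplicates as the closing note describes, a count of failed logins has to fold each "last message repeated N times" line back into the message it follows. The Python below is an added example, not part of this PR or of FreeBSD; the sample log lines and the "LOGIN FAILURE" wording it matches are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in classic BSD syslog layout; not taken from the report.
SAMPLE_LOG = """\
Dec 20 00:58:01 ns1 named[84]: reloading nameserver
Dec 20 01:02:03 ns1 login: 1 LOGIN FAILURE ON ttyp0
Dec 20 01:14:40 ns1 last message repeated 37 times
Dec 20 01:14:41 ns1 login: ROOT LOGIN (root) ON ttyv0
Dec 20 01:20:00 ns1 last message repeated 2 times
Dec 20 01:30:12 ns1 login: 1 LOGIN FAILURE ON ttyp1
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
FAILURE = re.compile(r"LOGIN FAILURE")  # assumed wording of the failure message


def expand_repeats(text):
    """Return (host, message, count) tuples with repeat lines folded in."""
    entries = []   # [host, message, count] in log order
    last = {}      # host -> index of that host's most recent real message
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-formatted line
        _, host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # A repeat line refers to the previous message from the same host.
            # If that message is missing (e.g. rotated away), skip the line.
            if host in last:
                entries[last[host]][2] += int(rep.group(1))
            continue
        entries.append([host, msg, 1])
        last[host] = len(entries) - 1
    return [tuple(e) for e in entries]


def failed_logins(text):
    """Return (naive line count, {host: true count}) of failed logins."""
    naive = sum(1 for line in text.splitlines() if FAILURE.search(line))
    actual = Counter()
    for host, msg, count in expand_repeats(text):
        if FAILURE.search(msg):
            actual[host] += count
    return naive, dict(actual)
```

On the sample, a plain line match sees two failure lines while the folded count for ns1 is 39.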
