From nobody@FreeBSD.org  Thu Aug 26 04:03:46 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D3A9D16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 04:03:46 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CA86F43D69
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 04:03:46 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7Q43kC8012341
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 26 Aug 2004 04:03:46 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7Q43kQq012340;
	Thu, 26 Aug 2004 04:03:46 GMT
	(envelope-from nobody)
Message-Id: <200408260403.i7Q43kQq012340@www.freebsd.org>
Date: Thu, 26 Aug 2004 04:03:46 GMT
From: Mitsuru Ogino <ogino@verama.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: script 800.loginfail dose not report 'Illegal user' login failures
X-Send-Pr-Version: www-2.3

>Number:         70973
>Category:       conf
>Synopsis:       [patch] script 800.loginfail does not report 'Illegal user' login failures
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    matteo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 26 04:10:25 GMT 2004
>Closed-Date:    Thu Mar 09 06:56:11 GMT 2006
>Last-Modified:  Thu Mar 09 06:56:11 GMT 2006
>Originator:     Mitsuru Ogino
>Release:        5.2.1-RELEASE-p8
>Organization:
>Environment:
FreeBSD vic.verama.net 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #6: Tue Jun  1 18:43:31 JST 2004   
  root@vic.verama.net:/usr/src/sys/i386/compile/VIC  i386

>Description:
Sshd(8) reports login failures. But the style of report is different between the failure caused by wrong user and that by wrong password. /etc/periodic/security/800.loginfail only report failure by wrong password.
It is important to know that someone attempt to login the system. So the system should report 'Illegal user' login failures to root.

>How-To-Repeat:
in /var/log/auth.log
    Aug 26 01:47:25 vic sshd[68106]: Illegal user test from xxx.xxx.xxx.xxx

>Fix:
Use code to find pattern 'illegal user':

62c62
<       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
---
>       n=$(catmsgs | egrep -ia "^$yesterday.*(fail|illegal user)" |

>Release-Note:
>Audit-Trail:

From: Ceri Davies <ceri@submonkey.net>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: conf/70973
Date: Wed, 1 Sep 2004 10:11:15 +0100

 Adding to audit trail.
 
 Date: Tue, 31 Aug 2004 13:49:21 -0600 (MDT)
 From: "Ryan Sommers" <ryans@gamersimpact.com>
 To: current@freebsd.org
 Message-ID: <50241.208.4.77.15.1093981761.squirrel@www2.neuroflux.com>
 Subject: Periodic security
 
 Slight modification to the loginfail script for periodics. This will catch
 sshd, proftpd and su errors, as well as other programs, better.
 
 --- 800.loginfail       Mon Aug 30 21:50:50 2004
 +++ 800.loginfail       Mon Aug 30 21:51:53 2004
 @@ -59,7 +59,7 @@
      [Yy][Ee][Ss])
         echo ""
         echo "${host} login failures:"
 -       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
 +       n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
             tee /dev/stderr | wc -l)
         [ $n -gt 0 ] && rc=1 || rc=0;;
      *) rc=0;;
 
 -- 
 Ryan "leadZERO" Sommers
 Gamer's Impact President
 ryans@gamersimpact.com
 ICQ: 1019590
 AIM/MSN: leadZERO
 
 -= http://www.gamersimpact.com =-
 

From: Matteo Riondato <rionda@gufi.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/70973: [patch] script 800.loginfail does not report 'Illegal user login failures'
Date: Tue, 29 Mar 2005 13:07:17 +0200

 --X+8siUETKMkW99st
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 The patch works and it can be cleanly applied.
 IMHO it should be commited because it enhance script's useness
 Best Regards
 
 --=20
 Rionda aka Matteo Riondato
 Disinformato per default
 FreeSBIE Developer (http://www.freesbie.org)
 
 --X+8siUETKMkW99st
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.0 (FreeBSD)
 
 iD8DBQFCSTbl2Mp4pR7Fa+wRAlwqAJ9GHdIL1D1mTiVXJSOx+25N3fNMnwCgqL3c
 6BA+83asR6uuf+uiRyx+vGg=
 =F5Ci
 -----END PGP SIGNATURE-----
 
 --X+8siUETKMkW99st--
Responsible-Changed-From-To: freebsd-bugs->matteo 
Responsible-Changed-By: matteo 
Responsible-Changed-When: Sat Mar 4 10:12:40 UTC 2006 
Responsible-Changed-Why:  
I'll handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70973 
State-Changed-From-To: open->patched 
State-Changed-By: matteo 
State-Changed-When: Sun Mar 5 15:46:08 UTC 2006 
State-Changed-Why:  
Fixed in -CURRENT 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70973 
State-Changed-From-To: patched->closed 
State-Changed-By: matteo 
State-Changed-When: Thu Mar 9 06:55:55 UTC 2006 
State-Changed-Why:  
Fixed, thanks 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70973 
>Unformatted:
