Message-Id: <201212191142.qBJBgtgA037805@red.freebsd.org>
Date: Wed, 19 Dec 2012 11:42:55 GMT
From: François Charlier <fcharlier@ploup.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: security/sshguard 1.5 does not detect ssh invalid users logins
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: mij@bitchx.it

>Number:         174571
>Category:       ports
>Synopsis:       security/sshguard 1.5 does not detect ssh invalid users logins
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    crees
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 19 11:50:00 UTC 2012
>Closed-Date:    Tue Apr 08 19:03:34 UTC 2014
>Last-Modified:  Tue Apr  8 19:10:01 UTC 2014
>Originator:     François Charlier
>Release:        9.0
>Organization:
>Environment:
FreeBSD stardust.ploup.net 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
sshguard >1.5 does not parse ssh invalid user logins like:

  Dec 18 06:23:27 redacted sshd[6294]: Invalid user aaron from 1.1.1.1

because it matches the lowercase invalid word only.

The bug was reported on the sshguard-users mailing list in June 2012 [1] and I submitted a patch [2] today.

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=20120625040417.GD4130%40nntp.AegisInfoSys.com&forum_name=sshguard-users

[2] https://sourceforge.net/tracker/?func=detail&aid=3597444&group_id=188282&atid=924687
>How-To-Repeat:

>Fix:
See attached patch

Patch attached with submission follows:

diff -Naur sshguard.orig/Makefile sshguard/Makefile
--- sshguard.orig/Makefile	2012-12-19 11:09:43.026352081 +0000
+++ sshguard/Makefile	2012-12-19 11:10:19.859353918 +0000
@@ -7,7 +7,7 @@
 
 PORTNAME=	sshguard
 PORTVERSION=	1.5
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	SF/sshguard/sshguard/sshguard-${PORTVERSION}
 
diff -Naur sshguard.orig/files/patch-src-parser-attack_scanner.l sshguard/files/patch-src-parser-attack_scanner.l
--- sshguard.orig/files/patch-src-parser-attack_scanner.l	1970-01-01 00:00:00.000000000 +0000
+++ sshguard/files/patch-src-parser-attack_scanner.l	2012-12-19 11:02:17.619357458 +0000
@@ -0,0 +1,11 @@
+--- src/parser/attack_scanner.l.orig	2012-12-19 10:58:02.992356246 +0000
++++ src/parser/attack_scanner.l	2012-12-19 10:58:22.407356894 +0000
+@@ -127,7 +127,7 @@
+ 
+ 
+  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
+-"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
++[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
+  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
+  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
+ "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
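
Review bot: The removed line in the embedded attack_scanner.l hunk already reads "Invalid user " with a capital I, which is the form in the reported log line, while the description says the scanner matches the lowercase word only. Please confirm what src/parser/attack_scanner.l.orig actually contains and regenerate the patch against it; as shown, the "before" pattern would already match "Invalid user aaron from 1.1.1.1". One sample log line for each spelling in the PR would let a committer verify the [Ii] class. The replacement is also two characters longer than the original, so its action column no longer lines up with the neighbouring rules.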


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->crees 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed Dec 19 11:50:08 UTC 2012 
Responsible-Changed-Why:  
crees@ wants this submitter's PRs (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174571 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed Dec 19 11:50:10 UTC 2012 
State-Changed-Why:  
Awaiting maintainer's feedback (via the GNATS Auto Assign Tool) 


From: Edwin Groothuis <edwin@FreeBSD.org>
To: mij@bitchx.it
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/174571: security/sshguard 1.5 does not detect ssh invalid users logins
Date: Wed, 19 Dec 2012 11:50:09 UT

 Maintainer of security/sshguard,
 
 Please note that PR ports/174571 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/174571
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
State-Changed-From-To: feedback->open 
State-Changed-By: crees 
State-Changed-When: Wed Aug 28 17:48:26 UTC 2013 
State-Changed-Why:  
Hi Mij, is this patch OK? 

State-Changed-From-To: open->closed 
State-Changed-By: crees 
State-Changed-When: Tue Apr 8 19:03:33 UTC 2014 
State-Changed-Why:  
Committed.  Sorry for the really long wait-- the maintainer was 
unresponsive and has been reset. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/174571: commit references a PR
Date: Tue,  8 Apr 2014 19:03:08 +0000 (UTC)

 Author: crees
 Date: Tue Apr  8 19:03:02 2014
 New Revision: 350643
 URL: http://svnweb.freebsd.org/changeset/ports/350643
 QAT: https://qat.redports.org/buildarchive/r350643/
 
 Log:
   Fix old sshguard bug; does not detect ssh invalid users logins
   
   PR:		ports/174571
   Submitted by:	Francois Charlier <fcharlier@ploup.net>
   
   Reset maintainer after 16 month timeout
   
   While here, stage, remove some insanity and fixup rc script
 
 Added:
   head/security/sshguard/files/patch-src-parser-attack_scanner.l   (contents, props changed)
 Modified:
   head/security/sshguard/Makefile
   head/security/sshguard/files/sshguard.in
   head/security/sshguard/pkg-install
 
 Modified: head/security/sshguard/Makefile
 ==============================================================================
 --- head/security/sshguard/Makefile	Tue Apr  8 18:54:10 2014	(r350642)
 +++ head/security/sshguard/Makefile	Tue Apr  8 19:03:02 2014	(r350643)
 @@ -3,40 +3,30 @@
  
  PORTNAME=	sshguard
  PORTVERSION=	1.5
 -PORTREVISION=	2
 +PORTREVISION=	3
  CATEGORIES=	security
  MASTER_SITES=	SF/sshguard/sshguard/sshguard-${PORTVERSION}
  
 -MAINTAINER=	mij@bitchx.it
 +MAINTAINER=	ports@FreeBSD.org
  COMMENT?=	Protect hosts from brute force attacks against ssh and other services
  
  CONFLICTS?=	sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.*
  
 -PLIST_FILES=	sbin/sshguard
 +USES=		tar:bzip2
 +
 +PLIST_FILES=	sbin/sshguard man/man8/sshguard.8.gz
  
 -MAN8=		sshguard.8
 -MANCOMPRESSED=	no
 -USE_BZIP2=	yes
  USE_RC_SUBR=	sshguard
  MAKE_ARGS+=	ACLOCAL="${TRUE}" AUTOCONF="${TRUE}" AUTOMAKE="${TRUE}"
 -HAS_CONFIGURE=	yes
 +GNU_CONFIGURE=	yes
 +CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW}
  
 -# sublist will be set afterward
 +SUB_LIST+=	PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}
  SUB_FILES=	pkg-message
  
  # backend type in { hosts, ipfw, pf }
  SSHGUARDFW?=	hosts
  
 -NO_STAGE=	yes
 -.include <bsd.port.pre.mk>
 -
 -.if defined(PREFIX)
 -CONFIGURE_ARGS+=	--prefix=${PREFIX}
 -.endif
 -
 -# set path for manpages
 -CONFIGURE_ARGS+=	--mandir=${MANPREFIX}/man
 -
  .if ${SSHGUARDFW} == pf
  PKGMSG_FWBLOCK="  To activate or configure PF see http://sshguard.sf.net/doc/setup/blockingpf.html"
  .elif ${SSHGUARDFW} == ipfw
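
Review bot: CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW} and SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK} now sit above the SSHGUARDFW?= hosts default and above the .if block that assigns PKGMSG_FWBLOCK, and the comment "# sublist will be set afterward" that explained the ordering is dropped. make defers expansion for += so the values still resolve, but the next editor has to know that; moving the "# backend type" block above its first use, or keeping a one-line comment, would make the dependency visible. The new CONFIGURE_ARGS+= line also lacks the tab after the operator that every other assignment here uses. Separately, this hunk resets MAINTAINER and converts the port to staging in the same commit as a detection fix, which makes the fix harder to merge or revert on its own.
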
 @@ -47,16 +37,4 @@ PKGMSG_FWBLOCK="  Sshguard is going to u
  PKGMSG_FWBLOCK="  Sshguard will use /etc/ipf.rules as ruleset."
  .endif
  
 -# for substitution in subfiles
 -SUB_LIST+=	PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}
 -
 -CONFIGURE_ARGS+=	--with-firewall=${SSHGUARDFW}
 -
 -post-install:
 -	@PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
 -	@${CAT}	${PKGMESSAGE}
 -
 -pre-deinstall:
 -	@PKG_PREFIX=${PREFIX} ${SH} ${PKGDEINSTALL} ${PKGNAME} DEINSTALL
 -
 -.include <bsd.port.post.mk>
 +.include <bsd.port.mk>
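
Review bot: The deleted post-install and pre-deinstall targets were the only visible callers of ${PKGINSTALL} and ${PKGDEINSTALL} in this Makefile, and pkg-install still carries a "POST-INSTALL" case that this same commit edits. The log only says "stage, remove some insanity", so please state what runs pkg-install after this change, and check that SSHGUARDFW, which the script tests, is set in that context; otherwise the hosts backend branch is silently skipped.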
 
 Added: head/security/sshguard/files/patch-src-parser-attack_scanner.l
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/security/sshguard/files/patch-src-parser-attack_scanner.l	Tue Apr  8 19:03:02 2014	(r350643)
 @@ -0,0 +1,11 @@
 +--- src/parser/attack_scanner.l.orig	2012-12-19 10:58:02.992356246 +0000
 ++++ src/parser/attack_scanner.l	2012-12-19 10:58:22.407356894 +0000
 +@@ -127,7 +127,7 @@
 + 
 + 
 +  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
 +-"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
 ++[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
 +  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
 +  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
 + "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
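
Review bot: The added files/patch-src-parser-attack_scanner.l carries no comment or reference to the upstream report, so nothing in the port says when this local patch can be dropped. The PR cites an upstream tracker item for the same change; recording that URL in the commit log or beside the patch would let the next version update check whether the scanner rule was fixed upstream before re-applying it.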
 
 Modified: head/security/sshguard/files/sshguard.in
 ==============================================================================
 --- head/security/sshguard/files/sshguard.in	Tue Apr  8 18:54:10 2014	(r350642)
 +++ head/security/sshguard/files/sshguard.in	Tue Apr  8 19:03:02 2014	(r350643)
 @@ -31,6 +31,7 @@
  
  # PROVIDE: sshguard
  # REQUIRE: LOGIN cleanvar
 +# KEYWORD: shutdown
  
  #
  # Add the following lines to /etc/rc.conf to enable sshguard:
 @@ -62,14 +63,10 @@
  
  name="sshguard"
  rcvar="sshguard_enable"
 -command="/usr/sbin/daemon"
 -actual_command="%%PREFIX%%/sbin/${name}"
 -procname="${actual_command}"
  
  load_rc_config $name
  
 -: ${sshguard_enable="NO"}
 -: ${sshguard_pidfile="/var/run/${name}.pid"}
 +: ${sshguard_enable:="NO"}
  : ${sshguard_blacklist="40:/var/db/sshguard/blacklist.db"}
  : ${sshguard_safety_thresh="40"}
  : ${sshguard_pardon_min_interval="1200"}
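
Review bot: The sshguard_enable default switches to the := form while the defaults that follow it (sshguard_blacklist, sshguard_safety_thresh, sshguard_pardon_min_interval) keep the plain = form. The two behave differently when a variable is set but empty in rc.conf, so mixing them in one block looks accidental; pick one form for all the defaults, or say in the log why only this one changed.
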
 @@ -77,8 +74,11 @@ load_rc_config $name
  : ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
  : ${sshguard_watch_logs="/var/log/auth.log:/var/log/maillog"}
  
 -pidfile="${sshguard_pidfile}"
 -sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ `
 +pidfile=${sshguard_pidfile:-"/var/run/${name}.pid"}
 +
 +command="/usr/sbin/daemon"
 +actual_command="%%PREFIX%%/sbin/${name}"
 +procname="${actual_command}"
  start_precmd="${name}_prestart"
  
  command_args="-cf ${actual_command} -b ${sshguard_blacklist} ${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile} -i ${sshguard_pidfile}"
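
Review bot: pidfile now falls back to /var/run/${name}.pid through the :- expansion, but sshguard_pidfile itself is no longer given a default (the ": ${sshguard_pidfile=...}" line is removed earlier in this file), and command_args in the context line still ends with "-i ${sshguard_pidfile}". With nothing set in rc.conf that expands to a bare -i with no argument, so the daemon is not told to write the pid file that rc.subr will look for. Either keep the default assignment for sshguard_pidfile or pass "-i ${pidfile}" in command_args.
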
 @@ -87,6 +87,7 @@ sshguard_prestart()
  {
  	mkdir -p `dirname ${sshguard_blacklist##*:}`
  	[ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
 +	sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ `
  }
  
  run_rc_command "$1"
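
Review bot: sshguard_watch_params is now assigned inside sshguard_prestart(), but command_args is built at script load time in a double-quoted string that expands ${sshguard_watch_params} immediately, before prestart has run. The -l options derived from sshguard_watch_logs therefore never reach the command line, and sshguard starts without the log files it is supposed to watch. Compute sshguard_watch_params before command_args is assigned, or assemble command_args inside the prestart function.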
 
 Modified: head/security/sshguard/pkg-install
 ==============================================================================
 --- head/security/sshguard/pkg-install	Tue Apr  8 18:54:10 2014	(r350642)
 +++ head/security/sshguard/pkg-install	Tue Apr  8 19:03:02 2014	(r350643)
 @@ -13,7 +13,7 @@ SSHGUARDCONFLINE="auth.info;authpriv.inf
  
  case "$2" in
      "POST-INSTALL")
 -        if test "x$SSHGUARDFW" = xhosts
 +        if test "$SSHGUARDFW" = hosts
          then
              touch /etc/hosts.allow
          fi
 @@ -23,7 +23,7 @@ case "$2" in
  	    TMPFILE=`mktemp -q /tmp/syslogcXX`
  	    # make sure our file has the same permissions as the original, since we mv it back
  	    cp -p $SYSLOGCONF ${TMPFILE}
 -	    echo > ${TMPFILE}
 +	    : > ${TMPFILE}
              inheader=1
              cat "$SYSLOGCONF" | while read cline ;
              do
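
Review bot: The changed truncation line depends on the mktemp call two lines above it, which uses the template /tmp/syslogcXX with only two X characters, passes -q, and never checks the result. If mktemp fails, TMPFILE is empty and the unquoted redirection ": > ${TMPFILE}" has no target, while the script carries on to rewrite syslog.conf as root. Since this block is being touched anyway, use a longer template (for example syslogc.XXXXXX), abort when mktemp fails, and quote "${TMPFILE}" in the cp and redirection lines.
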
 
>Unformatted:
