FS#36821 - [sshguard] sshguard does not report attacks with systemd 206
Attached to Project:
Community Packages
Opened by Abdó Roig-Maranges (abdo) - Saturday, 07 September 2013, 16:09 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Monday, 09 September 2013, 14:30 GMT
Opened by Abdó Roig-Maranges (abdo) - Saturday, 07 September 2013, 16:09 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Monday, 09 September 2013, 14:30 GMT
|
Details
Description:
sshguard does not detect sshd attacks with systemd 206. Additional info: * sshguard 1.5-13 * systemd 206-2 (from testing) Steps to reproduce: Just run sshguard with systemd 206 and look at the logs. sshguard fails to report any attack. There are two problems with the command in /usr/lib/systemd/scripts/sshguard-journalctl /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | /usr/bin/sshguard -l- "$@" 1. It complains with Failed to parse relative boot ID number 'p' 2. After fixing 1, It does not detect sshd login attempts Fixes: 1. For some reason we have to use '-afb -p info' now instead of '-afbp info'. 2. sshd seems to report stuff under SYSLOG_FACILITY=5. In my use case, as I only care about sshd, I've ended up with SYSLOG_IDENTIFIER=sshd. Not sure what would be the best general solution though. |
This task depends upon
Closed by Massimiliano Torromeo (mtorromeo)
Monday, 09 September 2013, 14:30 GMT
Reason for closing: Fixed
Additional comments about closing: sshguard-1.5-15
Monday, 09 September 2013, 14:30 GMT
Reason for closing: Fixed
Additional comments about closing: sshguard-1.5-15
Really wish they wouldn't do this....
sshguard-journalctl <sshguard's-db> [journalctl-match1 [journalctl-match2 [...]]]
sshguard-1.5-14 should work
This does not solve abdo's problem that claims that sshd logs are assigned to facility 5 (not verified here, on systemd 204 they are still on facilities 4 and 10) and it prevents sshguard from analysing logs from other daemons (eg: vsftp, exim and so on...)
Yes, but now filter is in .service file which can be copied to /etc/systemd/ and modified. Probably it is not the best solution.
I think it would be best to leave the SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 as they were before and with your solution anyone can still remove them and put something else in their place. The wrong facility issue should be investigated separately.
I'm filing a new bug against systemd and I think this can be closed.
@sergej journalctl syntax is weird. When matching for thifferent values of the same field, like SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 they are combined as OR. Otherwise, if the key is different, like SYSLOG_FACILITY=10 SYSLOG_IDENTIFIER=sshd they are combined as AND (WTF?!). To force OR you should add a + in between:
sshguard_journalctl ... SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 + SYSLOG_IDENTIFIER=sshd
Here is a piece of the output from
journalctl SYSLOG_IDENTIFIER=sshd -o verbose
PRIORITY=6
_UID=0
_GID=0
_BOOT_ID=84340610e04d4d43bf1e4bff04d99206
_MACHINE_ID=b4e6d17f67d226c25ddeec660000048f
_HOSTNAME=galois
_TRANSPORT=syslog
_CAP_EFFECTIVE=1fffffffff
SYSLOG_FACILITY=5
SYSLOG_IDENTIFIER=sshd
_COMM=sshd
[...]
MESSAGE=input_userauth_request: invalid user platic [preauth]
So yes, it does go to SYSLOG_FACILITY=5. It may be related to this bug
https://bugzilla.redhat.com/show_bug.cgi?id=988814
which seems to be fixed after 206.
> I think it would be best to leave the SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 as they were before.
@mtorromeo I don't have any problem with adjusting my sshguard.service, and I understand it probably is an upstream issue. However I think sshguard should adapt, temporarily to the situation until it gets fixed upstream. Otherwise it silently stops blocking attacks for systemd 206 users!
Don't bother. I'm already fixing it.