Bug 272249 - security/sshguard: not detecting log entries containing hostnames
Summary: security/sshguard: not detecting log entries containing hostnames
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Fernando Apesteguía
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-27 18:13 UTC by martin
Modified: 2023-11-13 11:37 UTC (History)

See Also:
bugzilla: maintainer-feedback? (kevinz5000)


Attachments
Patch (2.29 KB, patch)
2023-07-04 18:11 UTC, Kevin Zheng
no flags Details | Diff
patch to 2.4.3, including cyrus imap pattern fix (3.40 KB, patch)
2023-11-01 07:49 UTC, Chris Moerz
freebsd: maintainer-approval?
Details | Diff
poudriere log for 13.2-RELEASE (27.16 KB, text/plain)
2023-11-01 07:50 UTC, Chris Moerz
no flags Details

Description martin 2023-06-27 18:13:43 UTC
sshguard is not detecting log entries like this:

  Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net

because it gets a "Could not resolve" error:

$  echo '  Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net' | /usr/local/libexec/sshg-parser -a
Could not resolve 'ns2.tilbd.net' to address
    Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net
$ 

I am running sshguard 2.4.2_2,1 on FreeBSD 12.4-RELEASE-p2.

I think the problem is that sshg-parser calls cap_enter() (in sandbox_init), after which the kernel refuses the file and socket access that the DNS lookup in attack_from_hostname needs.

The output from truss shows this (every ERR#94 line below is a call rejected by capability mode):

cap_enter()					 = 0 (0x0)
fstat(0,{ mode=p--------- ,inode=355787,size=97,blksize=4096 }) = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370293760 (0x800a11000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370297856 (0x800a12000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370301952 (0x800a13000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370306048 (0x800a14000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370310144 (0x800a15000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370314240 (0x800a16000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370318336 (0x800a17000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370322432 (0x800a18000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370326528 (0x800a19000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370330624 (0x800a1a000)
read(0,"  Jun 27 10:13:54 ext1 sshd[8435"...,4096) = 97 (0x61)
mmap(0x0,28672,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370334720 (0x800a1b000)
mmap(0x0,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370363392 (0x800a22000)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)	 ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)	 ERR#94 'Not permitted in capability mode'
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370383872 (0x800a27000)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370453504 (0x800a38000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370523136 (0x800a49000)
gettimeofday({ 1687889156.834461 },0x0)		 = 0 (0x0)
getpid()					 = 87455 (0x1559f)
gettimeofday({ 1687889156.835202 },0x0)		 = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370527232 (0x800a4a000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370531328 (0x800a4b000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370535424 (0x800a4c000)
issetugid()					 = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
__sysctl("kern.hostname",2,0x7fffffffd040,0x7fffffffcd58,0x0,0) = 0 (0x0)
issetugid()					 = 0 (0x0)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370539520 (0x800a4d000)
gettimeofday({ 1687889156.839494 },0x0)		 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)	 ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666)	 ERR#94 'Not permitted in capability mode'
clock_gettime(12,{ 2948703.216701665 })		 = 0 (0x0)
fstatat(AT_FDCWD,"/etc/resolv.conf",0x7fffffffd370,0x0) ERR#94 'Not permitted in capability mode'
gettimeofday({ 1687889156.846809 },0x0)		 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0)	 = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28)		 ERR#94 'Not permitted in capability mode'
close(3)					 = 0 (0x0)
Could not resolve 'ns2.tilbd.net' to address
write(2,"Could not resolve 'ns2.tilbd.net"...,45) = 45 (0x2d)
Comment 1 Kevin Zheng 2023-06-27 18:19:10 UTC
Thank you for your investigation and report. To summarize, the sshg-parser process cannot resolve DNS names because it is in the FreeBSD capability mode sandbox. This is an upstream issue, and since I'm upstream I'll work on this.

Most likely I'll make sshg-parser use cap_getnameinfo if compiled with sandboxing support on FreeBSD.
Comment 2 Kevin Zheng 2023-06-27 19:23:26 UTC
Fix committed upstream in cd8d3c45: https://bitbucket.org/sshguard/sshguard/commits/cd8d3c45a9a18bb28a3b4f9d4bb82e220ac0076c/raw
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2023-06-28 09:53:53 UTC
Hi Kevin,

Can you update the port accordingly?
Comment 4 Kevin Zheng 2023-06-28 17:36:55 UTC
(In reply to Fernando Apesteguía from comment #3)
Of course. It has been a while since a release, so I think I'll just cut a release and update the port. Will advise here when I do.
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2023-06-29 06:18:47 UTC
(In reply to Kevin Zheng from comment #4)
Thanks!
Comment 6 Kevin Zheng 2023-07-04 18:11:05 UTC
Created attachment 243202 [details]
Patch

This patch updates the port to 2.4.3. Changes:

**Added**

- Add signature for BIND
- Add signature for Gitea
- Add signature for Microsoft SQL Server for Linux
- Add signature for OpenVPN Portshare
- Add signature for user-defined HTTP attacks
- Update signatures for Dovecot
- Update signatures for Postfix

**Fixed**

- Fix memset off-by-one
- Resolve DNS names in capability mode using casper
Comment 7 Chris Moerz 2023-11-01 07:49:43 UTC
Created attachment 246041 [details]
patch to 2.4.3, including cyrus imap pattern fix

I have attached a patch that also fixes a bug I noticed during usage/testing: sshguard fails to properly detect authorization failures from cyrus-imap on FreeBSD. I fixed the pattern match and added a patch file to the port.

I'll be uploading a poudriere test log in a moment.

I'm not sure why this is still open. Kevin, did you set the requisite maintainer-approval flags on the attachments earlier?

Sorry for hijacking this; I figured it's better to propose my additions/patch here than to file an additional ticket for the same thing.
Comment 8 Chris Moerz 2023-11-01 07:50:33 UTC
Created attachment 246042 [details]
poudriere log for 13.2-RELEASE

Poudriere test run for the fixed and updated 2.4.3 version
Comment 9 Fernando Apesteguía freebsd_committer freebsd_triage 2023-11-01 10:25:12 UTC
I can work on this and land the patches once there is approval from the maintainer.
Comment 10 Kevin Zheng 2023-11-01 17:39:57 UTC
Both approved. It's possible that I didn't set the right Bugzilla flags.

I am also upstream, so thank you Chris for the fix. I'll upstream this.
Comment 11 Fernando Apesteguía freebsd_committer freebsd_triage 2023-11-06 11:37:15 UTC
Committed.

Thanks!
Comment 12 commit-hook freebsd_committer freebsd_triage 2023-11-06 11:37:43 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=efda5c514648db7c2bbacaa7a57dfa946dd9f054

commit efda5c514648db7c2bbacaa7a57dfa946dd9f054
Author:     Chris Moerz <freebsd@ny-central.org>
AuthorDate: 2023-11-03 08:18:27 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-11-06 11:36:49 +0000

    security/sshguard: fix logging of entries with hostnames

    With work from martin@lispworks.com

    PR:             272249
    Reported by:    martin@lispworks.com
    Approved by:    kevinz5000@gmail.com (maintainer)

 security/sshguard/Makefile                                    |  3 +--
 security/sshguard/distinfo                                    |  6 +++---
 .../files/patch-src_blocker_sshguard__whitelist.c (gone)      | 11 -----------
 .../sshguard/files/patch-src_parser_attack__scanner.l (new)   | 11 +++++++++++
 4 files changed, 15 insertions(+), 16 deletions(-)
Comment 13 commit-hook freebsd_committer freebsd_triage 2023-11-13 11:37:00 UTC
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=74229fe9f145578948cde5597c3945ff662372e9

commit 74229fe9f145578948cde5597c3945ff662372e9
Author:     Chris Moerz <freebsd@ny-central.org>
AuthorDate: 2023-11-03 08:18:27 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-11-13 11:36:36 +0000

    security/sshguard: fix logging of entries with hostnames

    With work from martin@lispworks.com

    PR:             272249
    Reported by:    martin@lispworks.com
    Approved by:    kevinz5000@gmail.com (maintainer)

    (cherry picked from commit efda5c514648db7c2bbacaa7a57dfa946dd9f054)

 security/sshguard/Makefile                                    |  3 +--
 security/sshguard/distinfo                                    |  6 +++---
 .../files/patch-src_blocker_sshguard__whitelist.c (gone)      | 11 -----------
 .../sshguard/files/patch-src_parser_attack__scanner.l (new)   | 11 +++++++++++
 4 files changed, 15 insertions(+), 16 deletions(-)