sshguard is not detecting log entries like this:

Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net

because it gets a "Could not resolve" error:

$ echo ' Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net' | /usr/local/libexec/sshg-parser -a
Could not resolve 'ns2.tilbd.net' to address
Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net
$

I am running sshguard 2.4.2_2,1 on FreeBSD 12.4-RELEASE-p2.

I think the problem is that sshg-parser calls cap_enter (in sandbox_init), which makes the kernel block things needed for the DNS lookup in attack_from_hostname. The output from truss shows:

cap_enter() = 0 (0x0)
fstat(0,{ mode=p--------- ,inode=355787,size=97,blksize=4096 }) = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370293760 (0x800a11000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370297856 (0x800a12000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370301952 (0x800a13000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370306048 (0x800a14000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370310144 (0x800a15000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370314240 (0x800a16000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370318336 (0x800a17000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370322432 (0x800a18000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370326528 (0x800a19000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370330624 (0x800a1a000)
read(0," Jun 27 10:13:54 ext1 sshd[8435"...,4096) = 97 (0x61)
mmap(0x0,28672,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370334720 (0x800a1b000)
mmap(0x0,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370363392 (0x800a22000)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370383872 (0x800a27000)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370453504 (0x800a38000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370523136 (0x800a49000)
gettimeofday({ 1687889156.834461 },0x0) = 0 (0x0)
getpid() = 87455 (0x1559f)
gettimeofday({ 1687889156.835202 },0x0) = 0 (0x0)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370527232 (0x800a4a000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370531328 (0x800a4b000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370535424 (0x800a4c000)
issetugid() = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
__sysctl("kern.hostname",2,0x7fffffffd040,0x7fffffffcd58,0x0,0) = 0 (0x0)
issetugid() = 0 (0x0)
mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34370539520 (0x800a4d000)
gettimeofday({ 1687889156.839494 },0x0) = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
fstatat(AT_FDCWD,"/etc/nsswitch.conf",0x7fffffffdb10,0x0) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) ERR#94 'Not permitted in capability mode'
clock_gettime(12,{ 2948703.216701665 }) = 0 (0x0)
fstatat(AT_FDCWD,"/etc/resolv.conf",0x7fffffffd370,0x0) ERR#94 'Not permitted in capability mode'
gettimeofday({ 1687889156.846809 },0x0) = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET 0.0.0.0:53 },16) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
connect(3,{ AF_INET6 [::]:53 },28) ERR#94 'Not permitted in capability mode'
close(3) = 0 (0x0)
Could not resolve 'ns2.tilbd.net' to address
write(2,"Could not resolve 'ns2.tilbd.net"...,45) = 45 (0x2d)
Thank you for your investigation and report. To summarize, the sshg-parser process cannot resolve DNS names because it is in the FreeBSD capability mode sandbox. This is an upstream issue, and since I'm upstream I'll work on this. Most likely I'll make sshg-parser use cap_getnameinfo if compiled with sandboxing support on FreeBSD.
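The approach outlined in the comment above, shown as an added example (this is not sshguard's code and not the upstream fix): a parser opens a Casper "system.dns" channel before it calls cap_enter(), restricts that channel to forward IPv4/IPv6 lookups, and then resolves the "from" field through cap_getaddrinfo() instead of the libc resolver, which is what fails with ENOTCAPABLE in the truss output. The function names (sandbox_init_with_dns, extract_from, attacker_to_addr, line_resolves_to) and the 192.0.2.10 sample line are my own; the Casper calls and the "NAME2ADDR" limit string are as documented in libcasper(3) and cap_dns(3). Literal addresses are handled locally with AI_NUMERICHOST so the sandboxed process never touches /etc/hosts or a UDP socket for them. On a non-FreeBSD system the sandbox code compiles out and plain getaddrinfo() is used, so the file still builds and runs for comparison.

```c
/*
 * Added example, not sshguard's own code: resolve the "from" field of an
 * sshd/PAM log line from inside a Capsicum-sandboxed parser. On FreeBSD a
 * Casper "system.dns" channel is opened BEFORE cap_enter(), so lookups are
 * delegated to the Casper service instead of hitting ENOTCAPABLE on
 * /etc/hosts, /etc/resolv.conf and connect(:53). On other systems the
 * sandbox calls compile out and plain getaddrinfo() runs.
 * Build on FreeBSD with: cc -o parse_from parse_from.c -lcasper -lcap_dns
 */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <libcasper.h>
#include <casper/cap_dns.h>
static cap_channel_t *capdns;          /* DNS service handle, opened pre-sandbox */
#endif

/* Open the DNS service (FreeBSD only), restrict it, then enter capability mode. */
int sandbox_init_with_dns(void)
{
#ifdef __FreeBSD__
    cap_channel_t *capcas = cap_init();
    if (capcas == NULL)
        return -1;
    capdns = cap_service_open(capcas, "system.dns");
    cap_close(capcas);                 /* the bootstrap channel is no longer needed */
    if (capdns == NULL)
        return -1;
    /* Least privilege: forward lookups only, IPv4/IPv6 only (names per cap_dns(3)). */
    const char *types[] = { "NAME2ADDR" };
    int families[] = { AF_INET, AF_INET6 };
    if (cap_dns_type_limit(capdns, types, 1) < 0 ||
        cap_dns_family_limit(capdns, families, 2) < 0)
        return -1;
    if (cap_enter() < 0)
        return -1;
#endif
    return 0;
}

/* Copy the token after " from " in an sshd log line into host[]. 0 on success. */
int extract_from(const char *line, char *host, size_t hostlen)
{
    const char *p = strstr(line, " from ");
    if (p == NULL)
        return -1;
    p += strlen(" from ");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= hostlen)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/*
 * Turn a "from" field into a numeric address string. Literal addresses are
 * handled locally with AI_NUMERICHOST (no resolver, no files, no sockets);
 * only real names go through the DNS channel. 0 on success, -1 otherwise.
 */
int attacker_to_addr(const char *from, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;   /* one result per address, not per socktype */
    hints.ai_flags = AI_NUMERICHOST;

    int rc = getaddrinfo(from, NULL, &hints, &res);
    if (rc == EAI_NONAME) {            /* not a literal: a real lookup is needed */
        hints.ai_flags = 0;
#ifdef __FreeBSD__
        rc = cap_getaddrinfo(capdns, from, NULL, &hints, &res);
#else
        rc = getaddrinfo(from, NULL, &hints, &res);
#endif
    }
    if (rc != 0) {
        fprintf(stderr, "Could not resolve '%s' to address: %s\n", from, gai_strerror(rc));
        return -1;
    }
    const void *src = res->ai_family == AF_INET6
        ? (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr
        : (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
    const char *ok = inet_ntop(res->ai_family, src, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return ok != NULL ? 0 : -1;
}

/* Convenience check: does the "from" field of `line` resolve to `want`? */
int line_resolves_to(const char *line, const char *want)
{
    char host[256], addr[INET6_ADDRSTRLEN];
    if (extract_from(line, host, sizeof host) != 0)
        return 0;
    if (attacker_to_addr(host, addr, sizeof addr) != 0)
        return 0;
    return strcmp(addr, want) == 0;
}

int main(void)
{
    /* Constructed sample lines in the format the bug report shows. */
    static const char *samples[] = {
        "Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from 192.0.2.10",
        "Jun 27 10:13:54 ext1 sshd[84354]: error: PAM: Authentication error for root from ns2.tilbd.net",
    };
    if (sandbox_init_with_dns() != 0) {
        perror("sandbox_init_with_dns");
        return 1;
    }
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char host[256], addr[INET6_ADDRSTRLEN];
        if (extract_from(samples[i], host, sizeof host) == 0 &&
            attacker_to_addr(host, addr, sizeof addr) == 0)
            printf("%s -> %s\n", host, addr);
    }
    return 0;
}
```

Run it under truss on FreeBSD and the second sample no longer produces the ENOTCAPABLE failures on /etc/hosts and connect(:53): the only traffic after cap_enter() is on the Casper channel. The first sample never reaches the resolver at all, which is the cheap path a log parser should take for the common case of a literal address.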
Fix committed upstream in cd8d3c45: https://bitbucket.org/sshguard/sshguard/commits/cd8d3c45a9a18bb28a3b4f9d4bb82e220ac0076c/raw
Hi Kevin, Can you update the port accordingly?
(In reply to Fernando Apesteguía from comment #3) Of course. It has been a while since a release, so I think I'll just cut a release and update the port. Will advise here when I do.
(In reply to Kevin Zheng from comment #4) Thanks!
Created attachment 243202 [details]
Patch

This patch updates the port to 2.4.3. Changes:

**Added**
- Add signature for BIND
- Add signature for Gitea
- Add signature for Microsoft SQL Server for Linux
- Add signature for OpenVPN Portshare
- Add signature for user-defined HTTP attacks
- Update signatures for Dovecot
- Update signatures for Postfix

**Fixed**
- Fix memset off-by-one
- Resolve DNS names in capability mode using casper
Created attachment 246041 [details]
patch to 2.4.3, including cyrus imap pattern fix

I have added a patch that includes fixes for a bug that I noticed during usage/testing: sshguard fails to properly detect authorization failures in cyrus-imap on FreeBSD. I fixed the pattern match and added a patch file to the port patch. I'll be uploading a poudriere test log in a moment.

Not sure why this is still open? Kevin, did you put the requisite maintainer-approval flags on the attachments before?

Sorry for hijacking this; I figured it's better to suggest my additions/patch here instead of filing an additional ticket on the same thing...
Created attachment 246042 [details]
poudriere log for 13.2-RELEASE

Poudriere test run for the fixed and updated 2.4.3 version
I can work on this and land the patches once there is approval from the maintainer.
Both approved. It's possible that I didn't set the right Bugzilla flags. I am also upstream, so thank you Chris for the fix. I'll upstream this.
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=efda5c514648db7c2bbacaa7a57dfa946dd9f054

commit efda5c514648db7c2bbacaa7a57dfa946dd9f054
Author:     Chris Moerz <freebsd@ny-central.org>
AuthorDate: 2023-11-03 08:18:27 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-11-06 11:36:49 +0000

    security/sshguard: fix logging of entries with hostnames

    With work from martin@lispworks.com

    PR:             272249
    Reported by:    martin@lispworks.com
    Approved by:    kevinz5000@gmail.com (maintainer)

 security/sshguard/Makefile                                   | 3 +--
 security/sshguard/distinfo                                   | 6 +++---
 .../files/patch-src_blocker_sshguard__whitelist.c (gone)     | 11 -----------
 .../sshguard/files/patch-src_parser_attack__scanner.l (new)  | 11 +++++++++++
 4 files changed, 15 insertions(+), 16 deletions(-)
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=74229fe9f145578948cde5597c3945ff662372e9

commit 74229fe9f145578948cde5597c3945ff662372e9
Author:     Chris Moerz <freebsd@ny-central.org>
AuthorDate: 2023-11-03 08:18:27 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-11-13 11:36:36 +0000

    security/sshguard: fix logging of entries with hostnames

    With work from martin@lispworks.com

    PR:             272249
    Reported by:    martin@lispworks.com
    Approved by:    kevinz5000@gmail.com (maintainer)

    (cherry picked from commit efda5c514648db7c2bbacaa7a57dfa946dd9f054)

 security/sshguard/Makefile                                   | 3 +--
 security/sshguard/distinfo                                   | 6 +++---
 .../files/patch-src_blocker_sshguard__whitelist.c (gone)     | 11 -----------
 .../sshguard/files/patch-src_parser_attack__scanner.l (new)  | 11 +++++++++++
 4 files changed, 15 insertions(+), 16 deletions(-)