RFC: Improve address logging on early exit messages #83
Change 'Early exit' and 'Exit before auth' messages to include the IP address & port as part of the message.
This allows log scanning utilities such as 'fail2ban' to obtain the offending IP address as part of the failure event instead of extracting the PID from the message and then scanning the log again for match 'child connection from' messages
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
I like this. I'll merge it once I give it a try.
Thanks
On 16 October 2019 5:48:21 pm AWST, Kevin Darbyshire-Bryant ***@***.***> wrote:
Change 'Early exit' and 'Exit before auth' messages to include the IP address & port as part of the message.
This allows log scanning utilities such as 'fail2ban' to obtain the offending IP address as part of the failure event instead of extracting the PID from the message and then scanning the log again for match 'child connection from' messages
Signed-off-by: Kevin Darbyshire-Bryant ***@***.***>
Delimiting with < > may be a step too far... or the whole idea... hence the RFC :-)
-- Commit Summary --
* Improve address logging on early exit messages
-- File Changes --
M svr-auth.c (18)
M svr-session.c (8)
-- Patch Links --
https://github.com/mkj/dropbear/pull/83.patch
https://github.com/mkj/dropbear/pull/83.diff
Friendly ping
Ping
Thanks
I've changed the format slightly in 201e359. It wasn't handling some cases where addrstring hadn't been set yet.
When doing changes which are intended to help software like Fail2Ban, while containing breaking changes for them, it makes sense to communicate it, or send a commit with the needed filter changes. The Fail2Ban Dropbear filter was now partly broken for several years 😉: fail2ban/fail2ban#3791
Another issue: "Login attempt for nonexistent user" is no early exit message, hence those do now not contain a host anymore and are impossible to track with this change. I can send a PR to revert this part of the code, if wanted. I think it is important.
EDIT: I guess the same is true for "Login attempt with wrong user", but I cannot test it quickly now.
EDIT2: Too important to communicate through a closed PR, hence here the partial revert: #316
mkj#83 removed the host from the final message part of early exit messages, and added it to the initial message part instead. This was however done for "Login attempt for nonexistent user" as well, which is no early exit message, but allows the client to keep trying. Those log entries hence now do not contain a host anymore. This PR reverts this part of mkj#83 to restore the missing host, and re-enable software like Fail2Ban to track these login failures.
Signed-off-by: MichaIng <micha@dietpi.com>
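The two ways of attributing a failure to a host that this thread discusses, as an added example that is not code from this PR, Dropbear or Fail2Ban: a single-line match when the message carries the address, and PID correlation against 'Child connection from' when it does not. The log line layout, the `from <host:port>` placement and the name `failures_by_host` are assumptions made for illustration; only the quoted message phrases come from the thread.

```python
import re
from collections import Counter

# Constructed sample lines. The exact layout is an assumption; only the
# message phrases are taken from the thread.
SAMPLE_LOG = """\
Oct 16 09:48:01 host dropbear[2101]: Child connection from 192.0.2.10:51234
Oct 16 09:48:03 host dropbear[2101]: Login attempt for nonexistent user
Oct 16 09:48:05 host dropbear[2101]: Exit before auth from <192.0.2.10:51234>: example reason
Oct 16 09:48:07 host dropbear[2102]: Child connection from 198.51.100.7:40022
Oct 16 09:48:08 host dropbear[2102]: Early exit from <198.51.100.7:40022>: example reason
Oct 16 09:48:09 host dropbear[2103]: Login attempt for nonexistent user
"""

PREFIX = re.compile(r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHILD = re.compile(r"^Child connection from (?P<host>\S+):\d+$", re.I)
INLINE = re.compile(r"^(?:Early exit|Exit before auth) from <(?P<host>[^<>\s]+):\d+>")
NO_HOST = re.compile(r"^Login attempt for nonexistent user")

def failures_by_host(log_text):
    """Return (Counter of failures per host, count of failures with no known host)."""
    pid_host = {}  # PID -> host learned from an earlier 'Child connection from' line
    hits, unattributed = Counter(), 0
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CHILD.match(msg)):
            pid_host[pid] = c["host"]
        elif (i := INLINE.match(msg)):
            hits[i["host"]] += 1          # address is in the line: no state needed
        elif NO_HOST.match(msg):
            host = pid_host.get(pid)      # address is missing: correlate by PID
            if host is None:
                unattributed += 1         # connection line rotated away or never seen
            else:
                hits[host] += 1
    return hits, unattributed
```

The last sample line shows the failure mode: a message without a host can only be attributed while the matching connection line is still available to the scanner.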