Modify BusyBox Syslog Banner to account for the -S option

Create issue
Issue #115 resolved
Web User created an issue

Some versions of syslogd on BusyBox include a -S option which removes the hostname and service from the event log entries. On systems where this option is used when launching syslogd it will cause sshguard to not recognize any of the syslog entries.

BusyBox v1.24.2 (2017-12-08 19:09:25 UTC) multi-call binary.

Usage: syslogd [OPTIONS]

System logging utility

-n      Run in foreground
-R HOST[:PORT]  Log to HOST:PORT (default PORT:514)
-L      Log locally and via network (default is network only if -R)
-C[size_kb] Log to shared mem buffer (use logread to read it)
-K      Log to kernel printk buffer (use dmesg to read it)
-O FILE     Log to FILE (default:/var/log/messages, stdout if -)
-s SIZE     Max size (KB) before rotation (default:200KB, 0=off)
-b N        N rotated logs to keep (default:1, max=99, 0=purge)
-l N        Log only messages more urgent than prio N (1-8)
-S      Smaller output
-D      Drop duplicates
-f FILE     Use FILE as config (default:/etc/syslog.conf)

Below is an example of what the syslog entry looks like when the -S option is used.

May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066

This problem can be resolved by removing the -S option from the startup script for syslogd, however, this may cause issues in other areas. Preferably sshguard would be able to recognize that the -S option has been used and adjust accordingly similar to the way syslog banner handles missing PID info.

Comments (4)

  1. Web User reporter

    To test this you can try the following…

    First CD to the directory where your sshg-parser executable is located.

    Paste the line below and hit enter.

    echo May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066 | ./sshg-parser

    You will likely receive no output.

    Now paste the line below and hit enter.

    echo May 9 11:11:17 test sshd[30876]: Invalid user www from 139.59.34.17 port 51066 | ./sshg-parser

    You should receive a response of 100 139.59.34.17 4 10 indicating that the parser has successfully deciphered the syslog header.

  2. Kevin Zheng

    This patch fixes the issue but makes running flex much slower:

    diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
    index 5f5e185..9c0a730 100644
    --- a/src/parser/attack_scanner.l
    +++ b/src/parser/attack_scanner.l
    @@ -121,13 +121,13 @@ WORDPRESS_LOGIN            .*"/wp-login"(\.php)?
       */
    
      /* handle entries with PID and without PID from processes other than sshguard */
    -({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}("/"{PROCESSNAME}){0,2}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
    +({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]?{PROCESSNAME}("/"{PROCESSNAME}){0,2}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
             /* extract PID */
             yylval.num = getsyslogpid(yytext, yyleng);
             return SYSLOG_BANNER_PID;
             }
    
    -({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}("/"{PROCESSNAME}){0,2}":")?   { return SYSLOG_BANNER; }
    +({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]?({PROCESSNAME}("/"{PROCESSNAME}){0,2}":")?   { return SYSLOG_BANNER; }
    
    
      /* metalog banner */
    
  3. Log in to comment