Modify BusyBox Syslog Banner to account for the -S option
Some versions of syslogd on BusyBox include a -S option which removes the hostname and service from the event log entries. On systems where this option is used when launching syslogd, it will cause sshguard to not recognize any of the syslog entries.
BusyBox v1.24.2 (2017-12-08 19:09:25 UTC) multi-call binary.
Usage: syslogd [OPTIONS]
System logging utility
-n Run in foreground
-R HOST[:PORT] Log to HOST:PORT (default PORT:514)
-L Log locally and via network (default is network only if -R)
-C[size_kb] Log to shared mem buffer (use logread to read it)
-K Log to kernel printk buffer (use dmesg to read it)
-O FILE Log to FILE (default:/var/log/messages, stdout if -)
-s SIZE Max size (KB) before rotation (default:200KB, 0=off)
-b N N rotated logs to keep (default:1, max=99, 0=purge)
-l N Log only messages more urgent than prio N (1-8)
-S Smaller output
-D Drop duplicates
-f FILE Use FILE as config (default:/etc/syslog.conf)
Below is an example of what the syslog entry looks like when the -S option is used.
May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066
This problem can be resolved by removing the -S option from the startup script for syslogd; however, this may cause issues in other areas. Preferably, sshguard would be able to recognize that the -S option has been used and adjust accordingly, similar to the way the syslog banner handles missing PID info.
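The two banner shapes described above, parsed as an added example. This is not sshguard's code: the regexes below are this example's own loose stand-ins for the flex definitions (TIMESTAMP_SYSLOG, PROCESSNAME and so on), and the sample lines are the two quoted in this report plus one constructed line without a PID. It keeps the standard rule and the hostname-less -S rule as separate rules, and also shows why simply making the separating space optional is a poor fix: the host/process boundary becomes ambiguous, and `sshd` on a -S line splits into host `ssh` and process `d`.

```python
import re
from typing import Optional

# Sample lines. The first two are the ones quoted in the report; the third is
# constructed here to show the "no PID" shape that sshguard already handles.
STANDARD_LINE = "May 9 11:11:17 test sshd[30876]: Invalid user www from 139.59.34.17 port 51066"
SMALL_LINE = "May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066"
NO_PID_LINE = "May 9 11:11:17 test sshd: Invalid user www from 139.59.34.17 port 51066"

# Building blocks. These are assumptions of this example, not sshguard's exact
# flex patterns; they only mirror the roles of TIMESTAMP_SYSLOG, PROCESSNAME, etc.
TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
HOSTNAME = r"(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*)"
PROCESS = r"(?P<proc>[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+){0,2})"
PID = r"(?:\[(?P<pid>\d+)\])?"
MESSAGE = r": (?P<msg>.*)$"

# One rule per banner shape. Each rule is unambiguous on its own: the standard
# rule requires a space between hostname and process, the -S rule has no hostname.
STANDARD_BANNER = re.compile(rf"^{TIMESTAMP} +{HOSTNAME} +{PROCESS}{PID}{MESSAGE}")
SMALL_BANNER = re.compile(rf"^{TIMESTAMP} +{PROCESS}{PID}{MESSAGE}")

# The alternative of making the separating space optional in the standard rule.
# Hostname and process name draw from overlapping character sets, so without the
# space there is no longer a unique boundary between them.
OPTIONAL_SPACE_BANNER = re.compile(rf"^{TIMESTAMP} +{HOSTNAME} ?{PROCESS}{PID}{MESSAGE}")

# Message pattern for the sshd "Invalid user" attempt shown in the report (IPv4 only here).
INVALID_USER = re.compile(r"^Invalid user \S+ from (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\b")


def _groups(m) -> dict:
    """Turn a match into a dict, converting the PID to an int when present."""
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] is not None else None
    return d


def parse_banner(line: str) -> Optional[dict]:
    """Parse the syslog banner; 'host' is None for BusyBox -S ("smaller") output."""
    m = STANDARD_BANNER.match(line)
    if m:
        return _groups(m)
    m = SMALL_BANNER.match(line)
    if m:
        d = _groups(m)
        d["host"] = None  # -S output carries no hostname field at all
        return d
    return None


def parse_with_optional_space(line: str) -> Optional[dict]:
    """Same parse using the optional-space rule, to expose the ambiguous split."""
    m = OPTIONAL_SPACE_BANNER.match(line)
    return _groups(m) if m else None


def attacker_address(line: str) -> Optional[str]:
    """Source address of an sshd 'Invalid user' attempt, whichever banner shape is used."""
    banner = parse_banner(line)
    if banner is None or banner["proc"] != "sshd":
        return None
    m = INVALID_USER.match(banner["msg"])
    return m.group("addr") if m else None


if __name__ == "__main__":
    for line in (STANDARD_LINE, SMALL_LINE, NO_PID_LINE):
        print(parse_banner(line), "->", attacker_address(line))
    # Optional-space rule on the -S line: host 'ssh', process 'd' (wrong split)
    print(parse_with_optional_space(SMALL_LINE))
```

With separate rules, the -S line yields process `sshd`, PID 30876 and the same attacker address as the standard line; with the optional-space rule, a backtracking regex engine settles on host `ssh` and process `d`, and a DFA-based scanner like flex has to encode every such split in its tables.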
Comments (4)
reporter:
This patch fixes the issue but makes running flex much slower:
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l index 5f5e185..9c0a730 100644 --- a/src/parser/attack_scanner.l +++ b/src/parser/attack_scanner.l @@ -121,13 +121,13 @@ WORDPRESS_LOGIN .*"/wp-login"(\.php)? */ /* handle entries with PID and without PID from processes other than sshguard */ -({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}("/"{PROCESSNAME}){0,2}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? { +({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]?{PROCESSNAME}("/"{PROCESSNAME}){0,2}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? { /* extract PID */ yylval.num = getsyslogpid(yytext, yyleng); return SYSLOG_BANNER_PID; } -({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}("/"{PROCESSNAME}){0,2}":")? { return SYSLOG_BANNER; } +({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]?({PROCESSNAME}("/"{PROCESSNAME}){0,2}":")? { return SYSLOG_BANNER; } /* metalog banner */
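Review bot: Changing `[ ]+` to `[ ]?` in both banner rules makes the hostname/process boundary ambiguous instead of describing the -S case. With no separating space, `([a-zA-Z0-9]|{WORD}|{HOSTADDR})` can consume any prefix of the process name (`s` + `shd`, `ssh` + `d`, ...) and the same input matches in several ways, which is the likely reason flex now takes so much longer to build its tables. Suggest keeping `[ ]+` in these two rules and adding a separate pair of rules for the hostname-less banner, e.g. `({TIMESTAMP_SYSLOG}|{TIMESTAMP_ISO8601})[ ]+{PROCESSNAME}("/"{PROCESSNAME}){0,2}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}?` returning SYSLOG_BANNER_PID (and the matching no-PID form returning SYSLOG_BANNER), so each rule stays unambiguous and the standard rules are unchanged.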
- changed status to open
- changed status to resolved
Fixed in e1fac04, thanks!
To test this you can try the following…
First cd to the directory where your sshg-parser executable is located.
Paste the line below and hit enter.
echo 'May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066' | ./sshg-parser
You will likely receive no output.
Now paste the line below and hit enter.
echo 'May 9 11:11:17 test sshd[30876]: Invalid user www from 139.59.34.17 port 51066' | ./sshg-parser
You should receive a response of 100 139.59.34.17 4 10 indicating that the parser has successfully deciphered the syslog header.