Regression #15687

closed

``sshguard`` is not properly detecting GUI login failures

Added by Jim Pingle 4 months ago. Updated 8 days ago.

Status: Resolved
Priority: Very High
Category: Authentication
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.11
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The sshguard daemon isn't triggering blocks for GUI authentication failures.

The patch that adds the login string detection isn't complete. It should have a string in files/patch-src_parser_attack__scanner.l but it isn't there currently.

Possible that our local modification was clobbered by an upstream change in the same file in commit efda5c514648db7c2bbacaa7a57dfa946dd9f054 but it's not clear when that change was merged into our releases.

That patch should include our parsing string, for example:

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/ecbea214bcb2421d826960764717fa81d67bfb07#e9f85c39d66fd4403b5f6dbd7a02651de8a10c08
(Original was in https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/b64b53fbd27d5d186e5abf936cdb4d6989898e06#e9f85c39d66fd4403b5f6dbd7a02651de8a10c08 but that string wasn't right)

I checked the upstream source and the string isn't in their source so the change in that patch is still necessary.

We'll most likely need to check/confirm if this is affecting current releases and build a fixed sshguard binary package for any that are affected.

Actions #1

Updated by Jim Pingle 4 months ago

  • Private changed from No to Yes

Actions #2

Updated by Kristof Provost 4 months ago

  • Status changed from Confirmed to Ready To Test
  • Assignee set to Kristof Provost

I've re-added the 'webConfigurator authentication error for user' patch in sshguard.

Actions #3

Updated by Jim Pingle 3 months ago

  • % Done changed from 0 to 90

Fix works well on Plus 24.08 and CE 2.8.0 snapshots.

Next is picking it back to 24.03 and testing there.

No need to pick it back to any CE branches as the problematic change hasn't been in any CE release.

Actions #4

Updated by Jim Pingle 3 months ago

  • Status changed from Ready To Test to Resolved
  • % Done changed from 90 to 100

Fix was picked back to 24.03 and it's working there, too.

Actions #5

Updated by Jim Pingle about 2 months ago

  • Plus Target Version changed from 24.08 to 24.11

Actions #7

Updated by Jim Pingle 8 days ago

  • Private changed from Yes to No