Mercurial > dropbear
comparison svr-auth.c @ 1665:7c17995bcdfb
Improve address logging on early exit messages (#83)
Change 'Early exit' and 'Exit before auth' messages to include the IP
address & port as part of the message.
This allows log scanning utilities such as 'fail2ban' to obtain the
offending IP address as part of the failure event instead of extracting
the PID from the message and then scanning the log again for match
'child connection from' messages
Signed-off-by: Kevin Darbyshire-Bryant <[email protected]>
| author | Kevin Darbyshire-Bryant <6500011+ldir-EDB0@users.noreply.github.com> |
|---|---|
| date | Wed, 18 Mar 2020 15:28:56 +0000 |
| parents | 592a18dac250 |
| children | 8dc43b30c6bf |
comparison
equal
deleted
inserted
replaced
| 1664:871484eac157 | 1665:7c17995bcdfb |
|---|---|
| 239 if (userlen > MAX_USERNAME_LEN) { | 239 if (userlen > MAX_USERNAME_LEN) { |
| 240 return DROPBEAR_FAILURE; | 240 return DROPBEAR_FAILURE; |
| 241 } | 241 } |
| 242 | 242 |
| 243 if (strlen(username) != userlen) { | 243 if (strlen(username) != userlen) { |
| 244 dropbear_exit("Attempted username with a null byte from %s", | 244 dropbear_exit("Attempted username with a null byte"); |
| 245 svr_ses.addrstring); | |
| 246 } | 245 } |
| 247 | 246 |
| 248 if (ses.authstate.username == NULL) { | 247 if (ses.authstate.username == NULL) { |
| 249 /* first request */ | 248 /* first request */ |
| 250 fill_passwd(username); | 249 fill_passwd(username); |
| 251 ses.authstate.username = m_strdup(username); | 250 ses.authstate.username = m_strdup(username); |
| 252 } else { | 251 } else { |
| 253 /* check username hasn't changed */ | 252 /* check username hasn't changed */ |
| 254 if (strcmp(username, ses.authstate.username) != 0) { | 253 if (strcmp(username, ses.authstate.username) != 0) { |
| 255 dropbear_exit("Client trying multiple usernames from %s", | 254 dropbear_exit("Client trying multiple usernames"); |
| 256 svr_ses.addrstring); | |
| 257 } | 255 } |
| 258 } | 256 } |
| 259 | 257 |
| 260 /* avoids cluttering logs with repeated failure messages from | 258 /* avoids cluttering logs with repeated failure messages from |
| 261 consecutive authentication requests in a sesssion */ | 259 consecutive authentication requests in a sesssion */ |
| 266 | 264 |
| 267 /* check that user exists */ | 265 /* check that user exists */ |
| 268 if (!ses.authstate.pw_name) { | 266 if (!ses.authstate.pw_name) { |
| 269 TRACE(("leave checkusername: user '%s' doesn't exist", username)) | 267 TRACE(("leave checkusername: user '%s' doesn't exist", username)) |
| 270 dropbear_log(LOG_WARNING, | 268 dropbear_log(LOG_WARNING, |
| 271 "Login attempt for nonexistent user from %s", | 269 "Login attempt for nonexistent user"); |
| 272 svr_ses.addrstring); | |
| 273 ses.authstate.checkusername_failed = 1; | 270 ses.authstate.checkusername_failed = 1; |
| 274 return DROPBEAR_FAILURE; | 271 return DROPBEAR_FAILURE; |
| 275 } | 272 } |
| 276 | 273 |
| 277 /* check if we are running as non-root, and login user is different from the server */ | 274 /* check if we are running as non-root, and login user is different from the server */ |
| 278 uid = geteuid(); | 275 uid = geteuid(); |
| 279 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { | 276 if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { |
| 280 TRACE(("running as nonroot, only server uid is allowed")) | 277 TRACE(("running as nonroot, only server uid is allowed")) |
| 281 dropbear_log(LOG_WARNING, | 278 dropbear_log(LOG_WARNING, |
| 282 "Login attempt with wrong user %s from %s", | 279 "Login attempt with wrong user %s", |
| 283 ses.authstate.pw_name, | 280 ses.authstate.pw_name); |
| 284 svr_ses.addrstring); | |
| 285 ses.authstate.checkusername_failed = 1; | 281 ses.authstate.checkusername_failed = 1; |
| 286 return DROPBEAR_FAILURE; | 282 return DROPBEAR_FAILURE; |
| 287 } | 283 } |
| 288 | 284 |
| 289 /* check for non-root if desired */ | 285 /* check for non-root if desired */ |
| 438 if (ses.authstate.pw_name == NULL) { | 434 if (ses.authstate.pw_name == NULL) { |
| 439 userstr = "is invalid"; | 435 userstr = "is invalid"; |
| 440 } else { | 436 } else { |
| 441 userstr = ses.authstate.pw_name; | 437 userstr = ses.authstate.pw_name; |
| 442 } | 438 } |
| 443 dropbear_exit("Max auth tries reached - user '%s' from %s", | 439 dropbear_exit("Max auth tries reached - user '%s'", |
| 444 userstr, svr_ses.addrstring); | 440 userstr); |
| 445 } | 441 } |
| 446 | 442 |
| 447 TRACE(("leave send_msg_userauth_failure")) | 443 TRACE(("leave send_msg_userauth_failure")) |
| 448 } | 444 } |
| 449 | 445 |