package/network/services/dropbear/patches/010-backport-change-address-logging.patch

   1 From c153b3612b7c9f24a0f5af43618a646545ed6e22 Mon Sep 17 00:00:00 2001
   2 From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
   3 Date: Mon, 30 Sep 2019 12:42:13 +0100
   4 Subject: [PATCH] Improve address logging on early exit messages
   5
   6 Change 'Early exit' and 'Exit before auth' messages to include the IP
   7 address & port as part of the message.
   8
   9 This allows log scanning utilities such as 'fail2ban' to obtain the
  10 offending IP address as part of the failure event instead of extracting
  11 the PID from the message and then scanning the log again for match
  12 'child connection from' messages
  13
  14 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
  15 ---
  16  svr-auth.c    | 18 +++++++-----------
  17  svr-session.c | 20 ++++++++++++++------
  18  2 files changed, 21 insertions(+), 17 deletions(-)
  19
  20 --- a/svr-auth.c
  21 +++ b/svr-auth.c
  22 @@ -241,8 +241,7 @@ static int checkusername(const char *use
  23         }
  24
  25         if (strlen(username) != userlen) {
  26 -               dropbear_exit("Attempted username with a null byte from %s",
  27 -                       svr_ses.addrstring);
  28 +               dropbear_exit("Attempted username with a null byte");
  29         }
  30
  31         if (ses.authstate.username == NULL) {
  32 @@ -252,8 +251,7 @@ static int checkusername(const char *use
  33         } else {
  34                 /* check username hasn't changed */
  35                 if (strcmp(username, ses.authstate.username) != 0) {
  36 -                       dropbear_exit("Client trying multiple usernames from %s",
  37 -                               svr_ses.addrstring);
  38 +                       dropbear_exit("Client trying multiple usernames");
  39                 }
  40         }
  41
  42 @@ -268,8 +266,7 @@ static int checkusername(const char *use
  43         if (!ses.authstate.pw_name) {
  44                 TRACE(("leave checkusername: user '%s' doesn't exist", username))
  45                 dropbear_log(LOG_WARNING,
  46 -                               "Login attempt for nonexistent user from %s",
  47 -                               svr_ses.addrstring);
  48 +                               "Login attempt for nonexistent user");
  49                 ses.authstate.checkusername_failed = 1;
  50                 return DROPBEAR_FAILURE;
  51         }
  52 @@ -279,9 +276,8 @@ static int checkusername(const char *use
  53         if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) {
  54                 TRACE(("running as nonroot, only server uid is allowed"))
  55                 dropbear_log(LOG_WARNING,
  56 -                               "Login attempt with wrong user %s from %s",
  57 -                               ses.authstate.pw_name,
  58 -                               svr_ses.addrstring);
  59 +                               "Login attempt with wrong user %s",
  60 +                               ses.authstate.pw_name);
  61                 ses.authstate.checkusername_failed = 1;
  62                 return DROPBEAR_FAILURE;
  63         }
  64 @@ -440,8 +436,8 @@ void send_msg_userauth_failure(int parti
  65                 } else {
  66                         userstr = ses.authstate.pw_name;
  67                 }
  68 -               dropbear_exit("Max auth tries reached - user '%s' from %s",
  69 -                               userstr, svr_ses.addrstring);
  70 +               dropbear_exit("Max auth tries reached - user '%s'",
  71 +                               userstr);
  72         }
  73
  74         TRACE(("leave send_msg_userauth_failure"))
  75 --- a/svr-session.c
  76 +++ b/svr-session.c
  77 @@ -149,28 +149,36 @@ void svr_session(int sock, int childpipe
  78  void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
  79         char exitmsg[150];
  80         char fullmsg[300];
  81 +       char fromaddr[60];
  82         int i;
  83
  84         /* Render the formatted exit message */
  85         vsnprintf(exitmsg, sizeof(exitmsg), format, param);
  86
  87 +       /* svr_ses.addrstring may not be set for some early exits, or for
  88 +       the listener process */
  89 +       fromaddr[0] = '\0';
  90 +       if (svr_ses.addrstring) {
  91 +           snprintf(fromaddr, sizeof(fromaddr), " from <%s>", svr_ses.addrstring);
  92 +    }
  93 +
  94         /* Add the prefix depending on session/auth state */
  95         if (!ses.init_done) {
  96                 /* before session init */
  97 -               snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
  98 +               snprintf(fullmsg, sizeof(fullmsg), "Early exit%s: %s", fromaddr, exitmsg);
  99         } else if (ses.authstate.authdone) {
 100                 /* user has authenticated */
 101                 snprintf(fullmsg, sizeof(fullmsg),
 102 -                               "Exit (%s): %s",
 103 -                               ses.authstate.pw_name, exitmsg);
 104 +                               "Exit (%s)%s: %s",
 105 +                               ses.authstate.pw_name, fromaddr, exitmsg);
 106         } else if (ses.authstate.pw_name) {
 107                 /* we have a potential user */
 108                 snprintf(fullmsg, sizeof(fullmsg),
 109 -                               "Exit before auth (user '%s', %u fails): %s",
 110 -                               ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
 111 +                               "Exit before auth%s: (user '%s', %u fails): %s",
 112 +                               fromaddr, ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
 113         } else {
 114                 /* before userauth */
 115 -               snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
 116 +               snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", fromaddr, exitmsg);
 117         }
 118
 119         dropbear_log(LOG_INFO, "%s", fullmsg);