Problem With regex.pm and SSH on CentOS 5

Post Reply
michaelau
Junior Member
Posts: 2
Joined: 18 Nov 2012, 10:50

Problem With regex.pm and SSH on CentOS 5

Post by michaelau »

OS: CentOS 5.8 x86_64
CSF Version: 5.71
SSH Version: openssh-4.3p2-82.el5

Hello.

We run quite a few CentOS 5 and a week or so ago serveral of our servers were the target of brute force SSH attacks. What we found though was that with:

LF_SSHD = 15
ST_DISKW_FREQ = 5

LFD was not blocking the the IP's (and there were many more than 15 brute force attempts per IP address per 5 minutes). As it turns out, the problem was in regex.pm for the SSH strings. Sll of the SSH regexes were looking for once instance of a character that is not a space and not a dot (period) which is in between the date/time and sshd[$pid], i.e.

$line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ sshd\[\d+\]:

However, there is no such character in /var/log/secure for SSH on CentOS 5. All that is in between the date/time and sshd[$pid] is a single space. As such, once [^\s\.]+ was removed such that the above regex was changed to this:

$line =~ /^(\S+|\S+\s+\d+\s+\S+) sshd\[\d+\]:

then LFD finally began blocking the brute force IPs.

Thought that you may like to know :)

Cheers,
Michael (AU)
michaelau
Junior Member
Posts: 2
Joined: 18 Nov 2012, 10:50

Re: Problem With regex.pm and SSH on CentOS 5

Post by michaelau »

Hi.

Forgot all about this until the recent CSF upgrade a few days ago. Anyway, I figured out what the issue was. We use cPanel in conjubnction with CloudLinux's LVE prodict. As such, because we use LVE, a few CentOS packages are necessarily replaced by CloudLinux with one of them being (you guessed it) OpenSSH and as it turns out, the CloudLinux version of OpenSSH does not write the short hostname of the server in the log entry. In other words:

A log entry created by CentOS' OpenSSH begins with:

Feb 10 03:35:10 XXX sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

where 'XXX' is the short hostname (hostname -s) of the server and of course is what [^\s\.]+ is matched against. However, the same log entry would be made by CloudLinux's OpenSSH like without the short hostname like so:

Feb 10 03:35:10 sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

So we obviously need to take this up with CloudLinux :)

Cheers,
Michael
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Problem With regex.pm and SSH on CentOS 5

Post by ForumAdmin »

I've modified the regexes to deal with this for the next csf release.
Post Reply