ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Problem With regex.pm and SSH on CentOS 5

https://mail.forum.configserver.com/viewtopic.php?t=5993

Page 1 of 1

Problem With regex.pm and SSH on CentOS 5

Posted: 18 Nov 2012, 11:28
by michaelau
OS: CentOS 5.8 x86_64
CSF Version: 5.71
SSH Version: openssh-4.3p2-82.el5

Hello.

We run quite a few CentOS 5 and a week or so ago serveral of our servers were the target of brute force SSH attacks. What we found though was that with:

LF_SSHD = 15
ST_DISKW_FREQ = 5

LFD was not blocking the the IP's (and there were many more than 15 brute force attempts per IP address per 5 minutes). As it turns out, the problem was in regex.pm for the SSH strings. Sll of the SSH regexes were looking for once instance of a character that is not a space and not a dot (period) which is in between the date/time and sshd[$pid], i.e.

$line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ sshd\[\d+\]:

However, there is no such character in /var/log/secure for SSH on CentOS 5. All that is in between the date/time and sshd[$pid] is a single space. As such, once [^\s\.]+ was removed such that the above regex was changed to this:

$line =~ /^(\S+|\S+\s+\d+\s+\S+) sshd\[\d+\]:

then LFD finally began blocking the brute force IPs.

Thought that you may like to know :)

Cheers,
Michael (AU)

Re: Problem With regex.pm and SSH on CentOS 5

Posted: 12 Feb 2013, 01:08
by michaelau
Hi.

Forgot all about this until the recent CSF upgrade a few days ago. Anyway, I figured out what the issue was. We use cPanel in conjubnction with CloudLinux's LVE prodict. As such, because we use LVE, a few CentOS packages are necessarily replaced by CloudLinux with one of them being (you guessed it) OpenSSH and as it turns out, the CloudLinux version of OpenSSH does not write the short hostname of the server in the log entry. In other words:

A log entry created by CentOS' OpenSSH begins with:

Feb 10 03:35:10 XXX sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

where 'XXX' is the short hostname (hostname -s) of the server and of course is what [^\s\.]+ is matched against. However, the same log entry would be made by CloudLinux's OpenSSH like without the short hostname like so:

Feb 10 03:35:10 sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root

So we obviously need to take this up with CloudLinux :)

Cheers,
Michael

Re: Problem With regex.pm and SSH on CentOS 5

Posted: 13 Feb 2013, 09:36
by ForumAdmin
I've modified the regexes to deal with this for the next csf release.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited