
Bug 518988

Summary: app-admin/sshguard with app-admin/metalog - fails to parse logs on day numbers starting with 0
Product: Gentoo Linux
Reporter: Amyas <phyoure>
Component: Current packages
Assignee: Gentoo Netmon project <netmon>
Status: RESOLVED FIXED
Severity: normal
Keywords: PATCH
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: patch for sshguard-1.5-r2.ebuild

Description Amyas 2014-08-03 23:37:35 UTC
Created attachment 382190 [details, diff]
patch for sshguard-1.5-r2.ebuild

See http://sourceforge.net/p/sshguard/mailman/message/30545709/

Reproducible: always

Steps to reproduce: 
1) emerge sshguard
2) env SSHGUARD_DEBUG=foo /usr/sbin/sshguard #this runs sshguard in interactive debug mode
3) #Paste this string into the console and press enter: "Aug 03 17:24:50 [sshd] error: PAM: authentication failure for mario from 6.6.6.0"

Expected behavior: There should be a response including the string "Matched address 6.6.6.0:4 attacking service 100, dangerousness 10."

Actual behavior: The above string does not appear in the response.


Comments:

This occurs because the sshguard source has a regex typo that does not recognize 2-digit day numbers starting with 0, so sshguard will fail to recognize metalog logs of ssh brute force attacks on any single-digit day.

This very trivial bug has been reported upstream and a patch was submitted in the SourceForge link above over a year ago, but it has not been fixed yet. However, a simple sed command in the ebuild would do the trick. Attached is a patch for the latest ebuild (1.5-r2) that inserts the sed command.

Amyas
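
The blind spot described in the report, as an added example that is not part of the bug or of sshguard's source: the two day-number patterns are assumptions written for illustration, and the log lines are constructed from the sample in the steps to reproduce. It goes beyond the single sample line by checking every day of the month in three timestamp styles.

```python
import re

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
TIME = r"(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]"

# Assumed patterns, written for this example (not copied from sshguard):
# DAY_NARROW rejects a leading zero in the day number, DAY_FIXED accepts one.
DAY_NARROW = r"[1-9][0-9]?"
DAY_FIXED = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"


def timestamp_re(day):
    """Build a syslog-style timestamp matcher around a day-number pattern."""
    return re.compile(rf"^{MONTH} +{day} +{TIME} ")


def sample_line(day_text):
    # Constructed line in the shape of the metalog entry from the bug report.
    return (f"Aug {day_text} 17:24:50 [sshd] error: PAM: authentication "
            "failure for mario from 6.6.6.0")


def blind_days(day_pattern, fmt):
    """Return the days of the month whose timestamp the pattern fails to match."""
    rx = timestamp_re(day_pattern)
    return [d for d in range(1, 32) if not rx.match(sample_line(fmt(d)))]


# Three ways a log daemon may write the day number.
FORMATS = {
    "zero-padded (Aug 03)": lambda d: f"{d:02d}",
    "space-padded (Aug  3)": lambda d: f"{d:2d}",
    "unpadded (Aug 3)": lambda d: str(d),
}


def report():
    """Map (timestamp style, pattern label) to the list of unmatched days."""
    return {(name, label): blind_days(pat, fmt)
            for label, pat in (("narrow", DAY_NARROW), ("fixed", DAY_FIXED))
            for name, fmt in FORMATS.items()}


if __name__ == "__main__":
    for (name, label), days in report().items():
        print(f"{label:6} {name:22} unmatched days: {days or 'none'}")
```

A parser check of this kind belongs next to any log-driven blocker: a timestamp style that never matches produces no error, only an absence of blocks on the affected days.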
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-05 10:13:08 UTC
Comment on attachment 382190 [details, diff]
patch for sshguard-1.5-r2.ebuild

Please attach a unified diff next time.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-05 10:22:39 UTC
Applied in -r3. Thanks for the patch!