security/sshit/files/patch-sshit.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

--- sshit.orig	2007-11-07 13:56:13.000000000 +0800
+++ sshit	2007-11-07 13:56:16.000000000 +0800
@@ -283,7 +283,7 @@
 				if ($list{$ip}{n} < $MAX_COUNT) {
 					# delete all ip's that hasn't reached $MAX_COUNT within time
 					if (time() - $list{$ip}{time} > $WITHIN_TIME) {
-						syslog(LOG_ERR, "janitor deleted $ip (did not reach $MAX_COUNT attempts within $WITHIN_TIME seconds)\n");
+						syslog(LOG_INFO, "janitor deleted $ip (did not reach $MAX_COUNT attempts within $WITHIN_TIME seconds)\n");
 						delete($list{$ip});
 					}
 				} else {
@@ -297,7 +297,7 @@
 					        } elsif ($FIREWALL_TYPE =~ /^pf$/i) {
 						  	system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip");
 						}
-						syslog(LOG_ERR, "janitor removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n");
+						syslog(LOG_INFO, "janitor removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n");
 						delete($list{$ip});
 					}
 				}
@@ -317,7 +317,7 @@
 
 while (<>) {
 	chomp;
-	if (/(failed|Invalid user) .*from (\d+\.\d+\.\d+\.\d+|[\da-fA-F:]+)/i ) { # IPv4 & IPv6
+	if (/(failed|error|Invalid user) .*from (\d+\.\d+\.\d+\.\d+|[\da-f:]*:[\da-f:]+|([\da-z-]+\.)+[a-z]{2,4})/i ) { # IPv4 & IPv6
 		$ip = $2;
 		if ($list{$ip}{name}) {
 			if ($list{$ip}{n} >= $MAX_COUNT) {
@@ -339,17 +339,17 @@
 						# Assign a rule number and do the actual block
 						$list{$ip}{rulenr} = $ipfw_rulenr;
 						system("$IPFW_CMD add $ipfw_rulenr deny tcp from $ip to me 21,22 > /dev/null");
-						syslog(LOG_ERR, "BLOCKING $ip, rule $ipfw_rulenr\n");
+						syslog(LOG_INFO, "BLOCKING $ip, rule $ipfw_rulenr\n");
 						$ipfw_rulenr++;
 						if ($ipfw_rulenr > $IPFW_RULE_END) { $ipfw_rulenr = $IPFW_RULE_START; }
 
 					} elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) {
 					  	system("$IPFW2_CMD table $IPFW2_TABLE_NO add $ip");
-						syslog(LOG_ERR, "BLOCKING $ip with ipfw2\n");
+						syslog(LOG_INFO, "BLOCKING $ip with ipfw2\n");
 
 					} elsif ($FIREWALL_TYPE =~ /^pf$/i) {
 					  	system("$PFCTL_CMD -t $PF_TABLE -Tadd $ip");
-						syslog(LOG_ERR, "BLOCKING $ip with pf\n");
+						syslog(LOG_INFO, "BLOCKING $ip with pf\n");
 					}
 				}
 			}
@@ -364,7 +364,7 @@
 	}
 }
 
-syslog(LOG_ERR, "fd closed. clean up");
+syslog(LOG_INFO, "fd closed. clean up");
 foreach $ip (keys %list) {
 	if($FIREWALL_TYPE =~ /^ipfw$/i)
 	{
@@ -374,7 +374,7 @@
 	} elsif ($FIREWALL_TYPE =~ /^pf$/i) {
 		system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip");
 	}
-	syslog(LOG_ERR, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n");
+	syslog(LOG_INFO, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n");
 	delete($list{$ip});
 }