NetBSD Problem Report #2075
From gnats Tue Feb 13 15:49:11 1996
Received: from rupert.oscs.montana.edu by pain.lcs.mit.edu (8.6.12/8.6.12) with ESMTP id OAA24615 for <gnats-bugs@gnats.netbsd.org>; Tue, 13 Feb 1996 14:44:26 -0500
Message-Id: <199602131943.MAA06491@rupert.oscs.montana.edu>
Date: Tue, 13 Feb 1996 12:43:59 -0700
From: Chris Jones <cjones@rupert.oscs.montana.edu>
Reply-To: cjones@netbsd.org
To: gnats-bugs@gnats.netbsd.org
Subject: change root login failures to LOG_WARNING?
X-Send-Pr-Version: 3.95
>Number: 2075
>Category: security
>Synopsis: change root login failures to LOG_WARNING?
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: cjones
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Feb 13 15:50:01 +0000 1996
>Closed-Date: Mon Aug 15 17:16:29 +0000 2005
>Last-Modified: Mon Aug 15 17:16:29 +0000 2005
>Originator: Chris Jones
>Release: 1.1
>Organization:
***********************cjones@rupert.oscs.montana.edu*********************
* Chris | "You can't say that Microsoft hasn't ever put the buggy *
* Jones | before the horse." -Mark Wistey *
**************************************************************************
>Environment:
System: NetBSD rupert.oscs.montana.edu 1.1 NetBSD 1.1 (SLIM) #0: Wed Nov 22 13:02:54 MST 1995 cjones@rupert.oscs.montana.edu:/home/src/sys/arch/mac68k/compile/SLIM mac68k
>Description:
Maybe root login failures should be changed from LOG_NOTICE to
LOG_WARNING, to put them in a separate class from general login
failures. I'd think that most sysadmins would be much more concerned
about root login failures than other login failures.
>How-To-Repeat:
I can either get a log of all login (and su) failures, or I can get a
log of none. I'd like to be able to get a log of only the ones that
could represent a serious security breach, though.
>Fix:
This will require changing login, su, and probably some kerberos
things. I could make up a patch for login and su, but it would take a
while, since I'm not familiar with them and don't have tons of free
time. If I get around to it, I'll submit another pr.
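The mechanism the report relies on, as an added example that is not NetBSD's login.c or syslogd: a root-aware priority choice with the case of a nonexistent user (NULL pwd) handled, and a small model of syslog.conf selector matching that shows why LOG_WARNING versus LOG_NOTICE is exactly what lets an "auth.warning" line capture root failures and nothing else. The in-memory user table is constructed, and the selector semantics are simplified for illustration (an assumption; real syslogd selectors also take lists, "none" and negation, which are left out).

```c
/* Added example, not NetBSD's login.c or syslogd: the priority choice
 * PR 2075 asks for, plus a model of how a syslog.conf selector then
 * routes root failures separately.  The user table is constructed and
 * the selector semantics are a simplification assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <pwd.h>

/* Constructed stand-in for the password file (no getpwnam(3), so this
 * runs offline): root, one ordinary user, and nothing else. */
static struct passwd users[] = {
    { .pw_name = "root",   .pw_uid = 0 },
    { .pw_name = "cjones", .pw_uid = 1001 },
};

static const struct passwd *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].pw_name, name) == 0)
            return &users[i];
    return NULL;                      /* unknown user, as getpwnam() would return */
}

/* Priority for a failed login: LOG_WARNING for root, LOG_NOTICE otherwise.
 * pwd is NULL when the attempted name does not exist, so the dereference
 * is guarded; failures against unknown names stay ordinary failures. */
int login_failure_priority(const struct passwd *pwd)
{
    if (pwd != NULL && pwd->pw_uid == 0)
        return LOG_WARNING;
    return LOG_NOTICE;
}

int priority_for_name(const char *name)
{
    return login_failure_priority(lookup(name));
}

/* A syslog.conf selector "facility.level".  syslogd looks at the level
 * part of the combined facility|level value passed to syslog(3): a plain
 * selector takes that level and anything more severe (a smaller number;
 * LOG_EMERG is 0, LOG_DEBUG is 7), while "facility.=level" takes only
 * that one level. */
struct selector { int facility; int level; int exact; };

struct selector make_selector(int facility, int level, int exact)
{
    struct selector s = { facility, level, exact };
    return s;
}

int selector_matches(struct selector s, int msg_pri)
{
    if ((msg_pri & LOG_FACMASK) != s.facility)
        return 0;
    if (s.exact)
        return LOG_PRI(msg_pri) == s.level;
    return LOG_PRI(msg_pri) <= s.level;
}

/* The PR's goal: an "auth.warning" line that admits root failures but
 * not ordinary ones.  That holds only if the two classes carry different
 * priorities; with both at LOG_NOTICE no selector can tell them apart. */
int root_failures_separable(int root_pri, int other_pri)
{
    struct selector warn = make_selector(LOG_AUTH, LOG_WARNING, 0);
    return selector_matches(warn, LOG_AUTH | root_pri) &&
           !selector_matches(warn, LOG_AUTH | other_pri);
}

int main(void)
{
    const char *names[] = { "root", "cjones", "nosuchuser" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-11s -> %s\n", names[i],
               priority_for_name(names[i]) == LOG_WARNING ? "auth.warning" : "auth.notice");
    printf("separable with the proposed priorities: %d\n",
           root_failures_separable(priority_for_name("root"), priority_for_name("cjones")));
    printf("separable with both at LOG_NOTICE:       %d\n",
           root_failures_separable(LOG_NOTICE, LOG_NOTICE));
    return 0;
}
```

The last two lines of output are the whole argument of the PR in one place: an "auth.notice" selector already catches LOG_WARNING messages too (more severe levels are included), which is why the current code gives the submitter a log of all failures or none, and only distinct priorities let syslog.conf carve out the root ones.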
>Release-Note:
>Audit-Trail:
From: Chris Jones <cjones@rupert.oscs.montana.edu>
To: gnats-bugs@NetBSD.ORG, netbsd-bugs@NetBSD.ORG
Cc:
Subject: Re: bin/2075: change root login failures to LOG_WARNING?
Date: Wed, 14 Feb 1996 18:59:38 -0700
Here's a patch for /usr/src/usr.bin/login/login.c. Please don't close
the PR yet, as su and kerberos still need to be patched.
*** login.c Wed Feb 14 18:42:53 1996
--- login.c.old Wed Feb 14 17:31:50 1996
***************
*** 302,312 ****
"%s login refused on this terminal.\n",
pwd->pw_name);
if (hostname)
! syslog(LOG_WARNING,
"LOGIN %s REFUSED FROM %s ON TTY %s",
pwd->pw_name, hostname, tty);
else
! syslog(LOG_WARNING,
"LOGIN %s REFUSED ON TTY %s",
pwd->pw_name, tty);
continue;
--- 302,312 ----
"%s login refused on this terminal.\n",
pwd->pw_name);
if (hostname)
! syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s ON TTY %s",
pwd->pw_name, hostname, tty);
else
! syslog(LOG_NOTICE,
"LOGIN %s REFUSED ON TTY %s",
pwd->pw_name, tty);
continue;
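Review bot: the file arguments are in the wrong order for this diff: `*** login.c` is the 18:42 file carrying LOG_WARNING and `--- login.c.old` the 17:31 file carrying LOG_NOTICE, so this hunk reads as a change from LOG_WARNING back to LOG_NOTICE and `patch` would apply the whole thing backwards. Regenerate it as `diff -c login.c.old login.c`. Also, both syslog() calls here are raised unconditionally; nothing in the hunk ties the "LOGIN %s REFUSED" path to pwd->pw_uid == 0, so if that path can be reached for non-root accounts the bump is wider than the root-only aim stated in the PR.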
***************
*** 640,665 ****
badlogin(name)
char *name;
{
- int loglevel;
-
- /* root login failures are a bigger deal than others: */
- if (pwd->pw_uid == 0)
- loglevel = LOG_WARNING;
- else
- loglevel = LOG_NOTICE;
-
if (failures == 0)
return;
if (hostname) {
! syslog(loglevel, "%d LOGIN FAILURE%s FROM %s",
failures, failures > 1 ? "S" : "", hostname);
! syslog(LOG_AUTHPRIV|loglevel,
"%d LOGIN FAILURE%s FROM %s, %s",
failures, failures > 1 ? "S" : "", hostname, name);
} else {
! syslog(loglevel, "%d LOGIN FAILURE%s ON %s",
failures, failures > 1 ? "S" : "", tty);
! syslog(LOG_AUTHPRIV|loglevel,
"%d LOGIN FAILURE%s ON %s, %s",
failures, failures > 1 ? "S" : "", tty, name);
}
--- 640,657 ----
badlogin(name)
char *name;
{
if (failures == 0)
return;
if (hostname) {
! syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s",
failures, failures > 1 ? "S" : "", hostname);
! syslog(LOG_AUTHPRIV|LOG_NOTICE,
"%d LOGIN FAILURE%s FROM %s, %s",
failures, failures > 1 ? "S" : "", hostname, name);
} else {
! syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s",
failures, failures > 1 ? "S" : "", tty);
! syslog(LOG_AUTHPRIV|LOG_NOTICE,
"%d LOGIN FAILURE%s ON %s, %s",
failures, failures > 1 ? "S" : "", tty, name);
}
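Review bot: `pwd->pw_uid == 0` in badlogin() dereferences pwd without a NULL check, and nothing in the hunk shows pwd is non-NULL at this point; after a getpwnam() miss for a name that does not exist it would be NULL, so guard it: `if (pwd != NULL && pwd->pw_uid == 0)`. Note too that pwd reflects the most recent name tried rather than `name`, so a run of failures against root that ends with a final attempt as some other user is logged at LOG_NOTICE; deriving the level from `name`, or from the uid recorded at each failure, would match the PR's intent more closely. Same reversed-order caveat as the first hunk: the `-` lines here are the intended additions.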
From: Chris Jones <cjones@rupert.oscs.montana.edu>
To: gnats-bugs@NetBSD.ORG, netbsd-bugs@NetBSD.ORG
Cc:
Subject: Re: bin/2075: change root login failures to LOG_WARNING?
Date: Wed, 14 Feb 1996 19:59:53 -0700
Here's a patch for su. Please note that this doesn't directly fix the
problem in my pr; incorrect passwords are all reported at a priority
of LOG_WARNING. I did, however, change the kerberos section of su so
that it will report incorrect passwords with the same priority,
instead of LOG_NOTICE, which was the previous. Maybe this should be
in a different pr...
It's also possible that su should report bad passwords to both
LOG_AUTH and LOG_AUTHPRIV, like login does. That's a judgment call
that I'm not going to make.
As for kerberos, I'm not familiar with it, and consequently I don't
know which, if any, files should be changed. Please either close the
pr if this all doesn't apply to kerberos, or leave it open if it does.
*** su.c.old Wed Feb 14 17:31:56 1996
--- su.c Wed Feb 14 19:29:55 1996
***************
*** 364,370 ****
}
(void)fprintf(stderr, "su: unable to su: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_NOTICE|LOG_AUTH,
"BAD Kerberos SU: %s to %s%s: %s",
username, user, ontty(), krb_err_txt[kerno]);
return (1);
--- 364,370 ----
}
(void)fprintf(stderr, "su: unable to su: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_WARNING|LOG_AUTH,
"BAD Kerberos SU: %s to %s%s: %s",
username, user, ontty(), krb_err_txt[kerno]);
return (1);
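Review bot: raising "BAD Kerberos SU" to LOG_WARNING for every target does not produce the root-specific class the PR asks for; `user` (the target account) is already among the format arguments, so the priority could be chosen per target (LOG_WARNING when it is root, LOG_NOTICE otherwise) instead of being hard-coded. The hunk is consistent with the covering note's point that the non-Kerberos path already logs bad passwords at LOG_WARNING, but the PR's stated goal is still unaddressed by it.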
***************
*** 398,404 ****
} else if (kerno != KSUCCESS) {
(void)fprintf(stderr, "Unable to use TGT: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s",
username, user, ontty(), krb_err_txt[kerno]);
dest_tkt();
return (1);
--- 398,404 ----
} else if (kerno != KSUCCESS) {
(void)fprintf(stderr, "Unable to use TGT: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_WARNING|LOG_AUTH, "failed su: %s to %s%s: %s",
username, user, ontty(), krb_err_txt[kerno]);
dest_tkt();
return (1);
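Review bot: the message text here ("Unable to use TGT") reports a Kerberos failure after a ticket was obtained, not a wrong password, so logging it at LOG_WARNING mixes operational errors into the class the PR wants reserved for security-relevant failures; leaving it at LOG_NOTICE, or using LOG_ERR since that is what it is, keeps the warning class meaningful.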
***************
*** 416,422 ****
(void)fprintf(stderr,
"su: unable to verify rcmd ticket: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_NOTICE|LOG_AUTH,
"failed su: %s to %s%s: %s", username,
user, ontty(), krb_err_txt[kerno]);
dest_tkt();
--- 416,422 ----
(void)fprintf(stderr,
"su: unable to verify rcmd ticket: %s\n",
krb_err_txt[kerno]);
! syslog(LOG_WARNING|LOG_AUTH,
"failed su: %s to %s%s: %s", username,
user, ontty(), krb_err_txt[kerno]);
dest_tkt();
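Review bot: same concern as the TGT hunk, with one addition: this path and the previous one now emit the identical text "failed su: %s to %s%s: %s" at the identical priority, distinguishable only by the krb_err_txt[] suffix, and a failure to verify the rcmd ticket can be a configuration problem as readily as an authentication one. If both stay at LOG_WARNING, at least make the two messages differ in text (say "failed su (rcmd ticket)") so a log filter can tell them from each other and from a bad password.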
State-Changed-From-To: open->analyzed
State-Changed-By: fair
State-Changed-When: Tue Jul 7 23:25:56 PDT 1998
State-Changed-Why:
This looks like a reasonable change to make; are there any other subsystems
which need to be patched to deal? ftpd? rshd? I've also adjusted the
category of this PR from "bin" to "security" since that's what the issue is.
Responsible-Changed-From-To: bin-bug-people->security-officer
Responsible-Changed-By: fair
Responsible-Changed-When: Thu Jan 14 01:13:24 PST 1999
Responsible-Changed-Why:
New lucky sot.
Responsible-Changed-From-To: security-officer->cjones
Responsible-Changed-By: fair
Responsible-Changed-When: Sun Jan 30 12:50:53 PST 2000
Responsible-Changed-Why:
The submitter is now a developer. One proviso, though: be mindful that every
poor system administrator has to read a lot of log data, and too many notices
is often a worse state of affairs than too few, in that things are more easily
lost in the noise.
From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: tech-security@netbsd.org
Subject: re: security/2075
Date: Sun, 14 Aug 2005 20:52:25 +0300
Hi,
I'm about to close this PR for the following reasons:
1. Maybe in 1996 a failed root login was an anomaly; today it's just
noise.
2. The proposed fix, or any fix for the outlined ``problem'' in the PR,
would require changes in too many parts of the tree which may not be
desired by most admins.
3. Public keys, disallowing remote root logins in ssh, ftp, are common
practice.
4. An attacker trying to brute-force an account password (with or
without a master.passwd), let alone the root password, is very
uncommon; I believe the majority, if not all, of inexperienced
attackers today will attempt to run their arsenal of exploits on a
target system.
Experienced attackers will attempt their *private* arsenal of
exploits on a target system. :)
5. Many tools allow specifying log facility and/or priority; if any
modification is to be done at all, and I certainly think that there
should be *no* modification (!), it should be to allow an admin to
specify log facility/priority. Changing the default is bad.
6. There are a variety of log monitoring tools and brute-force attack
mitigation methods; if an admin cares enough, there are better
ways to handle it.
7. Filtering what a specific admin cares about from the logfiles should
be done by log monitoring tools. If an admin does it manually,
probably using ``egrep'', it certainly makes no difference in what
file these logs are in.
And there are plenty more.. :)
-e.
--
Elad Efrat
PGP Key ID: 0x666EB914
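The log filtering Elad refers to in point 7, as an added example that is not part of the PR or of NetBSD: a small C filter that recognises the exact message formats login(1) and su(1) emit in the patches above and flags the ones aimed at root, so the separation the PR wanted from syslog priorities is done after the fact instead. The sample lines are constructed, and the "date host program: " prefix syslogd writes in front of each message is an assumption.

```c
/* Added example, not part of PR 2075 or of NetBSD: the kind of filter an
 * admin runs over the auth log instead of changing priorities in the tree.
 * It recognises the message formats login(1) and su(1) emit in the patches
 * above.  Sample lines are constructed; the "date host program: " prefix
 * assumed here is what syslogd normally writes in front of a message. */
#include <stdio.h>
#include <string.h>

enum kind { OTHER = 0, LOGIN_FAILURE, LOGIN_REFUSED, SU_FAILURE };

struct event {
    enum kind kind;
    char user[64];   /* account the failure was against, "" if the line lacks it */
    int root;        /* 1 when that account is root */
};

/* Copy src into dst (n bytes) up to the first byte found in stops or end of string. */
static void take_token(char *dst, size_t n, const char *src, const char *stops)
{
    size_t i = 0;
    while (src[i] != '\0' && strchr(stops, src[i]) == NULL && i + 1 < n) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

struct event classify(const char *line)
{
    struct event ev;
    const char *p;

    memset(&ev, 0, sizeof ev);

    if ((p = strstr(line, " LOGIN FAILURE")) != NULL) {
        /* "%d LOGIN FAILURE%s FROM %s, %s" / "%d LOGIN FAILURE%s ON %s, %s":
         * the LOG_AUTHPRIV copy ends in ", name"; the LOG_AUTH copy has no name. */
        const char *comma = strrchr(p, ',');
        ev.kind = LOGIN_FAILURE;
        if (comma != NULL && comma[1] == ' ')
            take_token(ev.user, sizeof ev.user, comma + 2, " \r\n");
    } else if ((p = strstr(line, "LOGIN ")) != NULL && strstr(p, " REFUSED") != NULL) {
        /* "LOGIN %s REFUSED FROM %s ON TTY %s" / "LOGIN %s REFUSED ON TTY %s" */
        ev.kind = LOGIN_REFUSED;
        take_token(ev.user, sizeof ev.user, p + strlen("LOGIN "), " \r\n");
    } else if (strstr(line, "BAD Kerberos SU: ") != NULL ||
               strstr(line, "failed su: ") != NULL) {
        /* "BAD Kerberos SU: %s to %s%s: %s" / "failed su: %s to %s%s: %s":
         * the target follows " to " and ends at ontty()'s " on tty.." or the ':' */
        p = strstr(line, " to ");
        ev.kind = SU_FAILURE;
        if (p != NULL)
            take_token(ev.user, sizeof ev.user, p + strlen(" to "), " :\r\n");
    }

    ev.root = ev.kind != OTHER && strcmp(ev.user, "root") == 0;
    return ev;
}

enum kind kind_of(const char *line) { return classify(line).kind; }
int is_root_failure(const char *line) { return classify(line).root; }

int failure_against(const char *line, const char *user)
{
    struct event ev = classify(line);
    return ev.kind != OTHER && strcmp(ev.user, user) == 0;
}

size_t count_root_failures(const char *const *lines, size_t n)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        hits += is_root_failure(lines[i]);
    return hits;
}

/* Constructed sample of an auth log: three root-related failures, one
 * failure against an ordinary user, one LOG_AUTH copy without a name,
 * one su failure against a non-root target, and one unrelated line. */
static const char *const sample[] = {
    "Feb 14 19:01:02 rupert login: 3 LOGIN FAILURES FROM evil.example.org, root",
    "Feb 14 19:01:02 rupert login: 3 LOGIN FAILURES FROM evil.example.org",
    "Feb 14 19:05:17 rupert login: 1 LOGIN FAILURE ON ttyp1, cjones",
    "Feb 14 19:07:44 rupert login: LOGIN root REFUSED FROM evil.example.org ON TTY ttyp2",
    "Feb 14 19:09:30 rupert su: BAD Kerberos SU: cjones to root on ttyp1: Incorrect password",
    "Feb 14 19:10:05 rupert su: failed su: cjones to operator: Can't decode authenticator",
    "Feb 14 19:11:00 rupert sshd[123]: Accepted publickey for cjones from 10.0.0.5",
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

int main(void)
{
    size_t i;
    for (i = 0; i < NSAMPLE; i++)
        if (is_root_failure(sample[i]))
            printf("ROOT  %s\n", sample[i]);
    printf("%zu root-related failures\n", count_root_failures(sample, NSAMPLE));
    return 0;
}
```

The filter keys on the LOG_AUTHPRIV copy of the login message because only that copy carries the account name (the LOG_AUTH copy in the same hunk omits it), which is the practical reason to read authlog rather than the general log when hunting root failures.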
State-Changed-From-To: analyzed->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Mon, 15 Aug 2005 17:16:29 +0000
State-Changed-Why:
http://mail-index.netbsd.org/tech-security/2005/08/14/0000.html
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.