[LEDE-DEV] [PATCH] dropbear: make syslog support configurable
Hans Dedecker
dedeckeh at gmail.com
Fri Nov 3 05:46:14 PDT 2017
By default dropbear logs to syslog, which discloses account names when
connection attempts are made (e.g. "Bad password attempt for 'engineer' from
x.x.x.x:y").
As this facilitates brute-force attempts against account names, make syslog
support configurable so that sensitive info is not leaked via syslog.
Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
---
package/network/services/dropbear/Config.in | 6 ++++++
package/network/services/dropbear/Makefile | 7 ++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index ca0af9d..95316b9 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
help
Dropbear will use pututline() to write the utmp structure into the utmp file.
+config DROPBEAR_DISABLE_SYSLOG
+ bool "Disable syslog logging"
+ default n
+ help
+ Disables syslog log support; log messages will be redirected to stderr.
+
endmenu
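Review bot: The help text for DROPBEAR_DISABLE_SYSLOG does not say that the option removes every dropbear syslog record, including the login-attempt messages that brute-force detection and incident review rely on. The commit message motivates it by account names appearing in the log, but the switch is all-or-nothing at build time, so someone choosing it in menuconfig should see that trade-off. I would extend the help to something like `Disables syslog support; log messages go to stderr instead. Authentication events are then no longer recorded in the system log.` Whether the stderr output is captured anywhere depends on how the init script starts dropbear, which is not visible in this patch, so the help should not imply that the messages remain available.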
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 2db2f81..32efa7b 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
PKG_VERSION:=2017.75
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
@@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
- CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
+ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
+ CONFIG_DROPBEAR_DISABLE_SYSLOG
include $(INCLUDE_DIR)/package.mk
@@ -69,7 +70,7 @@ endef
CONFIGURE_ARGS += \
--disable-pam \
--enable-openpty \
- --enable-syslog \
+ $(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
--disable-lastlog \
--disable-utmpx \
$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
--
1.9.1