[LEDE-DEV] [PATCH] dropbear: make syslog support configurable

Philip Prindeville philipp_subx at redfish-solutions.com
Sat Nov 4 10:58:52 PDT 2017


NAK, inline:


> On Nov 3, 2017, at 6:46 AM, Hans Dedecker <dedeckeh at gmail.com> wrote:
> 
> By default dropbear logs to syslog which discloses info about account names
> when doing connection attempts (e.g. "Bad password attempt for 'engineer' from
> x.x.x.x:y")
> As this facilitates brute force attempts against account names; make syslog
> support configurable in order not to leak sensitive info via syslog.
> 
> Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
> ---
> package/network/services/dropbear/Config.in | 6 ++++++
> package/network/services/dropbear/Makefile  | 7 ++++---
> 2 files changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
> index ca0af9d..95316b9 100644
> --- a/package/network/services/dropbear/Config.in
> +++ b/package/network/services/dropbear/Config.in
> @@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
> 	help
> 		Dropbear will use pututline() to write the utmp structure into the utmp file.
> 
> +config DROPBEAR_DISABLE_SYSLOG
> +	bool "Disable syslog logging"
> +	default n
> +	help
> +		Disables syslog log support; log messages will be redirected to stderr.
> +


Not logging attacks at all is the worst possible option.  See the rationale for auditing and logging in the NSA’s Red Book.

A better fix is a patch which logs different message contents (i.e. maybe one without the user name) based on a command-line option, or that just logs this message at a different priority (info versus notice, for example) so they could be dropped just by raising the log level.

-Philip



> endmenu
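Review bot: the help text `+		Disables syslog log support; log messages will be redirected to stderr.` understates the consequence for a daemon: once set, the failed-login lines quoted in the commit message no longer reach syslog, and nothing in this patch (the diffstat touches only Config.in and the Makefile) arranges for the daemon's stderr to be kept, so those events are not recorded anywhere. Suggest either saying so plainly in the help text or reworking the option so the event is still logged without the account name.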
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
> index 2db2f81..32efa7b 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
> 
> PKG_NAME:=dropbear
> PKG_VERSION:=2017.75
> -PKG_RELEASE:=4
> +PKG_RELEASE:=5
> 
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:= \
> @@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
> PKG_CONFIG_DEPENDS:= \
> 	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
> 	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
> -	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
> +	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
> +	CONFIG_DROPBEAR_DISABLE_SYSLOG
> 
> include $(INCLUDE_DIR)/package.mk
> 
> @@ -69,7 +70,7 @@ endef
> CONFIGURE_ARGS += \
> 	--disable-pam \
> 	--enable-openpty \
> -	--enable-syslog \
> +	$(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
> 	--disable-lastlog \
> 	--disable-utmpx \
> 	$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
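Review bot: `+	$(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \` reads as a double negative (a DISABLE_ symbol whose unset state enables the feature), unlike the neighbouring `$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp)` which keys off a positively named symbol. Suggest a `DROPBEAR_SYSLOG` bool defaulting to y and `$(if $(CONFIG_DROPBEAR_SYSLOG),,--disable-syslog)` here; the default stays the same and the option matches the pattern of the others.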
> -- 
> 1.9.1
> 
> 
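The priority-based alternative Philip describes, as an added C illustration constructed for this page (not code from the patch or from dropbear): the failed-login event is always emitted, but the line carrying the account name goes out at LOG_INFO while a name-free line goes out at LOG_NOTICE, so raising the log mask drops the name without losing the event. The message text follows the one quoted in the commit message; the account name and peer address are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Name-free audit line: the event itself, sent at LOG_NOTICE. */
static int format_generic(char *buf, size_t len, const char *peer)
{
    snprintf(buf, len, "Bad password attempt from %s", peer);
    return LOG_NOTICE;
}

/* Detailed line naming the account, sent one step lower at LOG_INFO. */
static int format_detailed(char *buf, size_t len, const char *user,
                           const char *peer)
{
    snprintf(buf, len, "Bad password attempt for '%s' from %s", user, peer);
    return LOG_INFO;
}

/* 1 if a message of priority prio passes the syslog mask, i.e. the same
 * check the C library applies after setlogmask(). */
static int passes_mask(int prio, int mask)
{
    return (LOG_MASK(prio) & mask) != 0;
}

/* Log one failure under the given mask. Returns how many lines were sent:
 * 2 when the mask admits LOG_INFO, 1 when it stops at LOG_NOTICE, so the
 * event survives a raised log level even though the name does not. */
static int log_auth_failure(const char *user, const char *peer, int mask)
{
    char line[160];
    int sent = 0, prio;

    prio = format_generic(line, sizeof line, peer);
    if (passes_mask(prio, mask)) { syslog(prio, "%s", line); sent++; }

    prio = format_detailed(line, sizeof line, user, peer);
    if (passes_mask(prio, mask)) { syslog(prio, "%s", line); sent++; }

    return sent;
}

int main(void)
{
    /* Constructed sample values: an account name and a documentation-range peer. */
    const char *user = "engineer", *peer = "192.0.2.10:51234";
    int verbose = log_auth_failure(user, peer, LOG_UPTO(LOG_INFO));
    int quiet = log_auth_failure(user, peer, LOG_UPTO(LOG_NOTICE));
    printf("lines sent: verbose=%d name-suppressed=%d\n", verbose, quiet);
    return 0;
}
```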