[LEDE-DEV] [PATCH] dropbear: make syslog support configurable
Philip Prindeville
philipp_subx at redfish-solutions.com
Sat Nov 4 10:58:52 PDT 2017
NAK, inline:
> On Nov 3, 2017, at 6:46 AM, Hans Dedecker <dedeckeh at gmail.com> wrote:
>
> By default dropbear logs to syslog which discloses info about account names
> when doing connection attempts (e.g. "Bad password attempt for 'engineer' from
> x.x.x.x:y")
> As this facilitates brute force attempts against account names, make syslog
> support configurable in order not to leak sensitive info via syslog.
>
> Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
> ---
> package/network/services/dropbear/Config.in | 6 ++++++
> package/network/services/dropbear/Makefile | 7 ++++---
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
> index ca0af9d..95316b9 100644
> --- a/package/network/services/dropbear/Config.in
> +++ b/package/network/services/dropbear/Config.in
> @@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
> help
> Dropbear will use pututline() to write the utmp structure into the utmp file.
>
> +config DROPBEAR_DISABLE_SYSLOG
> + bool "Disable syslog logging"
> + default n
> + help
> + Disables syslog log support; log messages will be redirected to stderr.
> +
Not logging attacks at all is the worst possible option. See the rationale for auditing and logging in the NSA’s Red Book.
Better fix is a patch which logs different message contents (i.e. maybe one without the user name) based on a command-line option or that just logs this message at a different priority (info versus notice, for example) so they could be dropped just by raising the log level.
-Philip
> endmenu
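Review bot: the help text on the `+ Disables syslog log support; log messages will be redirected to stderr.` line understates the effect of the option: once set, authentication failures such as the "Bad password attempt" message quoted in the commit message no longer reach syslog at all, so anything that watches syslog for repeated failed logins loses that signal. The help text should state that this removes all of dropbear's syslog output, not only the account-name detail the commit message targets, and that the failed-login audit trail is lost unless stderr is collected some other way.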
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
> index 2db2f81..32efa7b 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>
> PKG_NAME:=dropbear
> PKG_VERSION:=2017.75
> -PKG_RELEASE:=4
> +PKG_RELEASE:=5
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:= \
> @@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
> PKG_CONFIG_DEPENDS:= \
> CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
> CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
> - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
> + CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
> + CONFIG_DROPBEAR_DISABLE_SYSLOG
>
> include $(INCLUDE_DIR)/package.mk
>
> @@ -69,7 +70,7 @@ endef
> CONFIGURE_ARGS += \
> --disable-pam \
> --enable-openpty \
> - --enable-syslog \
> + $(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
> --disable-lastlog \
> --disable-utmpx \
> $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
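Review bot: `$(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog)` is an all-or-nothing build-time switch, so the goal the commit message states (not leaking account names) can only be met by dropping every syslog message dropbear emits, and the choice cannot be revisited without rebuilding the package. A finer alternative that still meets the stated goal is a runtime option that omits the account name from the message, or that emits it at a lower priority so a syslog level threshold filters it, keeping the count of failed attempts visible to whoever reads the logs.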
> --
> 1.9.1
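As an added illustration of the alternative raised in the review above (not code from the patch or from dropbear itself), the hypothetical helpers below show the two options side by side: a runtime flag that decides whether the account name appears in the message, and demoting the message to LOG_INFO so that a syslog threshold of LOG_NOTICE filters it while the count of attempts stays visible at LOG_INFO. The function names, the filter model and the sample address are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper, not dropbear's: build the failed-login message and
 * return the syslog priority it should be sent with. When include_user is
 * false the account name is omitted, so the log still records that an
 * attempt happened without revealing which account was probed. */
int format_auth_failure(bool include_user, const char *user,
                        const char *addr, char *buf, size_t len)
{
    if (include_user)
        snprintf(buf, len, "Bad password attempt for '%s' from %s", user, addr);
    else
        snprintf(buf, len, "Bad password attempt from %s", addr);

    /* Emit at LOG_INFO rather than LOG_NOTICE: an operator who does not
     * want these lines can raise the syslog threshold instead of silencing
     * dropbear entirely. The caller would pass this to syslog(prio, "%s", buf). */
    return LOG_INFO;
}

/* Model of a syslog consumer that keeps a message only when its priority is
 * at least as severe as the configured threshold. In <syslog.h> a lower
 * numeric value is a higher priority (LOG_NOTICE is 5, LOG_INFO is 6). */
bool syslog_would_keep(int priority, int threshold)
{
    return priority <= threshold;
}

int main(void)
{
    char buf[128];
    int prio;

    /* Constructed sample: account name hidden, message demoted to LOG_INFO. */
    prio = format_auth_failure(false, "engineer", "203.0.113.5:4022", buf, sizeof buf);
    printf("[prio %d] %s\n", prio, buf);
    printf("kept at LOG_INFO threshold:   %d\n", syslog_would_keep(prio, LOG_INFO));
    printf("kept at LOG_NOTICE threshold: %d\n", syslog_would_keep(prio, LOG_NOTICE));
    return 0;
}
```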