Hi
Got some entries like this in the logs this morning
sshd[12398]: Invalid user <!-- from 180.186.74.94
The result was that everything in the epylog report after the "User Failures" header was treated as a comment and not displayed.
It's simple enough to post edit the report to replace <!-- with <!--- but I was wondering if there's a better way of handling cases like this.
Thanks -- Ian
On Wed, 2012-04-04 at 00:50 +0000, Ian Mortimer wrote:
> Hi
> Got some entries like this in the logs this morning
> sshd[12398]: Invalid user <!-- from 180.186.74.94
> The result was that everything in the epylog report after the "User Failures" header was treated as a comment and not displayed.
> It's simple enough to post edit the report to replace <!-- with <!--- but I was wondering if there's a better way of handling cases like this.
Hi, Ian:
This doesn't sound right. The following code runs against all unparsed strings (publishers.py:81):
    if unparsed is not None:
        logger.put(3, 'Regexing <, > and &')
        unparsed = re.sub(re.compile('&'), '&amp;', unparsed)
        unparsed = re.sub(re.compile('<'), '&lt;', unparsed)
        unparsed = re.sub(re.compile('>'), '&gt;', unparsed)
        logger.put(3, 'Wrapping unparsed strings into <pre>')
        unparsed = '<pre>\n%s</pre>' % unparsed
(Let's ignore the use of re.sub instead of simple string.replace here :)).
Something else is going on here. Can you send me the offending log strings from syslog?
Best,
On Tue, Apr 10, 2012 at 01:19:28PM -0400, Konstantin Ryabitsev wrote:
> Something else is going on here. Can you send me the offending log strings from syslog?
I got hit with the same problem as Ian did (same IP address in China, even) on two occasions about a week ago. Here are the raw syslog entries featuring this "username":
Apr 2 17:52:50 hostname sshd[8179]: Invalid user <!-- from 180.186.74.94
Apr 2 17:52:50 hostname sshd[8180]: input_userauth_request: invalid user <!--
Apr 2 17:52:50 hostname sshd[8179]: pam_unix(sshd:auth): bad username [<!--]
Apr 2 17:52:50 hostname sshd[8179]: pam_succeed_if(sshd:auth): error retrieving information about user <!--
Apr 2 17:52:50 hostname sshd[8179]: Failed password for invalid user <!-- from 180.186.74.94 port 52102 ssh2
cheers, - Paul
On Tue, 2012-04-10 at 13:19 -0400, Konstantin Ryabitsev wrote:
> Something else is going on here. Can you send me the offending log strings from syslog?
My log entries are identical to the ones Paul Stauffer posted.
This was with epylog 1.0.3 on CentOS 6 (from EPEL) so I tested with 1.0.7 and got the same result.
The output html has this under Logins:
<h2>Logins</h2>
<table width="100%" rules="cols" cellpadding="2"><tr><th align="left" colspan="3"><h3><font color="red">User Failures</font></h3></th></tr>
<tr bgcolor="#dddddd"><td valign="top" width="15%"><!--</td><td valign="top" width="15%">ssh2(pw)</td><td width="70%">hostname(1)</td></tr>
Nothing displays in the html after the h3 header "User Failures" because of the comment code.
However, further down under Unparsed Strings there's:
sshd[12345]: input_userauth_request: invalid user <!--
So it looks like the comment string is being substituted in Unparsed strings but not under Logins/User Failures.
Thanks
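
The difference between the two report sections described in this thread, as an added example that is not epylog's code and not part of any message above: a username taken from an sshd log line is written into a table cell once as-is and once HTML-escaped. The names render_row, render_report and visible_text are hypothetical, the sample line is constructed from the entries quoted in the thread, and visible_text is a simplified model in which an unterminated comment runs to the end of the document.

```python
import html
import re

# Constructed sample, modelled on the syslog entries quoted in the thread.
SAMPLE = "Apr  2 17:52:50 hostname sshd[8179]: Invalid user <!-- from 180.186.74.94"

# Greedy match on the username so a name containing " from " still parses;
# the address is the last token on this form of the line.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)$")
COMMENT = re.compile(r"<!--.*?(?:-->|\Z)", re.S)  # unterminated comment runs to EOF
TAG = re.compile(r"<[^>]*>")


def parse_invalid_user(line):
    """Return (username, source address) or None if the line does not match."""
    m = INVALID_USER.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def render_row(user, method, host, escape=True):
    """Hypothetical report row builder: every cell value comes from log data."""
    cells = [user, method, host]
    if escape:
        # Encode at the point of output, for every section of the report.
        cells = [html.escape(c, quote=True) for c in cells]
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def render_report(rows):
    """Hypothetical two-section report: login failures, then unparsed strings."""
    return ("<h3>User Failures</h3><table>%s</table>"
            "<h2>Unparsed Strings</h2>" % "".join(rows))


def visible_text(document):
    """Simplified model of what is displayed: drop comments, then tags."""
    return html.unescape(TAG.sub("", COMMENT.sub("", document)))


if __name__ == "__main__":
    user, ip = parse_invalid_user(SAMPLE)
    for escape in (False, True):
        report = render_report([render_row(user, "ssh2(pw)", "hostname", escape)])
        print("escape=%s visible=%r" % (escape, visible_text(report)))
```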