From 9085a944fed9bd96a384d773de42f1f4caee9e84 Mon Sep 17 00:00:00 2001 From: Bruno Randolf Date: Thu, 14 Sep 2017 15:22:21 +0100 Subject: [PATCH 1/3] Adapt regex for case when root login is not allowed Adapt regex of "Exit before auth" for the case when dropbear is configured to not allow root logins (RootLogin 'off'). The log entry in this case looks like this: Exit before auth (user 'root', 0 fails): Exited normally --- bearDropper | 4 ++-- src/bearDropper.sh | 4 ++-- src/config/bearDropper | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bearDropper b/bearDropper index 776e47c..3717119 100755 --- a/bearDropper +++ b/bearDropper @@ -197,7 +197,7 @@ getLogTime () { # extra validation, fails safe. Args: $1=log line getLogIP () { local logLine="$1" - local ebaPID=`echo "$logLine" | sed -n 's/^.*authpriv.info \(dropbear\[[0-9]*\]:\) Exit before auth:.*/\1/p'` + local ebaPID=`echo "$logLine" | sed -n 's/^.*authpriv.info \(dropbear\[[0-9]*\]:\) Exit before auth.*/\1/p'` [ -n "$ebaPID" ] && logLine=`$cmdLogreadEba | fgrep "${ebaPID} Child connection from "` echo "$logLine" | sed -n 's/^.*[^0-9]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' } @@ -429,7 +429,7 @@ exitStatus=0 fileRegex="/tmp/bearDropper.$$.regex" uciLoad logRegex 's/[`$"'\\\'']//g' '/has invalid shell, rejected$/d' \ '/^[A-Za-z ]+[0-9: ]+authpriv.warn dropbear\[.+([0-9]+\.){3}[0-9]+/p' \ - '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth:.*/p' > "$fileRegex" + '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth.*/p' > "$fileRegex" lastPersistentStateWrite="`date +%s`" loadState bddbCheckStatusAll diff --git a/src/bearDropper.sh b/src/bearDropper.sh index 2b58fbf..840824d 100755 --- a/src/bearDropper.sh +++ b/src/bearDropper.sh 
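Review bot: In getLogIP, the relaxed `ebaPID` match sends more log entries through the PID lookup on the next line, and that lookup keeps every buffered `Child connection from` line carrying the same `dropbear[PID]:` tag. If a PID was reused within the log buffer (inferred, since `$cmdLogreadEba` is defined outside this hunk), the final sed prints one address per matching line, so an address from an unrelated connection could be attributed to this failure. Bounding the result to one line, for example by appending `| tail -n 1` to the `fgrep` pipeline, narrows this, although that picks the correct entry only when the log is being followed. The same applies to the getLogIP hunk in src/bearDropper.sh.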
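Review bot: The changed `uciLoad logRegex` line still redirects into `fileRegex="/tmp/bearDropper.$$.regex"`, a name that is predictable from the process ID and sits in a shared temporary directory. The file is later executed as a sed script (`sed -nEf "$fileRegex"` in the log-mode hunks), so a pre-existing file or link at that path matters more than it would for ordinary scratch data. This is a concern only where other local accounts exist on the device, which the page does not show. Creating the file with `fileRegex=$(mktemp /tmp/bearDropper.XXXXXX) || exit 1` removes the guessable name. The same statement appears in the `@@ -340` hunk of src/bearDropper.sh and in the `@@ -341` and `@@ -430` hunks of the later patches; this top-level statement run continues outside the hunk.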
@@ -108,7 +108,7 @@ getLogTime () { # extra validation, fails safe. Args: $1=log line getLogIP () { local logLine="$1" - local ebaPID=`echo "$logLine" | sed -n 's/^.*authpriv.info \(dropbear\[[0-9]*\]:\) Exit before auth:.*/\1/p'` + local ebaPID=`echo "$logLine" | sed -n 's/^.*authpriv.info \(dropbear\[[0-9]*\]:\) Exit before auth.*/\1/p'` [ -n "$ebaPID" ] && logLine=`$cmdLogreadEba | fgrep "${ebaPID} Child connection from "` echo "$logLine" | sed -n 's/^.*[^0-9]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' } @@ -340,7 +340,7 @@ exitStatus=0 fileRegex="/tmp/bearDropper.$$.regex" uciLoad logRegex 's/[`$"'\\\'']//g' '/has invalid shell, rejected$/d' \ '/^[A-Za-z ]+[0-9: ]+authpriv.warn dropbear\[.+([0-9]+\.){3}[0-9]+/p' \ - '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth:.*/p' > "$fileRegex" + '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth.*/p' > "$fileRegex" lastPersistentStateWrite="`date +%s`" loadState bddbCheckStatusAll diff --git a/src/config/bearDropper b/src/config/bearDropper index 41159ea..64d79f5 100644 --- a/src/config/bearDropper +++ b/src/config/bearDropper @@ -54,7 +54,7 @@ config bearDropper list logRegex '/has invalid shell, rejected$/d' # delete (/d) - use to filter out # print (/p) - use to filter in list logRegex '/^[A-Za-z ]+[0-9: ]+authpriv.warn dropbear\[.+([0-9]+\.){3}[0-9]+/p' - list logRegex '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth:.*/p' + list logRegex '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth.*/p' # whitelist entries do not work yet; as a temporary workaround, put in a firewall rule upstream # From d3cb2daec7a24a4c957eac3481fac042feefa3e5 Mon Sep 17 00:00:00 2001 
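Review bot: Dropping the colon leaves `Exit before auth.*` with no delimiter after the phrase, so the rule now accepts any text beginning with those words rather than only the two known forms. `Exit before auth[ :].*` would still cover both `Exit before auth: ...` and the `Exit before auth (user 'root', 0 fails): ...` entry quoted in the commit message. The same pattern is used in the getLogIP and `uciLoad logRegex` hunks of bearDropper and src/bearDropper.sh. A comment above this list entry naming both log forms, for example `# matches "Exit before auth: ..." and "Exit before auth (user 'root', 0 fails): ..."`, would help whoever edits the rule next. The `config bearDropper` section starts and ends outside the hunk.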
From: tievolu <78606440+tievolu@users.noreply.github.com> Date: Mon, 20 Sep 2021 16:32:17 +0100 Subject: [PATCH 2/3] Explicitly specify busybox date command bearDropper.sh currently fails on line 104 when coreutils-date is installed, because the GNU date command does not support the -D option. The solution is to explicitly specify the busybox date command. I think the change is only actually needed on line 104, but I've changed all the date commands for consistency. --- src/bearDropper.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/bearDropper.sh b/src/bearDropper.sh index 2b58fbf..f28a27d 100755 --- a/src/bearDropper.sh +++ b/src/bearDropper.sh @@ -101,7 +101,7 @@ logLine () { getLogTime () { local logDateString=`echo "$1" | sed -n \ 's/^[A-Z][a-z]* \([A-Z][a-z]* *[0-9][0-9]* *[0-9][0-9]*:[0-9][0-9]:[0-9][0-9] [0-9][0-9]*\) .*$/\1/p'` - date -d"$logDateString" -D"$formatLogDate" +%s || logLine 1 \ + busybox date -d"$logDateString" -D"$formatLogDate" +%s || logLine 1 \ "Error: logDateString($logDateString) malformed line ($1)" } @@ -171,7 +171,7 @@ wipeFirewall () { # state db should be more resiliant than the firewall in practice. # bddbCheckStatusAll () { - local now=`date +%s` + local now=`busybox date +%s` bddbGetAllIPs | while read ip ; do if [ `bddbGetStatus $ip` -eq 1 ] ; then logLine 3 "bddbCheckStatusAll($ip) testing banLength:$banLength + bddbGetTimes:`bddbGetTimes $ip` vs. now:$now" 
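Review bot: `busybox date` is now written out at every call site (nine changed lines per file) and the binary is resolved through PATH each time. The script already keeps external commands in variables such as `$cmdLogread` and `$cmdLogreadEba`, whose definitions are outside these hunks. A single `cmdDate='busybox date'` defined alongside them, optionally with an absolute path to the busybox binary, would keep the choice in one place and make it overridable. Per the commit message only the `-D` call in getLogTime actually needs the busybox applet. The same applies to the remaining hunks of this patch and to patch 3/3 for bearDropper.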
@@ -255,14 +255,14 @@ saveState () { if [ $bddbStateChange -gt 0 ] ; then logLine 3 "saveState() saving to temp state file" bddbSave "$fileStateTempPrefix" "$fileStateType" - logLine 3 "saveState() now=`date +%s` lPSW=$lastPersistentStateWrite pSWP=$persistentStateWritePeriod fP=$forcePersistent" + logLine 3 "saveState() now=`busybox date +%s` lPSW=$lastPersistentStateWrite pSWP=$persistentStateWritePeriod fP=$forcePersistent" fi if [ $persistentStateWritePeriod -gt 1 ] || [ $persistentStateWritePeriod -eq 0 -a $forcePersistent -eq 1 ] ; then - if [ $((`date +%s` - lastPersistentStateWrite)) -ge $persistentStateWritePeriod ] || [ $forcePersistent -eq 1 ] ; then + if [ $((`busybox date +%s` - lastPersistentStateWrite)) -ge $persistentStateWritePeriod ] || [ $forcePersistent -eq 1 ] ; then if [ ! -f "$fileStatePersist" ] || ! cmp -s "$fileStateTemp" "$fileStatePersist" ; then logLine 2 "saveState() writing to persistent state file" bddbSave "$fileStatePersistPrefix" "$fileStateType" - lastPersistentStateWrite="`date +%s`" + lastPersistentStateWrite="`busybox date +%s`" fi ; fi ; fi } @@ -341,7 +341,7 @@ fileRegex="/tmp/bearDropper.$$.regex" uciLoad logRegex 's/[`$"'\\\'']//g' '/has invalid shell, rejected$/d' \ '/^[A-Za-z ]+[0-9: ]+authpriv.warn dropbear\[.+([0-9]+\.){3}[0-9]+/p' \ '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth:.*/p' > "$fileRegex" -lastPersistentStateWrite="`date +%s`" +lastPersistentStateWrite="`busybox date +%s`" loadState bddbCheckStatusAll @@ -366,7 +366,7 @@ if [ "$logMode" = follow ] ; then [ -n "$line" ] && processLogLine "$line" logLine 3 "ReadComp:$readsSinceSave/$worstCaseReads" if [ $((++readsSinceSave)) -ge $worstCaseReads ] ; then - now="`date +%s`" + now="`busybox date +%s`" if [ $((now - lastCheckAll)) -ge $followModeCheckInterval ] ; then bddbCheckStatusAll lastCheckAll="$now" 
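Review bot: None of the `busybox date +%s` call sites check that the command produced a value. In saveState's second `if`, an empty substitution makes the arithmetic negative, so the persistent write is skipped unless `forcePersistent` is set. In the follow-mode hunk an empty `now` makes `$((now - lastCheckAll))` negative, so `bddbCheckStatusAll` is never reached. That would happen on a busybox build without the date applet or with busybox missing from PATH (inferred; the target builds are not shown). One start-up check such as `busybox date +%s >/dev/null 2>&1 || { echo "bearDropper: busybox date unavailable" >&2 ; exit 1 ; }` would turn a silent stall into a visible failure. saveState's opening lines are outside this hunk, and the follow-mode loop begins and ends outside its hunk.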
@@ -387,7 +387,7 @@ elif [ "$logMode" = entire ] ; then elif [ "$logMode" = today ] ; then logLine 1 "Running in today mode" # merge the egrep into sed with -e /^$formatTodayLogDateRegex/!d - $cmdLogread | egrep "`date +\'$formatTodayLogDateRegex\'`" | sed -nEf "$fileRegex" | while read line ; do + $cmdLogread | egrep "`busybox date +\'$formatTodayLogDateRegex\'`" | sed -nEf "$fileRegex" | while read line ; do processLogLine "$line" saveState done @@ -397,7 +397,7 @@ elif [ "$logMode" = today ] ; then elif isValidBindTime "$logMode" ; then logInterval=`expandBindTime $logMode` logLine 1 "Running in interval mode (reviewing $logInterval seconds of log entries)..." - timeStart=$((`date +%s` - logInterval)) + timeStart=$((`busybox date +%s` - logInterval)) $cmdLogread | sed -nEf "$fileRegex" | while read line ; do timeWhen=`getLogTime "$line"` [ $timeWhen -ge $timeStart ] && processLogLine "$line" From a8251789f5fb5f35f75f178db57822078fac37bc Mon Sep 17 00:00:00 2001 From: tievolu <78606440+tievolu@users.noreply.github.com> Date: Fri, 19 Aug 2022 09:47:12 +0100 Subject: [PATCH 3/3] Use specify busybox date --- bearDropper | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/bearDropper b/bearDropper index 3717119..76d7e97 100755 --- a/bearDropper +++ b/bearDropper @@ -190,7 +190,7 @@ logLine () { getLogTime () { local logDateString=`echo "$1" | sed -n \ 's/^[A-Z][a-z]* \([A-Z][a-z]* *[0-9][0-9]* *[0-9][0-9]*:[0-9][0-9]:[0-9][0-9] [0-9][0-9]*\) .*$/\1/p'` - date -d"$logDateString" -D"$formatLogDate" +%s || logLine 1 \ + busybox date -d"$logDateString" -D"$formatLogDate" +%s || logLine 1 \ "Error: logDateString($logDateString) malformed line ($1)" } 
@@ -260,7 +260,7 @@ wipeFirewall () { # state db should be more resiliant than the firewall in practice. # bddbCheckStatusAll () { - local now=`date +%s` + local now=`busybox date +%s` bddbGetAllIPs | while read ip ; do if [ `bddbGetStatus $ip` -eq 1 ] ; then logLine 3 "bddbCheckStatusAll($ip) testing banLength:$banLength + bddbGetTimes:`bddbGetTimes $ip` vs. now:$now" @@ -344,14 +344,14 @@ saveState () { if [ $bddbStateChange -gt 0 ] ; then logLine 3 "saveState() saving to temp state file" bddbSave "$fileStateTempPrefix" "$fileStateType" - logLine 3 "saveState() now=`date +%s` lPSW=$lastPersistentStateWrite pSWP=$persistentStateWritePeriod fP=$forcePersistent" + logLine 3 "saveState() now=`busybox date +%s` lPSW=$lastPersistentStateWrite pSWP=$persistentStateWritePeriod fP=$forcePersistent" fi if [ $persistentStateWritePeriod -gt 1 ] || [ $persistentStateWritePeriod -eq 0 -a $forcePersistent -eq 1 ] ; then - if [ $((`date +%s` - lastPersistentStateWrite)) -ge $persistentStateWritePeriod ] || [ $forcePersistent -eq 1 ] ; then + if [ $((`busybox date +%s` - lastPersistentStateWrite)) -ge $persistentStateWritePeriod ] || [ $forcePersistent -eq 1 ] ; then if [ ! -f "$fileStatePersist" ] || ! cmp -s "$fileStateTemp" "$fileStatePersist" ; then logLine 2 "saveState() writing to persistent state file" bddbSave "$fileStatePersistPrefix" "$fileStateType" - lastPersistentStateWrite="`date +%s`" + lastPersistentStateWrite="`busybox date +%s`" fi ; fi ; fi } @@ -430,7 +430,7 @@ fileRegex="/tmp/bearDropper.$$.regex" uciLoad logRegex 's/[`$"'\\\'']//g' '/has invalid shell, rejected$/d' \ '/^[A-Za-z ]+[0-9: ]+authpriv.warn dropbear\[.+([0-9]+\.){3}[0-9]+/p' \ '/^[A-Za-z ]+[0-9: ]+authpriv.info dropbear\[.+:\ Exit before auth.*/p' > "$fileRegex" -lastPersistentStateWrite="`date +%s`" +lastPersistentStateWrite="`busybox date +%s`" loadState bddbCheckStatusAll 
@@ -455,7 +455,7 @@ if [ "$logMode" = follow ] ; then [ -n "$line" ] && processLogLine "$line" logLine 3 "ReadComp:$readsSinceSave/$worstCaseReads" if [ $((++readsSinceSave)) -ge $worstCaseReads ] ; then - now="`date +%s`" + now="`busybox date +%s`" if [ $((now - lastCheckAll)) -ge $followModeCheckInterval ] ; then bddbCheckStatusAll lastCheckAll="$now" @@ -476,7 +476,7 @@ elif [ "$logMode" = entire ] ; then elif [ "$logMode" = today ] ; then logLine 1 "Running in today mode" # merge the egrep into sed with -e /^$formatTodayLogDateRegex/!d - $cmdLogread | egrep "`date +\'$formatTodayLogDateRegex\'`" | sed -nEf "$fileRegex" | while read line ; do + $cmdLogread | egrep "`busybox date +\'$formatTodayLogDateRegex\'`" | sed -nEf "$fileRegex" | while read line ; do processLogLine "$line" saveState done @@ -486,7 +486,7 @@ elif [ "$logMode" = today ] ; then elif isValidBindTime "$logMode" ; then logInterval=`expandBindTime $logMode` logLine 1 "Running in interval mode (reviewing $logInterval seconds of log entries)..." - timeStart=$((`date +%s` - logInterval)) + timeStart=$((`busybox date +%s` - logInterval)) $cmdLogread | sed -nEf "$fileRegex" | while read line ; do timeWhen=`getLogTime "$line"` [ $timeWhen -ge $timeStart ] && processLogLine "$line"