desaster / kippo

Kippo - SSH Honeypot

Attacker IP is not listed in all log rules #64

Open ghost opened 10 years ago

ghost commented 10 years ago

From rsprooten on January 15, 2013 15:44:13

What steps will reproduce the problem?
1. Login to the system
2. Check the log

What is the expected output? What do you see instead?
An IP of the attacker should be listed in all the log rules. This will make the log grep-able for automated abuse reports.

What version of the product are you using? On what operating system?
Latest SVN version on Ubuntu Linux 12.04

Please provide any additional information below.
The downloadable 0.5 version does list the IP at crucial information. Please see the examples below:

Old log:

2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] root trying auth password
2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] login attempt [root/123456] succeeded
2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] root authenticated with password
2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] starting service ssh-connection
2013-01-14 23:57:41+0100 [SSHService ssh-connection on HoneyPotTransport,270,10.10.10.10] got channel session request

New Log:

2013-01-15 14:34:28+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] root trying auth none
2013-01-15 14:34:28+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] root trying auth keyboard-interactive
2013-01-15 14:34:35+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] login attempt [root/123456] succeeded
2013-01-15 14:34:35+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] root authenticated with keyboard-interactive
2013-01-15 14:34:35+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] starting service ssh-connection

Original issue: http://code.google.com/p/kippo/issues/detail?id=64
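
The point of the report above is that an abuse-report pipeline can only attribute a login attempt to an attacker if the peer address is in the same log line. The following is an added example (editor's code, not part of kippo or of this issue): a small parser for the log prefix shapes quoted in this thread that groups login attempts by attacker IP and separates out the lines whose prefix carries no address. The sample lines are constructed for the example; the prefix regex and the `login attempt [user/password] result` message shape are assumptions drawn from the lines quoted on this page, not from the kippo source.

```python
import re
from collections import defaultdict

# Constructed sample lines (not copied from a live honeypot). They cover the three
# prefix shapes seen in this issue: "HoneyPotTransport,<session>,<ip>" (kippo 0.5),
# "ProtocolWrapper,<session>,<ip>" (desaster's Debian box) and the wrapped
# "HoneyPotTransport (ProtocolWrapper)" form that carries no address at all.
SAMPLE_LOG = """\
2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] root trying auth password
2013-01-14 23:57:41+0100 [SSHService ssh-userauth on HoneyPotTransport,270,10.10.10.10] login attempt [root/123456] succeeded
2013-01-17 20:29:39+0200 [SSHService ssh-userauth on ProtocolWrapper,0,127.0.0.2] root trying auth none
2013-01-17 20:29:40+0200 [SSHService ssh-userauth on ProtocolWrapper,0,127.0.0.2] login attempt [admin/admin] failed
2013-01-15 14:34:35+0100 [SSHService ssh-userauth on HoneyPotTransport (ProtocolWrapper)] login attempt [root/123456] succeeded
"""

# Assumed prefix grammar: "<service> on <transport>,<session>,<ip>" when the
# transport itself is logged, or "<transport> (<wrapper>)" when a policy wrapper
# supplies the prefix and the peer address is dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[(?P<service>[^\]]+?) on (?P<transport>\w+)"
    r"(?:,(?P<session>\d+),(?P<ip>[0-9.]+)|(?: \((?P<wrapper>\w+)\))?)\] "
    r"(?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)"
)


def parse_line(line):
    """Split one kippo log line into its fields; ip/session are None when absent."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["session"] = int(rec["session"]) if rec["session"] is not None else None
    return rec


def login_attempts(lines):
    """Yield (ip, user, password, result) for every login-attempt line."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        a = ATTEMPT_RE.search(rec["msg"])
        if a:
            yield rec["ip"], a.group("user"), a.group("password"), a.group("result")


def abuse_report(lines):
    """Group login attempts by attacker IP.

    Returns (report, unattributed): report maps ip -> [(user, password, result)];
    unattributed lists attempts whose log prefix carried no address, which is the
    case this issue complains about and which an automated abuse report cannot use.
    """
    report = defaultdict(list)
    unattributed = []
    for ip, user, password, result in login_attempts(lines):
        if ip is None:
            unattributed.append((user, password, result))
        else:
            report[ip].append((user, password, result))
    return dict(report), unattributed


if __name__ == "__main__":
    report, missing = abuse_report(SAMPLE_LOG.splitlines())
    for ip, attempts in sorted(report.items()):
        print(ip, attempts)
    print("attempts with no attacker IP (not reportable):", missing)
```

Run against a real kippo.log, the `unattributed` list is a quick check for whether the installed Twisted/kippo combination is emitting the wrapper-style prefix; anything that lands there has to be correlated back to an address by other means (for example the dblog records, which the thread notes were also affected).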

ghost commented 10 years ago

From rsprooten on January 15, 2013 23:30:31

i got the logging back to the old version by reverting this change in the kippo.tac file: https://code.google.com/p/kippo/source/diff?spec=svn229&r=229&format=side&path=/trunk/kippo.tac

ghost commented 10 years ago

From desaster on January 17, 2013 10:31:58

hmm weird, actually...

this is from my debian box:

2013-01-17 20:29:39+0200 [SSHService ssh-userauth on ProtocolWrapper,0,127.0.0.2] root trying auth none

Will test with other twisted versions... they've probably changed the logging when using a wrapper.

ghost commented 10 years ago

From desaster on January 17, 2013 10:32:13

Status: Accepted

ghost commented 10 years ago

From rsprooten on January 18, 2013 06:19:58

here is my version info on the installed python-twisted

root@X:/home/X# dpkg -l |grep twisted
ii  python-twisted         11.1.0-1ubuntu2  Event-based framework for internet applications (dependency package)
ii  python-twisted-bin     11.1.0-1ubuntu2  Event-based framework for internet applications
ii  python-twisted-conch   1:11.1.0-1       Twisted SSH Implementation
ii  python-twisted-core    11.1.0-1ubuntu2  Event-based framework for internet applications
ii  python-twisted-lore    11.1.0-1         Documentation generator with HTML and LaTeX support
ii  python-twisted-mail    11.1.0-1         SMTP, IMAP and POP protocol implementation
ii  python-twisted-names   11.1.0-1         DNS protocol implementation with client and server
ii  python-twisted-news    11.1.0-1         NNTP protocol implementation with client and server
ii  python-twisted-runner  11.1.0-1         Process management, including an inetd server
ii  python-twisted-web     11.1.0-1         HTTP protocol implementation together with clients and servers
ii  python-twisted-words   11.1.0-1         Chat and Instant Messaging

ghost commented 10 years ago

From desaster on January 21, 2013 04:43:39

Reverted the change in r232, since it also breaks dblog. I'll keep the bug open until I add a proper fix.