Add "contrib" files for RHEL 5.4

These are basically identical to the files for RHEL 5.3 with one
exception: the regular expressions have been changed to match only
failed password attempts and not "none" or "publickey" attempts.

This is because in practice most SSH clients will first try "none", then
"publickey" before falling back to "password" (see the
"PreferredAuthentications" setting in the ssh_config man page). As such
even for legitimate users who access with a correct password it is
normal to see log entries like these:

    sshd[18294]: Connection from w.x.y.z port 63735
    sshd[18294]: Failed none for example_user from w.x.y.z port 63735 ssh2
    sshd[18294]: Failed publickey for example_user from w.x.y.z port 63735 ssh2
    sshd[18294]: Accepted password for example_user from w.x.y.z port 63735 ssh2
    sshd[18294]: User child is on pid 18311
    bansshee[18288]: Failed password attempt for user (example_user) from IP w.x.y.z (1 attempt(s) so far)
    bansshee[18288]: Failed password attempt for user (example_user) from IP w.x.y.z (2 attempt(s) so far)

As this artificially inflates the failed attempt count for legitimate
IPs, and given that the principal purpose of Bansshee is as a
countermeasure for _dictionary_ brute force attacks (the only type of
bruteforce attack that I have really seen in the wild), the change to
the regular expressions to catch only failed password attempts is
justified.

If non-password brute force attacks start to appear in the wild, we can
always revert this change and slightly raise the number of allowed
attempts to compensate, or modify the Bansshee code to discount failed
"none" and "publickey" attempts provided that they are immediately
followed by a successful "password" attempt.

Signed-off-by: Wincent Colaiuta <win@wincent.com>
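
The effect described in the commit message, as an added example that is not part of the commit or of Bansshee's code: it counts failures per source IP with a method-agnostic pattern and with a password-only pattern. Both regular expressions, the log lines, the IP addresses and the ban threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (documentation-range IPs): one legitimate password
# login preceded by the usual "none"/"publickey" probes, then a dictionary run.
SAMPLE_LOG = """\
sshd[18294]: Connection from 192.0.2.10 port 63735
sshd[18294]: Failed none for example_user from 192.0.2.10 port 63735 ssh2
sshd[18294]: Failed publickey for example_user from 192.0.2.10 port 63735 ssh2
sshd[18294]: Accepted password for example_user from 192.0.2.10 port 63735 ssh2
sshd[18301]: Failed none for root from 198.51.100.7 port 40112 ssh2
sshd[18301]: Failed password for root from 198.51.100.7 port 40112 ssh2
sshd[18302]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
sshd[18303]: Failed password for root from 198.51.100.7 port 40131 ssh2
"""

# Assumed patterns for illustration; not the expressions shipped in contrib.
ANY_METHOD = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
PASSWORD_ONLY = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")


def count_failures(log, pattern):
    """Return a Counter of failed attempts per source IP under `pattern`."""
    hits = Counter()
    for line in log.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("ip")] += 1
    return hits


def would_ban(log, pattern, max_attempts=2):
    """Return the IPs whose count reaches a hypothetical ban threshold."""
    counts = count_failures(log, pattern)
    return sorted(ip for ip, n in counts.items() if n >= max_attempts)


if __name__ == "__main__":
    for name, pattern in (("any method", ANY_METHOD),
                          ("password only", PASSWORD_ONLY)):
        print(name, dict(count_failures(SAMPLE_LOG, pattern)),
              would_ban(SAMPLE_LOG, pattern))
```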