Mij wrote:
> Hello Greg,
>
> On Jan 20, 2009, at 15:34 , Greg Parrish wrote:
>
>> I am having two issues with the 1.3 release as seen in the logs below.
>> This is on a Centos4 host using the auth.log method piped to sshguard
>> and not the syslog method.
>>
>> 1. Here the logs all have ffff in them and I am not sure why this is
>> but it seems normal from some other posts out there but it fails to
>> block. I have this running on a Centos3 host and it is working fine
>> but there is no ffff in the log entries which I assume is causing the
>> failure.
>>
>> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1
Hi Mij,
>
> do you have the system utility ip6tables ?
No this package is not installed.
> This is what sshguard needs to block IPv6 addresses.
Ok, good to know and that makes sense.
>> 2. The above is an internal host so I am not concerned about him other
>> than the blocking is failing. From testing on an outside host it just
>> registers the failed login but never even reports a block attempt there
>> after I failed the login many times. Here are my params.
>>
>> 2 failures, in 30 minutes, block them for a month.
>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800
>
> 1) Do you have debug-level entries for when you tried this?
No I don't.
> 2) what kind of log messages do you expect to cause blocking? Did
> you try to inject them manually in "sshguard -d" and see if it detects
> them?
I expect it to stop normal brute attacks that I have tested on other
hosts. I did not try and inject them.
> 3) "-p 25920000" : this is dangerous, use with care. If you want
> blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box
Sounds good and thanks. I am okay with this as ssh is limited to just a
few users. I don't want the bad guys banging on our hosts more than once
a week.
I was able to resolve this by disabling IPv6 in modules.conf and
restarting the host so there are no IPv6 addresses on the interfaces and
thus not in the logs.
-greg
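The log lines Greg posted carry IPv4-mapped IPv6 addresses (::ffff:192.168.122.234), and sshguard 1.3 ended up trying to block the truncated "::ffff:192" through an IPv6 path it could not use without ip6tables. The script below is an added example for readers of this thread, not code from sshguard or from anyone on the list: it parses constructed "Did not receive identification string" lines modelled on the ones above, unwraps the ::ffff: form back to plain IPv4 with Python's standard ipaddress module, and reports which firewall tool (iptables for IPv4, ip6tables for IPv6) a blocker would need for each source once the failure threshold is reached. The attempt threshold of 2 mirrors Greg's "-a 2"; the function and constant names are my own.

```python
import ipaddress
import re

# Constructed sample log, modelled on the sshd lines quoted in this thread.
# Two lines from an IPv4-mapped address, one from a plain IPv4 host, one from
# a documentation-range IPv6 host, and one garbage address to show it is skipped.
SAMPLE_LOG = """\
Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
Jan 20 09:26:19 arnold sshd[9300]: Did not receive identification string from 10.0.0.7
Jan 20 09:26:20 arnold sshd[9301]: Did not receive identification string from 2001:db8::1
Jan 20 09:26:21 arnold sshd[9302]: Did not receive identification string from not-an-address
"""

# Match the sshd message and capture everything after "from " up to end of line,
# so the address is not cut at the first ':' or '.' the way "::ffff:192" was.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)$"
)


def normalize_address(text):
    """Return (family, canonical_address) for a textual IP.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped to the embedded
    IPv4 address, because the peer is really an IPv4 host and should be
    blocked with the IPv4 firewall. Raises ValueError for unparsable input.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return ("ipv4", str(addr.ipv4_mapped))
    return ("ipv6" if addr.version == 6 else "ipv4", str(addr))


def choose_blocker(family):
    """Name the firewall utility a blocker would need for this address family."""
    return "iptables" if family == "ipv4" else "ip6tables"


def tally_failures(log_text, threshold=2):
    """Count failures per normalized source and list those at or over threshold.

    Returns a list of (family, address, blocker) tuples in first-seen order.
    """
    counts = {}
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if not match:
            continue
        try:
            key = normalize_address(match.group(1))
        except ValueError:
            # Unparsable address: never feed it to a firewall command.
            continue
        counts[key] = counts.get(key, 0) + 1
    return [
        (family, address, choose_blocker(family))
        for (family, address), n in counts.items()
        if n >= threshold
    ]


if __name__ == "__main__":
    for family, address, blocker in tally_failures(SAMPLE_LOG):
        print(f"{address} ({family}): {blocker} would be needed to block it")
```

Run as-is it reports only 192.168.122.234, now as an IPv4 address that iptables can handle; the single-failure hosts stay under the threshold and the malformed entry is dropped rather than passed on to a blocking command.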
>
>
>>
>>
>> Thanks,
>> greg
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Sshguard-users@...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users