sshcure-discuss Mailing List for SSHCure

Flow-based SSH Intrusion Detection System

Brought to you by: drike, rickhofstede

sshcure-discuss — Discussions about SSHCure

This list is closed, nobody may subscribe to it.

2012	_Jan	_Feb	_Mar	_Apr	_May (1)	_Jun (1)	_Jul	_Aug (1)	_Sep	_Oct	_Nov	_Dec
2013	_Jan	_Feb	_Mar	_Apr (5)	_May (2)	_Jun (9)	_Jul (2)	_Aug	_Sep (6)	_Oct (1)	_Nov (1)	_Dec (3)
2014	_Jan (2)	_Feb	_Mar	_Apr	_May	_Jun (3)	_Jul	_Aug	_Sep (4)	_Oct (6)	_Nov	_Dec (10)
2015	_Jan	_Feb (2)	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec
2016	_Jan	_Feb	_Mar	_Apr	_May	_Jun (2)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec (2)
2017	_Jan	_Feb	_Mar	_Apr	_May	_Jun (3)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec
2020	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec (3)

Flat | Threaded

1 2 3 > >> (Page 1 of 3)

Re: [Sshcure-discuss] Installer return error due MaxMind license

From: José M. G. <jm...@gi...> - 2020-12-20 11:09:14

I've followed the manual installation,

doing:

ln -s /usr/share/GeoIP/GeoIP.dat 
/var/www/nfsen/plugins/SSHCure/lib/MaxMind/GeoLiteCity.dat

ln -s /usr/share/GeoIP/GeoIPv6.dat 
/var/www/nfsen/plugins/SSHCure/lib/MaxMind/GeoLiteCityv6.dat


But the plugin seems is not working, as never loads any data: 
https://ginernet.cdnbox.net/images/added/1608462409.png

I'm running:
Debian 10
PHP 7.3 (maybe this is the problem?)
nfsen 1.3.8

Thanks for the info!


On 20/12/2020 11:43, José Manuel Giner via Sshcure-discuss wrote:
> Just for info:
> 
> - Download geoipupdate: https://github.com/maxmind/geoipupdate/releases/
> wget 
> https://github.com/maxmind/geoipupdate/releases/download/v4.6.0/geoipupdate_4.6.0_linux_amd64.deb 
> 
> 
> - Place your license in:
> /etc/GeoIP.conf
> 
> - Install:
> dpkg -i geoipupdate_4.6.0_linux_amd64.deb
> 
> - database stored in: /usr/share/GeoIP/
> 
> ls -lh /usr/share/GeoIP
> total 75M
> -rw-r--r-- 1 root root 1.6M Nov  8  2018 GeoIP.dat
> -rw-r--r-- 1 root root 6.2M Nov  8  2018 GeoIPv6.dat
> -rw-r--r-- 1 root root  63M Dec 20 11:38 GeoLite2-City.mmdb
> -rw-r--r-- 1 root root 3.8M Dec 20 11:37 GeoLite2-Country.mmdb
> 
> I'm checking with a sshcure manual installation..
> 
> 
> On 20/12/2020 11:34, José Manuel Giner via Sshcure-discuss wrote:
>> Hello,
>>
>> the sshcure installer doesn't work due a error getting the Maxmind 
>> database.
>>
>> More info: 
>> https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ 
>>
>>
>> In my case, I have a user account at maxmind, the price is practically 
>> mull, it is calculated based on the number of times you download an 
>> updated file, once a week is enough... I would like to have an updated 
>> sshcure installer that allows to download the maxmind database with 
>> license.
>>
>> Thank you!
>>
>>
> 

-- 
José Manuel Giner
https://ginernet.com

Re: [Sshcure-discuss] Installer return error due MaxMind license

From: José M. G. <jm...@gi...> - 2020-12-20 10:43:47

Just for info:

- Download geoipupdate: https://github.com/maxmind/geoipupdate/releases/
wget 
https://github.com/maxmind/geoipupdate/releases/download/v4.6.0/geoipupdate_4.6.0_linux_amd64.deb

- Place your license in:
/etc/GeoIP.conf

- Install:
dpkg -i geoipupdate_4.6.0_linux_amd64.deb

- database stored in: /usr/share/GeoIP/

ls -lh /usr/share/GeoIP
total 75M
-rw-r--r-- 1 root root 1.6M Nov  8  2018 GeoIP.dat
-rw-r--r-- 1 root root 6.2M Nov  8  2018 GeoIPv6.dat
-rw-r--r-- 1 root root  63M Dec 20 11:38 GeoLite2-City.mmdb
-rw-r--r-- 1 root root 3.8M Dec 20 11:37 GeoLite2-Country.mmdb

I'm checking with a sshcure manual installation..


On 20/12/2020 11:34, José Manuel Giner via Sshcure-discuss wrote:
> Hello,
> 
> the sshcure installer doesn't work due a error getting the Maxmind 
> database.
> 
> More info: 
> https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/ 
> 
> 
> In my case, I have a user account at maxmind, the price is practically 
> mull, it is calculated based on the number of times you download an 
> updated file, once a week is enough... I would like to have an updated 
> sshcure installer that allows to download the maxmind database with 
> license.
> 
> Thank you!
> 
> 

-- 
José Manuel Giner
https://ginernet.com

[Sshcure-discuss] Installer return error due MaxMind license

From: José M. G. <jm...@gi...> - 2020-12-20 10:34:45

Hello,

the sshcure installer doesn't work due a error getting the Maxmind database.

More info: 
https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

In my case, I have a user account at maxmind, the price is practically 
mull, it is calculated based on the number of times you download an 
updated file, once a week is enough... I would like to have an updated 
sshcure installer that allows to download the maxmind database with 
license.

Thank you!


-- 
José Manuel Giner
https://ginernet.com

Re: [Sshcure-discuss] Error in plugin processing

From: Brian M. <Bri...@to...> - 2017-06-23 19:30:52

Attachments: smime.p7s

An additional data-point: I'm still not getting any alerts even after
running an ncrack ssh attack for the last half-hour, resulting in hundreds
of flows to a single host that I can see in NFSen.

SSHCure status graph shows ~75k flows processed per run. Syslog shows
"SSHCure: Finished data processing; time needed: 1 second(s), flow records
processed: 72453, ongoing attacks: 0"

 

Nfdump shows (truncated in the middle) :

 

nfdump filter:

dst host 10.1.30.126 and port 22

Command line switch -s overwrites -a

 

Aggregated flows 285

Top 500 flows ordered by flows:

Date first seen          Duration Proto      Src IP Addr:Port           Dst
IP Addr:Port   Out Pkt   In Pkt Out Byte  In Byte Flows

2017-06-23 12:10:25.344     0.282 TCP         10.1.20.6:54475 <->
10.1.30.126:22           0     1024        0   122880     2

2017-06-23 12:18:48.440     0.549 TCP         10.1.20.6:56157 <->
10.1.30.126:22           0     1024        0   813056     2

2017-06-23 12:09:48.448     0.039 TCP         10.1.20.6:54339 <->
10.1.30.126:22           0     1024        0   813056     2

2017-06-23 12:19:13.984     0.324 TCP         10.1.20.6:56247 <->
10.1.30.126:22           0     1024        0    88064     2

2017-06-23 12:16:39.318     0.000 TCP         10.1.20.6:55742 <->
10.1.30.126:22           0     1024        0    79872     2

2017-06-23 12:12:49.810     4.206 TCP         10.1.20.6:54968 <->
10.1.30.126:22           0     1024        0    81920     2

2017-06-23 12:18:29.258     0.000 TCP         10.1.20.6:56104 <->
10.1.30.126:22           0     1024        0    83968     2

2017-06-23 12:09:22.342     0.094 TCP         10.1.20.6:54242 <->
10.1.30.126:22           0     1024        0    75776     2

2017-06-23 12:08:10.601     0.065 TCP         10.1.20.6:53947 <->
10.1.30.126:22           0     1024        0   280576     2

2017-06-23 12:14:26.903     0.139 TCP         10.1.20.6:55284 <->
10.1.30.126:22           0     1024        0    98304     2

2017-06-23 12:08:43.889     0.000 TCP         10.1.20.6:54080 <->
10.1.30.126:22           0     1024        0   114688     2

.

.

.

2017-06-23 12:19:43.797     0.000 TCP         10.1.20.6:56339 <->
10.1.30.126:22           0      512        0    46080     1

2017-06-23 12:16:21.022     0.000 TCP         10.1.20.6:55684 <->
10.1.30.126:22           0      512        0    35840     1

2017-06-23 12:11:18.676     0.000 TCP         10.1.20.6:54651 <->
10.1.30.126:22           0      512        0    35840     1

2017-06-23 12:11:01.832     0.000 TCP         10.1.20.6:54601 <->
10.1.30.126:22           0      512        0    46080     1

2017-06-23 12:14:06.311     0.000 TCP         10.1.20.6:55214 <->
10.1.30.126:22           0      512        0   777216     1

2017-06-23 12:18:09.605     0.000 TCP         10.1.20.6:56038 <->
10.1.30.126:22           0      512        0    46080     1

2017-06-23 12:10:49.256     0.000 TCP         10.1.20.6:54558 <->
10.1.30.126:22           0      512        0    44032     1

Summary: total flows: 299, total bytes: 32264192, total packets: 153088, avg
bps: 304953, avg pps: 180, avg bpp: 210

Time window: 2017-06-23 11:45:00 - 2017-06-23 12:19:59

Total flows processed: 506079, Blocks skipped: 0, Bytes read: 32469504

Sys: 0.056s flows/second: 9037125.0  Wall: 0.048s flows/second: 10533656.6

 

Any help would be appreciated, I'd like to get this system working.

Thanks!

 

   -Brian Marshall

 

From: Brian Marshall [mailto:Bri...@to...] 
Sent: Friday, June 23, 2017 11:49 AM
To: ssh...@li...
Subject: Re: [Sshcure-discuss] Error in plugin processing

 

To answer my own question, the problem was in Bruteforce.pm, line 166 :

                return if $preselection_tuples == 0;

 

it was not returning a Future in this case. I have changed it to :

                return Future->wrap() if $preselection_tuples == 0;

 

Now a further question: I can't make it detect an SSH portscan from an
unrelated machine on the network. How does detection work in theory, and how
can I manufacture a test case?

I used nmap -p22 on a /24 subnet. I can see the traffic in NFSen, but it
doesn't show up as an attack or scan attempt in SSHCure. What are the
thresholds and how can I modify them?

 

Thanks!

 

   -Brian Marshall

 

 

Hello list,

 

Installer says I have everything I need.

 

Running Debian Jessie nfsen: 1.3.7 $Id: nfsen 66 2014-04-23 10:57:22Z peter
$

 

I have to comment out this in SSHCure.pm:

 

#    scan_detection($sources, $sources_path, $timeslot,
$corrected_interval)->then( sub {

#        bruteforce_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->then( sub {

#        compromise_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->get();

 

Or else I get:

 

Jun 22 17:05:12 wlmonitoring nfsen[16974]: Plugin: Error while running
plugin 'SSHCure': Expected __ANON__(/usr/local/nfsen/plugins/SSHCure.pm line
368) to return a Future

 

Any advice on this?

Thanks!

 

   -Brian Marshall

 

PS : I also had to install libdbd-sqlite3-perl to get things to work. It
wasn't checked by the install script

 

For Debian users here is my apt-get :

 

apt-get install perl-json libjson-perl libnet-ip-perl libmime-lite-perl
libtry-tiny-perl libfuture-perl libio-asy librpc-xml-perl
libdbd-sqlite3-perl

Re: [Sshcure-discuss] Error in plugin processing

From: Brian M. <Bri...@to...> - 2017-06-23 18:48:51

Attachments: smime.p7s

To answer my own question, the problem was in Bruteforce.pm, line 166 :

                return if $preselection_tuples == 0;

 

it was not returning a Future in this case. I have changed it to :

                return Future->wrap() if $preselection_tuples == 0;

 

Now a further question: I can't make it detect an SSH portscan from an
unrelated machine on the network. How does detection work in theory, and how
can I manufacture a test case?

I used nmap -p22 on a /24 subnet. I can see the traffic in NFSen, but it
doesn't show up as an attack or scan attempt in SSHCure. What are the
thresholds and how can I modify them?

 

Thanks!

 

   -Brian Marshall

 

 

Hello list,

 

Installer says I have everything I need.

 

Running Debian Jessie nfsen: 1.3.7 $Id: nfsen 66 2014-04-23 10:57:22Z peter
$

 

I have to comment out this in SSHCure.pm:

 

#    scan_detection($sources, $sources_path, $timeslot,
$corrected_interval)->then( sub {

#        bruteforce_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->then( sub {

#        compromise_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->get();

 

Or else I get:

 

Jun 22 17:05:12 wlmonitoring nfsen[16974]: Plugin: Error while running
plugin 'SSHCure': Expected __ANON__(/usr/local/nfsen/plugins/SSHCure.pm line
368) to return a Future

 

Any advice on this?

Thanks!

 

   -Brian Marshall

 

PS : I also had to install libdbd-sqlite3-perl to get things to work. It
wasn't checked by the install script

 

For Debian users here is my apt-get :

 

apt-get install perl-json libjson-perl libnet-ip-perl libmime-lite-perl
libtry-tiny-perl libfuture-perl libio-asy librpc-xml-perl
libdbd-sqlite3-perl

[Sshcure-discuss] Error in plugin processing

From: Brian M. <Bri...@to...> - 2017-06-23 02:44:47

Attachments: smime.p7s

Hello list,

 

Installer says I have everything I need.

 

Running Debian Jessie nfsen: 1.3.7 $Id: nfsen 66 2014-04-23 10:57:22Z peter
$

 

I have to comment out this in SSHCure.pm:

 

#    scan_detection($sources, $sources_path, $timeslot,
$corrected_interval)->then( sub {

#        bruteforce_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->then( sub {

#        compromise_detection($sources, $sources_path, $timeslot,
$corrected_interval);

#    })->get();

 

Or else I get:

 

Jun 22 17:05:12 wlmonitoring nfsen[16974]: Plugin: Error while running
plugin 'SSHCure': Expected __ANON__(/usr/local/nfsen/plugins/SSHCure.pm line
368) to return a Future

 

Any advice on this?

Thanks!

 

   -Brian Marshall

 

PS : I also had to install libdbd-sqlite3-perl to get things to work. It
wasn't checked by the install script

 

For Debian users here is my apt-get :

 

apt-get install perl-json libjson-perl libnet-ip-perl libmime-lite-perl
libtry-tiny-perl libfuture-perl libio-asy librpc-xml-perl
libdbd-sqlite3-perl

[Sshcure-discuss] Spinning arrows Loading... Message

From: Simon P. <Sim...@co...> - 2016-12-20 09:16:23

Hi All,
Resending as plain text, sorry for the html previously.

Great project, thanks for the efforts!

I've been using 2.4.1 for a long time. I tried upgrading to 3.0
I'm on Ubuntu 14.04.5 LTS
I used the install.sh script.
I needed:
sudo apt install libmime-lite-perl libxml-writer-perl

I also needed to do:
https://sourceforge.net/p/nfsen/bugs/31/ 
Replace:
import Socket6; 
With:
Socket6->import(qw(pack_sockaddr_in6 unpack_sockaddr_in6 inet_pton
getaddrinfo));
(files "libexec/AbuseWhois.pm" and "libexec/Lookup.pm")

The new interface looks good, but on the dashboard, I have spinning
arrows, and no data in the "incoming attacks" and "Outgoing attacks" 
(The Attacks, Top targets Compromise and Bruit force all have content)

Apache error log says this when trying to load the dashboard:

[Mon Dec 19 14:42:50.188238 2016] [:error] [pid 26125] [client
192.168.1.101:52324] PHP Fatal error:  Call to a member function
bindParam() on a non-object in
/var/www/nfsen/plugins/SSHCure/json/data/get_incoming_attacks_plot.php
on line 21, referer:
http://192.168.1.168/nfsen/plugins/SSHCure/index.php?action=dashboard

[Mon Dec 19 14:42:50.189933 2016] [:error] [pid 26123] [client
192.168.1.101:52327] PHP Fatal error:  Call to a member function
execute() on a non-object in
/var/www/nfsen/plugins/SSHCure/json/data/get_attacks.php on line 39,
referer:
http://192.168.1.168/nfsen/plugins/SSHCure/index.php?action=dashboard

[Mon Dec 19 14:42:50.193582 2016] [:error] [pid 26588] [client
192.168.1.101:52326] PHP Fatal error:  Call to a member function
execute() on a non-object in
/var/www/nfsen/plugins/SSHCure/json/data/get_attacks.php on line 39,
referer:
http://192.168.1.168/nfsen/plugins/SSHCure/index.php?action=dashboard

[Mon Dec 19 14:42:50.195469 2016] [:error] [pid 26391] [client
192.168.1.101:52329] PHP Fatal error:  Call to a member function
execute() on a non-object in
/var/www/nfsen/plugins/SSHCure/json/data/get_top_targets_compromise.php
on line 20, referer:
http://192.168.1.168/nfsen/plugins/SSHCure/index.php?action=dashboard

[Mon Dec 19 14:42:50.195714 2016] [:error] [pid 26462] [client
192.168.1.101:52325] PHP Fatal error:  Call to a member function
execute() on a non-object in
/var/www/nfsen/plugins/SSHCure/json/data/get_top_targets_bruteforce.php
on line 21, referer:
http://192.168.1.168/nfsen/plugins/SSHCure/index.php?action=dashboard


I tried removing the SSHCURE/data content, and when nfsen starts, the
SSHCure.sqlite3 is created but remains empty.

Is there something you can see what I've done wrong/missing
requirement/bug?
Many thanks,
Simon




-- 
Mae'r e-bost hwn ac unrhyw ffeiliau atodedig yn gyfrinachol ac at sylw'r
unigolyn neu'r sefydliad a enwir uchod. Bydd 
unrhyw farn neu sylwadau a fynegir yn perthyn i'r awdur yn unig ac ni
chynrychiolant o anghenraid farn Coleg Sir Gâr. 
Os ydych chi wedi derbyn yr e-bost hwn ar gam, rhowch sylw i'r
gweinyddwr ar y cyfeiriad canlynol:
pos...@co... 

Cysidrwch yr amgylchedd - a oes wir angen argraffu'r ebost hwn?

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to 
whom they are addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Coleg Sir
Gâr. If you have received this email in error please notify the
administrator on the following address:
pos...@co... 

Please consider the environment - do you really need to print this
email?.

Re: [Sshcure-discuss] SSCure backend problem

From: Rick H. <r.j...@ut...> - 2016-06-29 05:51:06

Dear Zenon,

You’re running an outdated version of SSHCure, so please try to upgrade to our latest and greatest version first. You may get it from https://github.com/sshcure/sshcure <https://github.com/sshcure/sshcure>.

—
Rick Hofstede

> On 28 Jun 2016, at 20:32, Zenon Matuszyk <zen...@ne...> wrote:
> 
> Hello,
> 
> I have a problem, after install plugin, he look like ok, but if I click 
> STATUS a have error and show me: http://pl.tinypic.com/r/9ar9xd/9
> 
>   nfsen[2299]: comm server started: 2706
>  nfsen[2706]: Cmd Decode: SSHCure::get_backend_errors
>  nfsen[2299]: comm child[2706] terminated Exit: 0, Signal: 13, Core: 0
>  nfsen[2299]: connection on UNIX socket
>  nfsen[2299]: comm server started: 2710
>  nfsen[2710]: Cmd Decode: SSHCure::get_backend_init_time
>  nfsen[2299]: comm child[2710] terminated Exit: 0, Signal: 13, Core: 0
>  nfsen[2299]: connection on UNIX socket
>  nfsen[2299]: comm server started: 2714
>  nfsen[2714]: Cmd Decode: SSHCure::get_db_max_size
>  nfsen[2299]: comm child[2714] terminated Exit: 0, Signal: 13, Core: 0
> 
> help :)
> 
> -- 
> Z poważaniem / Yours sincerely
> Zenon Matuszyk
> mobile: 00 48 797 004 938
> e-mail: zen...@ne...
> www: http://www.networkers.pl
> 
> 
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> Sshcure-discuss mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshcure-discuss

[Sshcure-discuss] SSCure backend problem

From: Zenon M. <zen...@ne...> - 2016-06-28 18:48:47

Hello,

I have a problem, after install plugin, he look like ok, but if I click 
STATUS a have error and show me: http://pl.tinypic.com/r/9ar9xd/9

   nfsen[2299]: comm server started: 2706
  nfsen[2706]: Cmd Decode: SSHCure::get_backend_errors
  nfsen[2299]: comm child[2706] terminated Exit: 0, Signal: 13, Core: 0
  nfsen[2299]: connection on UNIX socket
  nfsen[2299]: comm server started: 2710
  nfsen[2710]: Cmd Decode: SSHCure::get_backend_init_time
  nfsen[2299]: comm child[2710] terminated Exit: 0, Signal: 13, Core: 0
  nfsen[2299]: connection on UNIX socket
  nfsen[2299]: comm server started: 2714
  nfsen[2714]: Cmd Decode: SSHCure::get_db_max_size
  nfsen[2299]: comm child[2714] terminated Exit: 0, Signal: 13, Core: 0

help :)

-- 
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zen...@ne...
www: http://www.networkers.pl

Re: [Sshcure-discuss] SSHCure Error

From: Rick H. <r.j...@ut...> - 2015-02-05 07:12:41

Dear Ali,

Please provide us with some more information so that we can help you troubleshooting the issue.

*) On which operating system have you installed SSHCure?
*) Did you perform a manual installation, or did you use the provided installation scripts?
*) Please provide us with both syslog and your Web server's error log. You may consider sending those in a separate message to me (so not via the mailing list).

--
Rick

> On 04 Feb 2015, at 16:41, Kapucu, Ali <ak...@ke...> wrote:
> 
> Hi,
> 
> 
> I am using SSHCure 2.4.1 and I am getting error. Its not giving and data
> 
> 
> 
> A server-sided problem has occurred. Check your Web server's error log and report this problem in case it persists.
> 
> Please restart your Web server and reload SSHCure.
> 
> What should i do?
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Sshcure-discuss mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshcure-discuss

[Sshcure-discuss] SSHCure Error

From: Kapucu, A. <ak...@ke...> - 2015-02-04 18:15:57

Hi,


I am using SSHCure 2.4.1 and I am getting error. Its not giving and data



A server-sided problem has occurred. Check your Web server's error log and report this problem in case it persists.

Please restart your Web server and reload SSHCure.


What should i do?