From: Andy B. <abe...@be...> - 2008-09-24 19:33:37

I have a server running ProFTPD 1.3.0a running in inetd mode. I have found that sshguard is not blocking FTP attacks. I have found two causes for this.

First, in a default install of sshguard, sshguard never gets the log messages that it's looking for. ProFTPD sends multiple messages to multiple syslog facilities. sshguard seems to be looking for logfile entries like this:

    Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'

Messages of that form are being sent to daemon.info, and normally sshguard only watches auth.info and authpriv.info. I have modified my installation to watch daemon.info as well, and it detects the attack now. It would be more convenient if sshguard matched the log message that gets sent to the authpriv.info facility. Then sshguard would match it by default. That message is in the form:

    Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21

Second, sshguard is blocking the wrong service. When I simulate an FTP attack the following entry gets put in my hosts.allow file:

    ###sshguard### sshd : 66.170.1.11 : DENY ###sshguard###

Obviously this should start with "proftpd", not "sshd".

Thank you,
Andy
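The two ProFTPD "no such user" forms quoted in the report, parsed into a single event type and turned into a hosts.allow entry that names the attacked daemon rather than sshd, as an added example. This is illustrative code written for this page, not sshguard's or ProFTPD's own source. The two quoted lines carry the same PID (9380) and describe one login attempt logged to two facilities, so a watcher that reads both daemon.info and authpriv.info would count it twice; the example dedupes on (pid, user, client IP). The regular expressions, the FailedLogin type, the sample lines marked as constructed, and the rendering of the DENY entry are all assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog header as it appears in the report: "Sep 24 13:36:16 noir proftpd[9380]: "
SYSLOG_PREFIX = (
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: "
)
# ProFTPD peer tag: "noir.berque.com (66.170.1.11[66.170.1.11]) - "
PEER_TAG = r"(?P<server>\S+) \((?P<client>[^\[]*)\[(?P<client_ip>[0-9.]+)\]\) - "

# Form 1, sent to daemon.info:   "... - no such user 'andyb'"
DAEMON_FORM = re.compile(SYSLOG_PREFIX + PEER_TAG + r"no such user '(?P<user>[^']*)'\s*$")
# Form 2, sent to authpriv.info: "... - USER andyb: no such user found from IP [IP] to IP:PORT"
AUTHPRIV_FORM = re.compile(
    SYSLOG_PREFIX + PEER_TAG
    + r"USER (?P<user>\S+): no such user found from (?P<from_ip>[0-9.]+) "
    r"\[(?P<from_ip2>[0-9.]+)\] to (?P<to_ip>[0-9.]+):(?P<to_port>\d+)\s*$"
)


@dataclass(frozen=True)
class FailedLogin:
    service: str    # daemon name taken from the syslog tag, e.g. "proftpd"
    source_ip: str  # client address that would be blocked
    user: str
    pid: int


def parse_failed_login(line: str) -> Optional[FailedLogin]:
    """Return a FailedLogin for either ProFTPD 'no such user' form, else None."""
    for pattern in (DAEMON_FORM, AUTHPRIV_FORM):
        m = pattern.match(line)
        if m:
            return FailedLogin(
                service=m.group("prog"),
                source_ip=m.group("client_ip"),
                user=m.group("user"),
                pid=int(m.group("pid")),
            )
    return None


def count_attempts(lines: List[str]) -> Dict[str, int]:
    """Count distinct failed attempts per client IP.

    One attempt is logged to two facilities under the same PID, so a watcher
    that reads both streams has to dedupe on (pid, user, ip) or it counts each
    attempt twice and trips its threshold early.  (In inetd mode PIDs are
    eventually reused; a real implementation would also key on the timestamp.)
    """
    seen = set()
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue
        key = (ev.pid, ev.user, ev.source_ip)
        if key in seen:
            continue
        seen.add(key)
        counts[ev.source_ip] += 1
    return dict(counts)


def hosts_allow_deny(ev: FailedLogin) -> str:
    """Render the TCP-wrappers entry; the service field must be the daemon that was attacked."""
    return f"{ev.service} : {ev.source_ip} : DENY"


# Constructed sample: the two lines from the report (same attempt, PID 9380),
# one further failed attempt, and one successful login that must be ignored.
SAMPLE_LOG = [
    "Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'",
    "Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: "
    "no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21",
    "Sep 24 13:36:20 noir proftpd[9381]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'guest'",
    "Sep 24 13:36:25 noir proftpd[9382]: noir.berque.com (192.168.0.5[192.168.0.5]) - USER bob: Login successful.",
]

if __name__ == "__main__":
    for ip, n in count_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct failed attempts")
    first = parse_failed_login(SAMPLE_LOG[0])
    print(hosts_allow_deny(first))  # proftpd : 66.170.1.11 : DENY
```

Matching the authpriv.info form (AUTHPRIV_FORM) is what lets the default auth/authpriv watch list catch the attack without adding daemon.info; the service name in the DENY line comes from the syslog program tag of the line that was matched, which is how the entry ends up saying proftpd instead of sshd.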