From: Mij <mi...@bi...> - 2008-09-27 15:21:15
Thanks for this report. The bug of blocking the wrong service will be fixed later.

The sensitivity to auth messages instead of other ones is the idea -- unfortunately I have few means of inferring where the messages submitted by the users on http://sshguard.sourceforge.net/newattackpatt.php appear on.

Please try the version in the SCM, it should be sensitive to the line you reported appearing with auth facility. Moreover, you shouldn't find anymore the problem with autoconf incompatibility that you reported before.

    mkdir sshguard
    cd sshguard
    svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .

then compile and test as usual.

michele

On 24 Sep 2008, at 20:33, Andy Berkvam wrote:

> I have a server running ProFTPD 1.3.0a running in inetd mode. I have
> found that sshguard is not blocking FTP attacks. I have found two causes
> for this.
>
> First, in a default install of sshguard, sshguard never gets the log
> messages that it's looking for. ProFTPD sends multiple messages to
> multiple syslog facilities. sshguard seems to be looking for logfile
> entries like this:
>
> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>
> Messages of that form are being sent to daemon.info and normally
> sshguard only watches auth.info and authpriv.info. I have modified my
> installation to watch daemon.info as well and it detects the attack now.
>
> It would be more convenient if sshguard matched the log message that
> gets sent to the authpriv.info facility. Then sshguard would match it by
> default. That message is in the form:
>
> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>
> Second, sshguard is blocking the wrong service. When I simulate an FTP
> attack the following entry gets put in my hosts.allow file:
>
> ###sshguard###
> sshd : 66.170.1.11 : DENY
> ###sshguard###
>
> Obviously this should start with "proftpd", not "sshd".
>
> Thank you,
>
> Andy
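
The two ProFTPD line forms and the hosts.allow entry discussed in this thread, as an added example that is not part of the original messages and is not sshguard's own parser. The function names, the regular expressions and the third sample line are assumptions made for illustration; only IPv4 is handled.

```python
import ipaddress
import re

# In both reported forms the daemon writes "(rhost[ip])" before the message
# text. The user name inside the message is client-supplied, so the address
# is read from this prefix and never from text that follows the user name.
PREFIX = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ (?P<service>proftpd)\[\d+\]: "
    r"\S+ \([^\[\]\s]*\[(?P<ip>[0-9.]+)\]\) - (?P<msg>.*)$"
)

# Failure messages, anchored at the start of the daemon-written message.
FAILURES = (
    re.compile(r"^no such user '"),                     # form seen on daemon.info
    re.compile(r"^USER .*: no such user found from "),  # form seen on authpriv.info
)

def parse_failure(line):
    """Return (service, ip) for a failed-login line, or None otherwise."""
    m = PREFIX.match(line)
    if m is None or not any(p.match(m["msg"]) for p in FAILURES):
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # rejects e.g. "999.1.1.1"
    except ValueError:
        return None
    return m["service"], str(ip)

def hosts_allow_entry(service, ip):
    """Build the block entry keyed on the service that logged the failure."""
    return f"###sshguard###\n{service} : {ip} : DENY\n###sshguard###"

# First two lines are the samples from the report; the third is constructed.
DAEMON_LINE = ("Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com "
               "(66.170.1.11[66.170.1.11]) - no such user 'andyb'")
AUTHPRIV_LINE = ("Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com "
                 "(66.170.1.11[66.170.1.11]) - USER andyb: no such user found "
                 "from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21")
OTHER_LINE = ("Sep 24 13:37:01 noir proftpd[9381]: noir.berque.com "
              "(66.170.1.11[66.170.1.11]) - FTP session closed.")

if __name__ == "__main__":
    for line in (DAEMON_LINE, AUTHPRIV_LINE, OTHER_LINE):
        hit = parse_failure(line)
        print(hosts_allow_entry(*hit) if hit else "no match")
```

Because the service name comes from the matched log line, the entry starts with "proftpd" for both forms, whichever syslog facility delivered the line.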