From: Andy B. <abe...@be...> - 2008-09-29 18:51:40

I updated to the SCM version this morning. I can confirm that the
authpriv.info/daemon.info issue and the autoconf issue are resolved.
As you mentioned, the wrong service is still being blocked.

Thank you,

Andy

On Sat, 27 Sep 2008, Mij wrote:

> Thanks for this report.
> The bug of blocking the wrong service will be fixed later. The
> sensitivity to auth messages instead of other ones is the idea --
> unfortunately I have few means of inferring where the messages
> submitted by the users on
>
> http://sshguard.sourceforge.net/newattackpatt.php
>
> appear on.
>
> Please try the version in the SCM, it should be sensitive to the line
> you reported appearing with auth facility. Moreover, you shouldn't
> find anymore the problem with autoconf incompatibility that you
> reported before.
>
> mkdir sshguard
> cd sshguard
> svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .
>
> then compile and test as usual.
>
> michele
>
>
> On 24 Sep 2008, at 20:33, Andy Berkvam wrote:
>
>> I have a server running ProFTPD 1.3.0a running in inetd mode. I have
>> found that sshguard is not blocking FTP attacks. I have found two
>> causes for this.
>>
>> First, in a default install of sshguard, sshguard never gets the log
>> messages that it's looking for. ProFTPD sends multiple messages to
>> multiple syslog facilities. sshguard seems to be looking for logfile
>> entries like this:
>>
>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>>
>> Messages of that form are being sent to daemon.info and normally
>> sshguard only watches auth.info and authpriv.info. I have modified my
>> installation to watch daemon.info as well and it detects the attack
>> now.
>>
>> It would be more convenient if sshguard matched the log message that
>> gets sent to the authpriv.info facility. Then sshguard would match it
>> by default. That message is in the form:
>>
>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>>
>> Second, sshguard is blocking the wrong service. When I simulate an FTP
>> attack the following entry gets put in my hosts.allow file:
>>
>> ###sshguard###
>> sshd : 66.170.1.11 : DENY
>> ###sshguard###
>>
>> Obviously this should start with "proftpd", not "sshd".
>>
>> Thank you,
>>
>> Andy
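
The two points raised in this thread (which log line gets matched, and which service name ends up in hosts.allow), worked through as an added example. This is not sshguard's code and not from either poster; `parse_failure`, `hosts_allow_block` and the `threshold` parameter are assumptions made for illustration, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Syslog prefix: timestamp, host, then the "tag[pid]:" naming the daemon that logged.
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<tag>[\w.-]+)\[\d+\]: (?P<msg>.*)$")

# The two ProFTPD failure forms quoted in the thread. The address is read from
# the "(host[ip])" connection field, which precedes the free text of the message.
PROFTPD_FAIL = re.compile(
    r"^\S+ \(\S+\[(?P<ip>[0-9.]+)\]\) - "
    r"(?:no such user '.*'|USER .*: no such user found from .*)$"
)

def parse_failure(line):
    """Return (service, ip) for a ProFTPD login failure, else None."""
    m = SYSLOG.match(line)
    if not m or m.group("tag") != "proftpd":
        return None
    f = PROFTPD_FAIL.match(m.group("msg"))
    if not f:
        return None
    try:
        ip = ipaddress.IPv4Address(f.group("ip"))  # reject malformed addresses
    except ValueError:
        return None
    return m.group("tag"), str(ip)  # service name comes from the log tag

def hosts_allow_block(lines, threshold=2):
    """Deny entries in the layout from the thread; threshold is an assumed parameter."""
    hits = Counter(filter(None, map(parse_failure, lines)))
    rules = [f"{svc} : {ip} : DENY" for (svc, ip), n in sorted(hits.items()) if n >= threshold]
    if not rules:
        return ""
    return "\n".join(["###sshguard###", *rules, "###sshguard###"])

SAMPLE = [
    # The two lines quoted in the thread (re-joined onto one line each).
    "Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'",
    "Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: "
    "no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21",
    # Constructed lines: another address inside the free text, and an unrelated daemon.
    "Sep 24 13:37:02 noir proftpd[9391]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user '(10.0.0.5[10.0.0.5])'",
    "Sep 24 13:37:05 noir sshd[9400]: Accepted publickey for andyb from 192.168.0.7 port 50122 ssh2",
]

if __name__ == "__main__":
    print(hosts_allow_block(SAMPLE))
```

The first two sample lines are the same login attempt as it appears on daemon.info and on authpriv.info, so a watcher that reads both facilities counts that attempt twice against the threshold.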