From: Mij <mi...@bi...> - 2008-09-30 13:53:01
On 29 Sep 2008, at 19:51, Andy Berkvam wrote:
> I updated to the SCM version this morning. I can confirm that the
> authpriv.info/daemon.info issue and the autoconf issue are resolved. As
> you mentioned, the wrong service is still being blocked.

This requires some further twiddling. The idea is, for all the backends the address is either blocked (at the network level) or free. For the "hosts" backend, this happens at the application layer, so the rule chain needs to be blasted by service type to indicate the relevant application name for blocking. This name is required to be known inside that backend as well then.

There is another business that I'm thinking of that might match well with this, that is, making these lists of blocked addresses available in the API, and accompanying them with more thorough information, e.g. on service names and blocking history. At the same time, I'm thinking of making this history possibly consistent on disk, so that "bad guys" are still known even after reboots of the server.

The bottom line is, I'll stream this modification in a bigger design; this'll take some weeks. In the meantime, if you principally use sshguard for non-ssh services, I can advise as a workaround using another backend working at the network level.

thanks for your feedback

> Thank you,
>
> Andy
>
> On Sat, 27 Sep 2008, Mij wrote:
>
>> Thanks for this report.
>> The bug of blocking the wrong service will be fixed later. The sensitivity to
>> auth messages instead of other ones is the idea -- unfortunately I have few
>> means of inferring where the messages submitted by the users on
>>
>> http://sshguard.sourceforge.net/newattackpatt.php
>>
>> appear on.
>>
>> Please try the version in the SCM, it should be sensitive to the line you reported
>> appearing with auth facility. Moreover, you shouldn't find anymore the problem with
>> autoconf incompatibility that you reported before.
>>
>> mkdir sshguard
>> cd sshguard
>> svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .
>>
>> then compile and test as usual.
>>
>> michele
>>
>>
>> On 24 Sep 2008, at 20:33, Andy Berkvam wrote:
>>
>>> I have a server running ProFTPD 1.3.0a running in inetd mode. I have
>>> found that sshguard is not blocking FTP attacks. I have found two causes
>>> for this.
>>>
>>> First, in a default install of sshguard, sshguard never gets the log
>>> messages that it's looking for. ProFTPD sends multiple messages to
>>> multiple syslog facilities. sshguard seems to be looking for logfile
>>> entries like this:
>>>
>>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>>>
>>> Messages of that form are being sent to daemon.info and normally
>>> sshguard only watches auth.info and authpriv.info. I have modified my
>>> installation to watch daemon.info as well and it detects the attack now.
>>>
>>> It would be more convenient if sshguard matched the log message that
>>> gets sent to the authpriv.info facility. Then sshguard would match it by
>>> default. That message is in the form:
>>>
>>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>>>
>>> Second, sshguard is blocking the wrong service. When I simulate an FTP
>>> attack the following entry gets put in my hosts.allow file:
>>>
>>> ###sshguard###
>>> sshd : 66.170.1.11 : DENY
>>> ###sshguard###
>>>
>>> Obviously this should start with "proftpd", not "sshd".
>>>
>>> Thank you,
>>>
>>> Andy
>>>
>>> -------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in the world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
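Added example, not sshguard's own code and not written by anyone in this thread: a small Python sketch of the two points Andy raised. It matches both ProFTPD message forms quoted above (the daemon.info "no such user" line and the authpriv.info "USER ...: no such user found from" line), takes the service name from the syslog tag rather than assuming sshd, and carries that name into the hosts.allow DENY entry so an FTP attacker is denied for proftpd. The regular expressions, the failure threshold and the sample log lines are my own constructions (RFC 5737 documentation addresses), not sshguard's attack patterns or its hosts backend.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional


class AuthFailure(NamedTuple):
    service: str    # syslog tag of the daemon that logged the failure, e.g. "proftpd"
    host: str       # hostname from the syslog header
    attacker: str   # source address of the failed login


# Generic syslog prefix: "Sep 24 13:36:16 noir proftpd[9380]: <message>"
_SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<service>[A-Za-z0-9_.-]+)\[\d+\]: (?P<msg>.*)$"
)

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# ProFTPD message bodies in the two forms quoted in the thread (my regexes, an assumption).
# daemon.info form:   "<client> (<ip>[<ip>]) - no such user '<name>'"
_PROFTPD_DAEMON_RE = re.compile(
    rf"^\S+ \((?P<addr>{_IP})\[{_IP}\]\) - no such user '[^']*'$"
)
# authpriv.info form: "<client> (<ip>[<ip>]) - USER <name>: no such user found from <ip> [<ip>] to <server>:<port>"
_PROFTPD_AUTHPRIV_RE = re.compile(
    rf"^\S+ \({_IP}\[{_IP}\]\) - USER \S+: no such user found from "
    rf"(?P<addr>{_IP}) \[{_IP}\] to \S+:\d+$"
)

# Message patterns keyed by the syslog tag that produces them; only proftpd is filled in here.
_PATTERNS = {
    "proftpd": (_PROFTPD_DAEMON_RE, _PROFTPD_AUTHPRIV_RE),
}


def parse_line(line: str) -> Optional[AuthFailure]:
    """Return an AuthFailure for a recognised failed-login line, else None."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    service = m.group("service")
    for pattern in _PATTERNS.get(service, ()):
        body = pattern.match(m.group("msg"))
        if body:
            return AuthFailure(service, m.group("host"), body.group("addr"))
    return None


def hosts_allow_block(lines, threshold: int) -> str:
    """Build a hosts.allow fragment with one DENY line per (service, address)
    that reached `threshold` failures; the service is the one that logged them."""
    counts = Counter()
    for line in lines:
        failure = parse_line(line)
        if failure:
            counts[(failure.service, failure.attacker)] += 1
    rules = [f"{svc} : {addr} : DENY"
             for (svc, addr), n in sorted(counts.items()) if n >= threshold]
    if not rules:
        return ""
    return "\n".join(["###sshguard###", *rules, "###sshguard###"]) + "\n"


# Constructed sample log lines, modelled on the two forms quoted in the thread.
SAMPLE_LOG = [
    "Sep 24 13:36:16 noir proftpd[9380]: noir.example.com (192.0.2.10[192.0.2.10]) - no such user 'andyb'",
    "Sep 24 13:36:17 noir proftpd[9381]: noir.example.com (192.0.2.10[192.0.2.10]) - no such user 'admin'",
    "Sep 24 13:36:18 noir proftpd[9382]: noir.example.com (192.0.2.10[192.0.2.10]) - USER root: no such user found from 192.0.2.10 [192.0.2.10] to 192.168.0.100:21",
    # one failure from a second address: stays below the threshold, must not be listed
    "Sep 24 13:40:01 noir proftpd[9390]: noir.example.com (192.0.2.77[192.0.2.77]) - no such user 'test'",
    # unrelated daemon line that must be ignored
    "Sep 24 13:41:00 noir cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    print(hosts_allow_block(SAMPLE_LOG, threshold=3), end="")
```

Running the block prints a three-line block whose DENY rule names proftpd, which is what Andy expected to see in hosts.allow; an sshd-only rule chain would still have extracted the address correctly but attached it to the wrong tcpd daemon name, leaving the FTP service open.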