From: alia r. <ali...@gm...> - 2009-01-30 06:37:10
Hello to everyone! Just started using sshguard. I've managed to configure it to monitor SSH brute force attacks. My problem now is to monitor FTP brute force attacks. I'm using sshguard with ipfilter. I'm using proftpd for FTP. I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log command to monitor whether failed FTP logins are being logged.

I've used the debug command to check where the problem is and I found these lines:

    Run command "grep -qE '^##sshguard-begin## ##sshguard-end##$' < /etc/ipf.rules": exited 0.
    Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 147 (" ")
    --accepting rule at line 136 ("localhost")
    Next token is token HOSTADDR ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token HOSTADDR ()
    Stack now 0
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 147 (" ")
    --accepting rule at line 136 ("localhost")
    Next token is token HOSTADDR ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token HOSTADDR ()
    Stack now 0

I think the problem lies in the accepting rule at line 147. It just reads a blank character or line or a space.

I've checked my auth.log file and found these lines:

    Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
    Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.

I've checked the attack_scanner.l file. I saw these lines:

    /* ProFTPd */
    ({WORD}\.)+{WORD}" ("[^\[]+"["    { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
    <proftpd_loginerr>"]) -".*" no such user found ".+    { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }

I'm guessing it's reading the second line instead of the first line (in the auth.log file). Because if it's reading the first line, it should be able to monitor the failed FTP logins or attempts, right?

Can someone help me with how I could fix this issue? I'm starting to like sshguard and this is what I really need because it has support for ipfilter.

Thanks in advance!

Regards,
alia
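Added illustration, not part of the post or of sshguard itself: the prefix rule quoted above, ({WORD}\.)+{WORD}" (", requires at least one dot in the hostname before " (", so a bare "localhost" cannot start the proftpd_loginerr state and the lexer falls through to the generic HOSTADDR rule instead. The block below re-expresses the two flex rules as Python regexes and compares the original prefix with a variant that also accepts a dotless host. Assumed: the definition of {WORD} (sshguard's own may differ) and the constructed log lines, which use addresses from the 192.0.2.0/24 documentation range.

```python
import re

# Assumed definition of the {WORD} macro; sshguard's attack_scanner.l may define it differently.
WORD = r"[a-zA-Z0-9_-]+"

# Translation of the ProFTPd prefix rule from attack_scanner.l:
#   ({WORD}\.)+{WORD}" ("[^\[]+"["
# The (WORD\.)+ group demands at least one dot, so "localhost (" never matches.
PROFTPD_PREFIX_ORIGINAL = re.compile(rf"^(?:{WORD}\.)+{WORD} \([^\[]+\[")

# Relaxed variant: zero or more dotted labels, so a bare hostname also matches.
PROFTPD_PREFIX_RELAXED = re.compile(rf"^(?:{WORD}\.)*{WORD} \([^\[]+\[")

# Translation of the suffix rule:  "]) -".*" no such user found ".+
PROFTPD_SUFFIX = re.compile(r"\]\) -.* no such user found .+")

# Syslog banner with PID, as matched by the rule at line 74 in the debug output.
SYSLOG_BANNER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")

# Constructed sample lines modelled on the auth.log excerpt in the post.
SAMPLE_LOCALHOST = ("Jan 29 14:30:34 sample proftpd[12194]: localhost (192.0.2.10[192.0.2.10]) - "
                    "USER jkhfjkasdhfjd: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21")
SAMPLE_FQDN = ("Jan 29 14:30:34 sample proftpd[12194]: ftp.example.org (192.0.2.10[192.0.2.10]) - "
               "USER bob: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21")
SAMPLE_CLOSED = "Jan 29 14:30:34 sample proftpd[12194]: localhost (192.0.2.10[192.0.2.10]) - FTP session closed."


def proftpd_login_failure(line, prefix=PROFTPD_PREFIX_RELAXED):
    """Return the bracketed client address of a ProFTPd 'no such user' line, else None.

    Mirrors the lexer's state machine: banner, then prefix (enter proftpd_loginerr),
    then the address token, then the suffix (back to INITIAL).
    """
    m = SYSLOG_BANNER.match(line)
    if not m:
        return None
    body = line[m.end():]
    pm = prefix.match(body)
    if not pm:                      # hostname shape rejected: no attack token is produced
        return None
    am = re.match(r"[^\]]+", body[pm.end():])   # the HOSTADDR inside "[...]"
    if not am or not PROFTPD_SUFFIX.match(body[pm.end() + am.end():]):
        return None                 # e.g. "FTP session closed." is not a login failure
    return am.group(0)


if __name__ == "__main__":
    for sample in (SAMPLE_LOCALHOST, SAMPLE_FQDN, SAMPLE_CLOSED):
        print(proftpd_login_failure(sample, PROFTPD_PREFIX_ORIGINAL), proftpd_login_failure(sample))
```

Running it shows the original prefix rejecting the "localhost" line while accepting the dotted hostname, and both variants ignoring the "FTP session closed." line.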