From: Mij <mi...@bi...> - 2009-02-02 12:12:54
Alia, please try this:

1) cd sshguard/src/ and edit attack_scanner.c
2) change line
   "({WORD}\.)+{WORD}" ("[^\[]+"[""   (for proftpd)
   to
   {HOSTADDR}" ("[^\[]+"["
3) run
   flex attack_scanner.l
   bison -vd attack_parser.y
   then recompile and use "sshguard -d" as you did for reporting.

Please report again if that does not fix it.

On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:

> Hello to everyone!
>
> Just started using sshguard. I've managed to configure it to monitor SSH brute force attacks. My problem now is to monitor FTP brute force attacks. I'm using sshguard with ipfilter. I'm using proftpd for FTP.
>
> I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log command to monitor if failed ftp logins are being logged.
>
> I've used the debug command to check where the problem is and I found these lines:
>
> Run command "grep -qE '^##sshguard-begin## ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
>
> I think the problem lies in the accepting rule at line 147. It just reads a blank character or line or a space. I've checked my auth.log file and found these lines:
>
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
>
> I've checked the attack_scanner.l file. I saw these lines:
>
> /* ProFTPd */
> ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> <proftpd_loginerr>"]) -".*" no such user found ".+ { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
>
> I'm guessing it's reading the second line instead of the first line (in the auth.log file). Because if it's reading the first line, it should be able to monitor the failed ftp logins or attempts, right?
>
> Can someone help me with my problem on how I could fix this issue? I'm starting to like sshguard and this is what I really need because it has support for ipfilter.
>
> Thanks in advance!
>
> Regards,
> alia
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
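The matching difference behind the suggested change, as an added Python example that is not part of this thread or of sshguard's own code: it emulates the original ProFTPd prefix rule and the replacement with Python regular expressions (an approximation of flex's scanner, not flex itself) and runs both over constructed proftpd log lines. The `{WORD}`, `{HOSTADDR}` and syslog-banner sub-patterns are assumptions, since the thread does not show sshguard's definitions of them; the addresses in the sample lines are constructed.

```python
import re

# Assumed definitions for the flex sub-patterns named in the thread. sshguard's
# real {WORD} and {HOSTADDR} are not shown on the page and are more elaborate.
WORD = r"[A-Za-z0-9_-]+"
IPV4 = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
# An IPv4 address or a hostname, dotted or not ("localhost" qualifies).
HOSTADDR = rf"(?:{IPV4}|{WORD}(?:\.{WORD})*)"

# Assumed shape of the syslog banner token, e.g. "Jan 29 14:30:34 sample proftpd[12194]: ".
SYSLOG_BANNER_PID = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: "

# Original prefix rule quoted in the thread:  ({WORD}\.)+{WORD}" ("[^\[]+"["
# "({WORD}\.)+" demands at least one dot, so the bare hostname "localhost" can never match it.
OLD_PREFIX = rf"(?:{WORD}\.)+{WORD} \([^\[]+\["
# Suggested replacement:  {HOSTADDR}" ("[^\[]+"["
NEW_PREFIX = rf"{HOSTADDR} \([^\[]+\["
# Suffix rule quoted in the thread:  "]) -".*" no such user found ".+
SUFFIX = r"\]\) -.* no such user found .+"


def scan(line, prefix):
    """Emulate BANNER PREFIX <address> SUFFIX over one log line.

    Returns the client address sitting between the prefix's trailing "[" and the
    suffix's leading "])", or None when the line is not a ProFTPd login error.
    """
    m = re.match(rf"{SYSLOG_BANNER_PID}{prefix}({IPV4}){SUFFIX}$", line)
    return m.group(1) if m else None


# Constructed sample lines in the format shown in the thread (TEST-NET addresses).
SAMPLE_LINES = [
    # the reporter's case: undotted hostname "localhost"
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.7[203.0.113.7]) "
    "- USER jkhfjkasdhfjd: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21",
    # same event with a dotted hostname, which the original rule was written for
    "Jan 29 14:30:35 sample proftpd[12194]: ftp.example.org (203.0.113.7[203.0.113.7]) "
    "- USER jkhfjkasdhfjd: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21",
    # unrelated event: must be ignored by both rules
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.7[203.0.113.7]) "
    "- FTP session closed.",
]


def compare(lines):
    """Run both prefix rules over the lines; returns a list of (old_result, new_result)."""
    return [(scan(line, OLD_PREFIX), scan(line, NEW_PREFIX)) for line in lines]


if __name__ == "__main__":
    for line, (old, new) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"old={old!s:<12} new={new!s:<12} {line[39:70]}...")
```

Only the first sample line reproduces the reported failure: the original prefix rejects it because "localhost" contains no dot, which is why the debug trace shows "localhost" being handed to the parser as a bare HOSTADDR token instead of PROFTPD_LOGINERR_PREF, while the replacement prefix accepts both hostname forms and still leaves the "FTP session closed." line alone.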