From: alia r. <ali...@gm...> - 2009-02-03 06:30:42
Hi,
Thank you very much for replying. ~_~
I did what you suggested, but I had problems while reconfiguring
sshguard. Here's the error:

Making all in src
make all-recursive
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
mv -f .deps/command.Tpo .deps/command.Po
rm -f libfwall.a
ar cru libfwall.a command.o
ranlib libfwall.a
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
/bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
In file included from attack_scanner.c:2279:
/usr/include/stdlib.h:109: error: conflicting types for 'strtol'
attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3.

I think it has something to do with the data type that is being passed?
Not sure though. Still trying to make it work.
> Alia,
>
> please try this:
> 1) cd sshguard/src/ and edit attack_scanner.c
> 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> {HOSTADDR}" ("[^\[]+"["
> 3) run
> flex attack_scanner.l
> bison -vd attack_parser.y
>
> then recompile and use "sshguard -d" as you did for reporting.
> Please report again if that does not fix.
>
>
> On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
>
> Hello to everyone!
>
> Just started using sshguard. I've managed to configure it to monitor
> SSH brute force attack. My problem now is to monitor the FTP brute
> force attack. I'm using sshguard with ipfilter. I'm using proftpd
> for FTP.
>
> I'm 100% sure that logging is working because I used the
> tail -f /var/log/auth.log command to monitor if failed ftp logins are
> being logged.
>
> I've used the debug command to check where the problem is and I
> found these lines:
>
> Run command "grep -qE '^##sshguard-begin##
> ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
>
> I think the problem lies in the accepting rule at line 147. It just
> reads a blank character or line or a space. I've checked my auth.log
> file and found these lines:
>
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - FTP session closed.
>
> I've checked the attack_scanner.l file. I saw these lines:
>
> /* ProFTPd */
> ({WORD}\.)+{WORD}" ("[^\[]+"["    { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> <proftpd_loginerr>"]) -".*" no such user found ".+    { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
>
> I'm guessing it's reading the second line instead of the first line
> (in the auth.log file). Cause if it's reading the first line, it
> should be able to monitor the failed ftp logins or attempts right?
>
> Can someone help me about my problem on how I could fix this issue?
> I'm starting to like sshguard and this is what I really need because
> it has support for ipfilter.
>
> Thanks in advance!
>
> Regards,
> alia
>
> Sshguard-users mailing list
> Sshguard-users@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
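
The mismatch discussed in this thread, as an added example that is not part of the original messages or of sshguard's code: a Python translation of the quoted ProFTPd rule, run over constructed log lines in the format shown above. The `WORD`, `BANNER` and address patterns are assumed stand-ins for sshguard's flex definitions, and the relaxed prefix only illustrates the effect of accepting single-label names such as "localhost"; it does not reproduce `{HOSTADDR}`.

```python
import re
from collections import Counter

# Assumed stand-in for sshguard's {WORD} definition (not copied from its source).
WORD = r"[A-Za-z0-9_-]+"
# Assumed syslog banner pattern for lines written by proftpd.
BANNER = r"^\w{3} +\d+ [\d:]{8} \S+ proftpd\[\d+\]: "
# Client address in brackets, then the suffix from the rule quoted in the thread.
TAIL = r" \([^\[]+\[(?P<addr>[0-9a-fA-F.:]+)\]\) -.* no such user found .+$"

# Prefix as quoted: the server name must contain at least one dot.
STRICT = re.compile(BANNER + rf"(?:{WORD}\.)+{WORD}" + TAIL)
# Relaxed prefix: single-label server names are accepted as well.
RELAXED = re.compile(BANNER + rf"(?:{WORD}\.)*{WORD}" + TAIL)

# Constructed log lines in the format shown in the thread (documentation IPs).
SAMPLE = [
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (198.51.100.7[198.51.100.7])"
    " - USER jkhf: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (198.51.100.7[198.51.100.7])"
    " - FTP session closed.",
    "Jan 29 14:31:02 sample proftpd[12201]: ftp.example.org (203.0.113.9[203.0.113.9])"
    " - USER root: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.10:21",
    "Jan 29 14:31:05 sample proftpd[12194]: localhost (198.51.100.7[198.51.100.7])"
    " - USER x: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
]

def failed_logins(lines, pattern):
    """Count failed-login lines per client address under the given rule."""
    hits = Counter()
    for line in lines:
        m = pattern.match(line)
        if m:
            # The address is taken from the first bracket pair after the
            # server name, before any client-supplied user name appears.
            hits[m.group("addr")] += 1
    return hits

if __name__ == "__main__":
    print("strict :", dict(failed_logins(SAMPLE, STRICT)))
    print("relaxed:", dict(failed_logins(SAMPLE, RELAXED)))
```

With the strict prefix, every failed login logged under the server name "localhost" goes uncounted, so a blocker fed by that rule would never reach its threshold for those clients.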