From: Mij <mi...@bi...> - 2009-02-03 19:35:39
Please try with the SVN version, see http://sshguard.sourceforge.net/svn.html

On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:

> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
> In file included from attack_scanner.c:2279:
> /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3.
>
> I think it has something to do with the data type that is being
> passed?
> Not sure though. Still trying to make it work.
>
> > Alia,
> >
> > please try this:
> > 1) cd sshguard/src/ and edit attack_scanner.c
> > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > {HOSTADDR}" ("[^\[]+"["
> > 3) run
> > flex attack_scanner.l
> > bison -vd attack_parser.y
> >
> > then recompile and use "sshguard -d" as you did for reporting.
> > Please report again if that does not fix.
> >
> >
> > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> >
> > Hello to everyone!
> >
> > Just started using sshguard. I've managed to configure it to monitor
> > SSH brute force attack. My problem now is to monitor the FTP brute
> > force attack. I'm using sshguard with ipfilter. I'm using proftpd
> > for FTP.
> >
> > I'm 100% sure that logging is working because I used the
> > tail -f /var/log/auth.log command to monitor if failed ftp logins
> > are being logged.
> >
> > I've used the debug command to check where the problem is and I
> > found these lines:
> >
> > Run command "grep -qE '^##sshguard-begin##
> > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> >
> > I think the problem lies in the accepting rule at line 147. It just
> > reads a blank character or line or a space. I've checked my auth.log
> > file and found these lines:
> >
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
> >
> > I've checked the attack_scanner.l file. I saw these lines:
> >
> > /* ProFTPd */
> > ({WORD}\.)+{WORD}" ("[^\[]+"["    { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> > <proftpd_loginerr>"]) -".*" no such user found ".+    { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> >
> > I'm guessing it's reading the second line instead of the first line
> > (in the auth.log file). Cause if it's reading the first line, it
> > should be able to monitor the failed ftp logins or attempts right?
> >
> > Can someone help me about my problem on how I could fix this issue?
> > I'm starting to like sshguard and this is what I really need because
> > it has support for ipfilter.
> >
> > Thanks in advance!
> >
> > Regards,
> > alia
> >
> > _______________________________________________
> > Sshguard-users mailing list
> > Sshguard-users@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
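
The pattern problem discussed in this thread, as an added example that is not part of the original messages and is not sshguard's code: the quoted ProFTPd prefix rule requires a dotted server name, so a line whose server name is "localhost" never reaches the login-error rule, while the {HOSTADDR} variant does. WORD, IPV4, HOSTADDR and BANNER below are simplified assumptions standing in for the flex definitions, and the log lines use constructed documentation addresses.

```python
import re

# Assumed, simplified stand-ins for sshguard's flex definitions; they are
# not copied from attack_scanner.l.
WORD = r"[A-Za-z0-9][-_A-Za-z0-9]*"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOSTADDR = rf"(?:localhost|(?:{WORD}\.)+{WORD}|{IPV4})"

# Syslog banner with PID, e.g. "Jan 29 14:30:34 sample proftpd[12194]: "
BANNER = r"^\w{3} +\d+ [\d:]{8} \S+ proftpd\[\d+\]: "
# Counterpart of the <proftpd_loginerr> suffix rule quoted in the thread.
SUFFIX = r"\]\) -.* no such user found .+$"


def build(server_name):
    """Banner + prefix rule + bracketed client address + suffix rule."""
    return re.compile(
        BANNER + server_name + r" \([^\[]+\[(?P<addr>" + IPV4 + ")" + SUFFIX
    )


ORIGINAL = build(rf"(?:{WORD}\.)+{WORD}")  # prefix rule as quoted in the thread
RELAXED = build(HOSTADDR)                  # prefix rule after the suggested edit


def attacker(pattern, line):
    """Return the client address of a failed login, or None if no match."""
    m = pattern.match(line)
    return m.group("addr") if m else None


# Constructed sample lines (documentation addresses, not real log data).
HEAD = "Jan 29 14:30:34 sample proftpd[12194]: "
FAIL = " (198.51.100.7[198.51.100.7]) - USER {}: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21"
LOCAL = HEAD + "localhost" + FAIL.format("jkhfjkasdhfjd")
DOTTED = HEAD + "ftp.example.org" + FAIL.format("jkhfjkasdhfjd")
CLOSED = HEAD + "localhost (198.51.100.7[198.51.100.7]) - FTP session closed."
# The user name is chosen by the client; the address is still taken from the
# first bracket, which precedes it on the line.
SPOOF = HEAD + "localhost" + FAIL.format("a (x[203.0.113.9]) - b")

if __name__ == "__main__":
    for name, line in [("local", LOCAL), ("dotted", DOTTED),
                       ("closed", CLOSED), ("spoof", SPOOF)]:
        print(name, attacker(ORIGINAL, line), attacker(RELAXED, line))
```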