From: alia r. <ali...@gm...> - 2009-02-05 05:53:41
Hi,

Thanks again for replying. ~_~ I used the SVN version and I'm so happy to inform you that it worked! I just edited a file to make the proftpd monitoring work. Here are the things I did to make it work:

- I edited src/fwalls/command_ipfilter.h (since I'm using ipfilter).
- I added another case statement or option for proftpd, both for COMMAND_BLOCK and COMMAND_RELEASE:

    /* Each command is one shell script: the case on $SSHG_SERVICE picks the
     * rules-file edit (100 = port 22, the existing ssh case; 310 = port 21,
     * the proftpd case added here), awk inserts or removes the rule between
     * the ##sshguard-begin## / ##sshguard-end## markers in IPFILTER_CONFFILE,
     * and ipf then reloads the whole file. */
    #define COMMAND_BLOCK \
        "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
        "case $SSHG_SERVICE in " \
        "100) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
        "310) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
        "*) exit 0 ;; " \
        "esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE

    #define COMMAND_RELEASE \
        "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
        "case $SSHG_SERVICE in " \
        "100) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
        "310) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
        "esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE

  NOTE: I think there is an easier way to add the proftpd service using the scripts/sshguard_backendgen.sh script. I haven't tested that, but I did try to run that script before.
- Save the changes I've made in the command_ipfilter.h file.
- Reconfigure sshguard.
- make and make install clean.
- rehash (since I'm using FreeBSD).
- Then run sshguard manually using the tail -f ... | sshguard command.
- Tried making a failed ssh login and a failed proftpd login. Sshguard is now blocking both services when the maximum number of failed attempts is reached.

Thanks for your help Mij! Thanks for replying to my messages. I'll just post again if I have a problem. But I think everything is good now. Thank you very much! ~_~

Regards,
Alia

> Date: Tue, 3 Feb 2009 20:35:32 +0100
> From: Mij <mi...@bi...>
> Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> To: ssh...@li...
> Message-ID: <A60...@bi...>
> Content-Type: text/plain; charset="us-ascii"
>
> Please try with the SVN version, see
>
> http://sshguard.sourceforge.net/svn.html
>
>
> On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
>
> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
> In file included from attack_scanner.c:2279:
> /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3.
>
> I think it has something to do with the data type that is being passed?
> Not sure though. Still trying to make it work.
>
> > Alia,
> >
> > please try this:
> > 1) cd sshguard/src/ and edit attack_scanner.c
> > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> >    {HOSTADDR}" ("[^\[]+"["
> > 3) run
> >    flex attack_scanner.l
> >    bison -vd attack_parser.y
> >
> > then recompile and use "sshguard -d" as you did for reporting.
> > Please report again if that does not fix.
> >
> >
> > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> >
> > Hello to everyone!
> >
> > Just started using sshguard. I've managed to configure it to monitor
> > SSH brute force attacks. My problem now is to monitor the FTP brute
> > force attack. I'm using sshguard with ipfilter. I'm using proftpd
> > for FTP.
> >
> > I'm 100% sure that logging is working because I used the
> > tail -f /var/log/auth.log command to monitor if failed ftp logins are being
> > logged.
> >
> > I've used the debug command to check where the problem is and I
> > found these lines:
> >
> > Run command "grep -qE '^##sshguard-begin##
> > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> >
> > I think the problem lies in the accepting rule at line 147. It just
> > reads a blank character or line or a space. I've checked my auth.log
> > file and found these lines:
> >
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
> >
> > I've checked the attack_scanner.l file. I saw these lines:
> >
> > /* ProFTPd */
> > ({WORD}\.)+{WORD}" ("[^\[]+"["    { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> > <proftpd_loginerr>"]) -".*" no such user found ".+    { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> >
> > I'm guessing it's reading the second line instead of the first line
> > (in the auth.log file). Because if it's reading the first line, it
> > should be able to monitor the failed ftp logins or attempts, right?
> >
> > Can someone help me with my problem on how I could fix this issue?
> > I'm starting to like sshguard and this is what I really need because
> > it has support for ipfilter.
> >
> > Thanks in advance!
> >
> > Regards,
> > alia
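Once the C string quoting is peeled off, the two macros Alia posted are small awk programs: COMMAND_BLOCK copies the rules file and prints one extra rule right after the begin marker, COMMAND_RELEASE copies it and filters that rule back out between the two markers, and ipf then reloads the file. The shell script below is an added example written for this thread, not sshguard's own code. It performs the same two edits on a scratch copy of a rules file, and puts the posted release logic next to an exact-match version: the posted one keeps a line only if `$0 !~ /ADDR.*PORT/`, so the dots in the address match any character and nothing delimits it, which means releasing 10.0.0.1 also drops a rule for 10.0.0.10. The function names, the sample rules file and the sample addresses are constructed here; only the marker names and the rule text come from the post, and ipf itself is never run.

```shell
#!/bin/sh
# Added example, not sshguard's code: the rules-file edit that the posted
# COMMAND_BLOCK / COMMAND_RELEASE snippets perform, as functions you can run
# against a scratch copy of an ipf.rules file.  Marker names and rule text
# follow the post; the function names, the sample rules file and the sample
# addresses are constructed here.  The real backend follows each edit with
# "ipf -Fa && ipf -f FILE"; this example deliberately never runs ipf.

MARK_BEGIN='##sshguard-begin##'
MARK_END='##sshguard-end##'
RULE_FMT='block in quick proto tcp from %s to any port = %s'

# make_rules FILE: write a constructed ipf.rules with an empty sshguard section.
make_rules() {
    cat > "$1" <<EOF
pass in quick on lo0 all
$MARK_BEGIN
$MARK_END
pass in quick proto tcp from any to any port = 22 keep state
block in all
EOF
}

# rule_for ADDR PORT: the exact rule line ipf_block writes for this pair.
rule_for() {
    printf "$RULE_FMT" "$1" "$2"
}

# ipf_block ADDR PORT FILE: the posted COMMAND_BLOCK awk, with the rule text
# handed to awk via -v instead of being spliced into the program by the shell.
# Every line is copied (the bare pattern "1"); the new rule follows the marker.
ipf_block() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfconf.XXXXXX") || return 1
    awk -v rule="$(rule_for "$1" "$2")" -v begin="$MARK_BEGIN" '
        1
        $0 == begin { print rule }
    ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# ipf_release_posted ADDR PORT FILE: the posted COMMAND_RELEASE logic.  Between
# the markers, any line matching the regex ADDR.*PORT is dropped.  The dots in
# ADDR are regex wildcards and the address is not delimited, so releasing
# 10.0.0.1 also drops the rule for 10.0.0.10 (see the demo below).
ipf_release_posted() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfconf.XXXXXX") || return 1
    awk -v pat="$1.*$2" -v begin="$MARK_BEGIN" -v end="$MARK_END" '
        BEGIN { copy = 1 }
        copy
        $0 == begin { copy = 0 ; next }
        !copy { if ($0 !~ pat) print $0 }
        $0 == end { copy = 1 }
    ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# ipf_release ADDR PORT FILE: same scan, but drop only the exact line ipf_block
# wrote for this ADDR/PORT pair, so neighbouring addresses keep their rules.
ipf_release() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfconf.XXXXXX") || return 1
    awk -v rule="$(rule_for "$1" "$2")" -v begin="$MARK_BEGIN" -v end="$MARK_END" '
        BEGIN { copy = 1 }
        copy
        $0 == begin { copy = 0 ; next }
        !copy { if ($0 != rule) print $0 }
        $0 == end { copy = 1 }
    ' "$3" > "$tmp" && mv "$tmp" "$3"
}

# has_rule ADDR PORT FILE: succeed if the exact block rule is present.
has_rule() {
    grep -qxF "$(rule_for "$1" "$2")" "$3"
}

# Demo on a scratch file: block two neighbouring addresses plus a second port,
# release 10.0.0.1:22 with each method, and show what is left between markers.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/sshg-demo.XXXXXX")
demo_rules="$demo_dir/ipf.rules"
make_rules "$demo_rules"
ipf_block 10.0.0.1  22 "$demo_rules"
ipf_block 10.0.0.10 22 "$demo_rules"
ipf_block 10.0.0.1  21 "$demo_rules"
cp "$demo_rules" "$demo_dir/ipf.rules.posted"

ipf_release_posted 10.0.0.1 22 "$demo_dir/ipf.rules.posted"
ipf_release        10.0.0.1 22 "$demo_rules"

echo "--- posted release (10.0.0.10 is gone too):"
sed -n "/^$MARK_BEGIN\$/,/^$MARK_END\$/p" "$demo_dir/ipf.rules.posted"
echo "--- exact release:"
sed -n "/^$MARK_BEGIN\$/,/^$MARK_END\$/p" "$demo_rules"
rm -rf "$demo_dir"
```

Run it with `sh` on any box with awk and mktemp; nothing touches /etc/ipf.rules. The exact-match release is the one to carry back into the macro if you adopt this approach: the block side already knows the precise line it wrote, so the release side can compare against that line instead of a pattern built from the address.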