From: Mij <mi...@bi...> - 2009-02-06 11:16:15
I'll have a look and commit, thanks. The ipfilter backend has a narrow
user base, please report again in future if you find some lack of
functionality.
On Feb 5, 2009, at 6:53 AM, alia rapirap wrote:
> Hi,
>
> Thanks again for replying. ~_~
>
> I used the SVN version and I'm so happy to inform you that it
> worked! I just edited a file to make the proftpd monitoring work.
> Here are the things I did to make it work:
>
> - I edited the src/fwalls/command_ipfilter.h (since I'm using
> ipfilter).
> - I added another case statement or option for proftpd. Both for
> COMMAND_BLOCK and COMMAND_RELEASE
>
> #define COMMAND_BLOCK "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; case $SSHG_SERVICE in 100) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; 310) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; *) exit 0 ;; esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> #define COMMAND_RELEASE "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; case $SSHG_SERVICE in 100) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; 310) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> NOTE: I think there is an easier way to add the proftpd service
> using the scripts/sshguard_backendgen.sh script. I haven't tested
> that, but I did try to run that script before.
>
> - Save the changes I've made in the command_ipfilter.h file
> - Reconfigure sshguard
> - Make and make install clean
> - Rehash (since I'm using FreeBSD)
> - Then run sshguard manually using the tail -f ...| sshguard command
> - Tried making a failed ssh login and failed proftpd login. Sshguard
> is now blocking both services when the maximum number of failed
> attempts is reached.
>
> Thanks for your help Mij! Thanks for replying to my messages. I'll
> just post again if I have a problem. But I think everything is good
> now. Thank you very much! ~_~
>
> Regards,
> Alia
>
> > Date: Tue, 3 Feb 2009 20:35:32 +0100
> > From: Mij <mi...@bi...>
> > Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> > To: ssh...@li...
> > Message-ID: <A60...@bi...>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Please try with the SVN version, see
> >
> > http://sshguard.sourceforge.net/svn.html
> >
> >
> > On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
> >
> > Hi,
> >
> > Thank you very much for replying. ~_~
> >
> > I did what you suggested, but I had problems while
> > reconfiguring sshguard. Here's the error:
> >
> > Making all in src
> > make all-recursive
> > Making all in fwalls
> > gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT
> > command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> > mv -f .deps/command.Tpo .deps/command.Po
> > rm -f libfwall.a
> > ar cru libfwall.a command.o
> > ranlib libfwall.a
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -
> > MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> > mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> > /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -
> > MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o
> > attack_scanner.c
> > In file included from attack_scanner.c:2279:
> > /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> > attack_scanner.l:25: error: previous implicit declaration of
> > 'strtol' was here
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3.
> >
> > I think it has something to do with the data type that is being
> > passed?
> > Not sure though. Still trying to make it work.
> >
> > > Alia,
> > >
> > > please try this:
> > > 1) cd sshguard/src/ and edit attack_scanner.c
> > > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > > {HOSTADDR}" ("[^\[]+"["
> > > 3) run
> > > flex attack_scanner.l
> > > bison -vd attack_parser.y
> > >
> > > then recompile and use "sshguard -d" as you did for reporting.
> > > Please report again if that does not fix it.
> > >
> > >
> > > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> > >
> > > Hello to everyone!
> > >
> > > Just started using sshguard. I've managed to configure it to
> > > monitor SSH brute force attacks. My problem now is to monitor the
> > > FTP brute force attacks. I'm using sshguard with ipfilter. I'm
> > > using proftpd for FTP.
> > >
> > > I'm 100% sure that logging is working because I used the
> > > tail -f /var/log/auth.log command to monitor if failed ftp logins
> > > are being logged.
> > >
> > > I've used the debug command to check where the problem is and I
> > > found these lines:
> > >
> > > Run command "grep -qE '^##sshguard-begin##
> > > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > > sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > > sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > >
> > > I think the problem lies in the accepting rule at line 147. It
> > > just reads a blank character or line or a space. I've checked my
> > > auth.log file and found these lines:
> > >
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> > > - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> > > [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> > > - FTP session closed.
> > >
> > > I've checked the attack_scanner.l file. I saw these lines:
> > >
> > > /* ProFTPd */
> > > ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr);
> > > return PROFTPD_LOGINERR_PREF; }
> > > <proftpd_loginerr>"]) -".*" no such user found ".+
> > > { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> > >
> > > I'm guessing it's reading the second line instead of the first
> > > line (in the auth.log file). Because if it's reading the first
> > > line, it should be able to monitor the failed ftp logins or
> > > attempts, right?
> > >
> > > Can someone help me with how I could fix this issue? I'm starting
> > > to like sshguard and this is what I really need because it has
> > > support for ipfilter.
> > >
> > > Thanks in advance!
> > >
> > > Regards,
> > > alia
> > >
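As an added illustration, written for this page and not sshguard's own code nor anything posted in the thread, the following Python reimplements the two pieces discussed above: recognising the proftpd "no such user found" line by the same "host (name[addr])" prefix the flex rule had to accept, and editing the rules file between the ##sshguard-begin## and ##sshguard-end## markers the way COMMAND_BLOCK and COMMAND_RELEASE do. It goes one step beyond the awk release in the thread, which drops any line matching the address as a regex followed by the port digits, by removing only the exact rule line; the rules file and log lines are constructed samples.

```python
import re

BEGIN, END = "##sshguard-begin##", "##sshguard-end##"

# Service numbers as used in the thread's case statement: 100 = ssh, 310 = proftpd.
SERVICE_PORT = {100: 22, 310: 21}

# Same shape as the log line quoted in the thread:
#   "... proftpd[PID]: HOST (name[addr]) - USER name: no such user found from ..."
# The attacker address is the bracketed one inside the parentheses.
PROFTPD_LOGINERR = re.compile(
    r"proftpd\[\d+\]: \S+ \([^\[]+\[(?P<addr>[^\]]+)\]\) - USER \S+: "
    r"no such user found from "
)

# Constructed sample rules file with the marker block sshguard manages.
SAMPLE_RULES = "pass in all\n" + BEGIN + "\n" + END + "\npass out all\n"


def proftpd_attacker(line):
    """Return the attacker address from a proftpd login-failure line, else None."""
    m = PROFTPD_LOGINERR.search(line)
    return m.group("addr") if m else None


def ipf_rule(addr, port):
    return f"block in quick proto tcp from {addr} to any port = {port}"


def block(rules, addr, service):
    """Insert a block rule right after the begin marker, as COMMAND_BLOCK does."""
    lines = rules.splitlines()
    b = lines.index(BEGIN)  # ValueError if markers are missing, like sshguard's grep check
    rule = ipf_rule(addr, SERVICE_PORT[service])
    if rule not in lines[b + 1:lines.index(END)]:  # do not add the same rule twice
        lines.insert(b + 1, rule)
    return "\n".join(lines) + "\n"


def release(rules, addr, service):
    """Remove only the exact rule for addr/port inside the markers (COMMAND_RELEASE, exact match)."""
    lines = rules.splitlines()
    b, e = lines.index(BEGIN), lines.index(END)
    rule = ipf_rule(addr, SERVICE_PORT[service])
    managed = [l for l in lines[b + 1:e] if l != rule]  # never touch rules outside the block
    return "\n".join(lines[:b + 1] + managed + lines[e:]) + "\n"
```

After editing, sshguard reloads with "ipf -Fa && ipf -f FILE" as in the macros above; this block only produces the file contents.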