From: Greg P. <gre...@hc...> - 2009-04-08 14:11:30
Greg Parrish wrote:
> Greg Parrish wrote:
>> Mij wrote:
>>> As SimCList is used for recording those, there is no such limit by
>>> design.
>> Okay, that is good to know. I checked on another host we have elsewhere and
>> it has 72 entries in the table, so it is not seeing this limit.
>>
>>> What evidence makes you think that (nothing logged, errors or else)?
>> As mentioned, there are entries showing in Logwatch for multiple logins
>> on valid user names that are not being prevented after 2 failed logins.
>> For example today:
>>
>> ftp/password from 219.94.152.55: 7 Time(s)
>>
>> Once I noticed this I logged in from a remote location with an invalid
>> password and it does not initiate a block from my IP address. For example:
>>
>> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from 129.90.96.101 port 12156 ssh2
>> Mar 17 08:07:13 arnold last message repeated 2 times
>> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by 129.90.96.101
>> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from 129.90.96.101 port 12186 ssh2
>> Mar 17 08:07:23 arnold last message repeated 2 times
>> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by 129.90.96.101
>> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>>
>>
>>> Run sshguard in interactive mode (add -d) and paste attack lines
>>> repeatedly, change address once one has been blocked, and please report
>>> what happens at the 17th time.
>> I botched it. I used the init script to take it down and it cleared the
>> iptables DROP list in the sshguard chain. I do have the new logging
>> where this same IP is now blocked:
>>
>> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from 129.90.96.101 port 12353 ssh2
>> Mar 17 08:11:33 arnold last message repeated 2 times
>> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by 129.90.96.101
>> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
>> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from 129.90.96.101 port 12362 ssh2
>> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2 failures over 10 seconds.
>>
>>
>> Once I get back to this point I will kill the process and initiate it
>> with the -d option and report back.
>>
>> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
>>
>> -greg
>>
>>
>>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>>
>>>> Hi,
>>>>
>>>> I am using the following parameters for sshguard (v1.3). I know the -p
>>>> is huge and we don't mind blacklisting intruders for long periods. I
>>>> noticed today in logwatch and from further testing that once we reach
>>>> about 16 entries in the accumulated list for iptables that no further
>>>> entries are being accepted.
>>>>
>>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/sshguard.whitelist
>>>>
>>>> Please review and let me know if you need more information or logs. I am
>>>> wondering if there is a limit somewhere in the binary or if this is by
>>>> design.
>>>>
>>>> Thanks,
>>>> greg
>>>>
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> Okay, I have run into this problem again. This time we have 12 entries in
> the drop table; last time was 16. Logwatch shows multiple root login
> attempts from the same IP, which does not happen when this is working.
>
> I ran the command with the -d option but I get no output. I tried
> connecting to the host 7 times, with 3 failed logins each, and nothing,
> so of what I am seeing otherwise.
>
> /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w /etc/sshguard.whitelist
>
>
> SSH Guard Server Log from CLI:
>
> [hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w /etc/sshguard.whitelist
> whitelist: add '192.168.122.234' as plain IPv4.
> whitelist: add plain ip 192.168.122.234.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.
>
> -greg

I am still having this same issue, as it continues every few days. This time
it had about 20 entries in the iptables sshguard chain before it stopped working.

1. Start sshguard using init script
2. Runs fine and stops attacks for days (verified with logwatch)
3. New logwatch shows many ssh root login attempts from single IP
4. Restart sshguard using init, clears iptables chain and begins working

I have verified the above using my own failed login from outside hosts.

Again I stopped sshguard using pkill and then the init (which clears the chain
filter list) and ran this manually as requested and it does nothing, no log,
no screen output. Can I get some idea on how to better troubleshoot this
issue please?

[root@hostname ~]# /usr/local/sbin/sshguard -d -a 2 -p 2592000 -s 1800 -w /etc/sshguard.whitelist
whitelist: add '192.168.122.234' as plain IPv4.
whitelist: add plain ip 192.168.122.234.
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain ip 127.0.0.1.
Started successfully [(a,p,s)=(2, 2592000, 1800)], now ready to scan.

After a few attacks from the outside (>2) there is no blocking, no log,
nothing when running this manually as suggested previously, as seen above.

Thanks much,
-greg
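The thread turns on what sshguard should do with the sshd lines above given the flags -a (failures before blocking), -s (window in which they must occur), -p (how long a block lasts) and -w (whitelist). The following is an added example, written for this page and not sshguard's own code or anything the poster ran: a small Python model of that sliding-window counter, run over the exact log lines quoted in the thread, so a reader can predict which source should have been blocked and when before comparing against what the daemon actually did. It assumes a year of 2009 for the year-less syslog timestamps, and it chooses to expand a syslog "last message repeated N times" line into N extra failures from the same source; the real sshguard parser evidently counts only the "Failed password" lines (the thread's own "Blocking 129.90.96.101: 2 failures over 10 seconds" reflects the two such lines at 08:11:27 and 08:11:38), so that expansion is a design choice of this example, not a description of sshguard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample sshd lines, copied from the log excerpt quoted in the thread above.
SAMPLE_LOG = """\
Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from 129.90.96.101 port 12156 ssh2
Mar 17 08:07:13 arnold last message repeated 2 times
Mar 17 08:07:13 arnold sshd[17505]: Connection closed by 129.90.96.101
Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from 129.90.96.101 port 12186 ssh2
Mar 17 08:07:23 arnold last message repeated 2 times
Mar 17 08:07:23 arnold sshd[17509]: Connection closed by 129.90.96.101
Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 user=gparrish
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times")


def parse_ts(text, year=2009):
    # syslog timestamps carry no year; 2009 is an assumption for the sample lines
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def failures(lines):
    """Yield (timestamp, source_ip) once per failed password attempt.

    A 'last message repeated N times' line directly after a 'Failed password'
    line is expanded into N further failures from the same source. That is a
    design choice of this example, not a description of sshguard's parser.
    """
    last_ip = None
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            last_ip = m["ip"]
            yield parse_ts(m["ts"]), last_ip
            continue
        m = REPEAT_RE.match(line)
        if m and last_ip is not None:
            for _ in range(int(m["n"])):
                yield parse_ts(m["ts"]), last_ip
            continue
        last_ip = None  # any other line ends a 'repeated' chain


class Guard:
    """Sliding-window failure counter modelled on sshguard's -a / -s / -p / -w options."""

    def __init__(self, abuse_threshold=2, window_seconds=1800,
                 pardon_seconds=2592000, whitelist=()):
        self.a = abuse_threshold          # -a: failures needed before a block
        self.s = window_seconds           # -s: failures older than this are forgotten
        self.p = pardon_seconds           # -p: how long a block stays in place
        self.whitelist = set(whitelist)   # -w: sources that are never blocked
        self.recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self.blocked = {}                 # ip -> time the block was placed

    def feed(self, ts, ip):
        """Record one failure; return a block-event dict if it triggers a new block, else None."""
        if ip in self.whitelist:
            return None
        if ip in self.blocked:
            if (ts - self.blocked[ip]).total_seconds() < self.p:
                return None  # still serving its block; nothing to do
            del self.blocked[ip]  # pardon expired: release and start counting afresh
        q = self.recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.s:  # drop failures outside the window
            q.popleft()
        if len(q) < self.a:
            return None
        event = {"ip": ip, "at": ts, "failures": len(q),
                 "over": (ts - q[0]).total_seconds()}
        self.blocked[ip] = ts
        q.clear()
        return event


def run(lines, **options):
    """Feed every parsed failure through one Guard and return the block events in order."""
    guard = Guard(**options)
    events = []
    for ts, ip in failures(lines):
        event = guard.feed(ts, ip)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for e in run(SAMPLE_LOG.splitlines()):
        print(f"Blocking {e['ip']}: {e['failures']} failures over {e['over']:.0f} seconds.")
```

With the thread's flags (-a 2, -s 1800) the sample yields a single block of 129.90.96.101 at 08:07:13, the second failure; every later failure from that source is swallowed because the block is still in force. Changing pardon_seconds to a few seconds shows the other half of the behaviour: once the pardon expires the source is released and has to accumulate -a failures again before it is re-blocked, which is what to expect in practice with a short -p and what never happens within the 30-day -p used in the thread.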