From: Adam C. <ada...@be...> - 2009-04-17 22:57:10
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Running interactively seems to work fine. <br>
<br>
In my log, the message for the release that failed shows an incomplete IP. (see "Releasing 4...." below)<br>
It looks like the IP address might not have been parsed out completely?<br>
<br>
Also, not sure how to report this, but my version of Redhat generates a message that sshguard isn't catching. They look like this:<br>
<br>
<div class="moz-text-html" lang="x-western"><tt>Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2<br>
</tt></div>
<br>
Can additional scanning rules be added by the user (me?) I will look at the source in svn to see how this is structured.<br>
<br>
thanks<br>
Adam<br>
<br>
<br>
Mij wrote:
<blockquote cite="mid:2EE...@bi..." type="cite">
<pre wrap="">On Apr 16, 2009, at 19:09 , Adam Cohen wrote:

</pre>
<blockquote type="cite">
<pre wrap="">greetings,

I've recently installed sshguard 1x. on a Redhat box and it seems to be working well. However, I noticed the following on my system log:

Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402 seconds.
Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed. Exited: -1

Seems like the dynamic removal of blocked hosts from iptables is failing. iptables -L shows multiple entries for the same host on the sshguard chain. Is this a valid conclusion?
</pre>
</blockquote>
<pre wrap=""><!---->
yes, reasonable if releasing fails.

</pre>
<blockquote type="cite">
<pre wrap="">Any ideas on why or how to fix?
</pre>
</blockquote>
<pre wrap=""><!---->
can you run sshguard manually, as root:

/usr/local/bin/sshguard -d -a2 -p10

and then paste *2 times* as its input one line like:

Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4

it should block the address.
Wait some seconds, it should release it. If you still see the "Release command failed. Exited: -1", there should now be more debug info. Please send that in.

</pre>
<blockquote type="cite">
<pre wrap="">thanks

--
Adam Cohen
IT Manager
Energy Biosciences Institute
109 Calvin Lab
642-7709

_______________________________________________
Sshguard-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ssh...@li...">Ssh...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/sshguard-users">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a>
</pre>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
</pre>
</body>
</html> |
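Added example, not part of the original message and not sshguard's own code: a small Python matcher that covers both sshd message shapes quoted in this thread and validates the captured address, so a fragment such as "4" is never handed to a block or release command. The rule set, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the two sshd message shapes quoted in the thread,
# plus one line whose address field is cut short.
SAMPLE_LOG = """\
Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4
Apr 12 10:11:13 foo sshd[1234]: Invalid user root from 1.2.3.4
Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2
Apr 17 14:42:43 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54514 ssh2
Apr 17 14:42:45 prod-02 sshd[12923]: Invalid user test from 4
"""

# Hypothetical rule set (an assumption, not sshguard's grammar). The address is
# captured as one whitespace-delimited token and validated afterwards.
RULES = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<addr>\S+)$"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+"
               r" from (?P<addr>\S+) port \d+ ssh2$"),
]


def extract_address(line):
    """Return the source address, or None if no rule matches or the
    captured token is not a complete IPv4/IPv6 address."""
    for rule in RULES:
        m = rule.search(line.rstrip())
        if m:
            try:
                return str(ipaddress.ip_address(m.group("addr")))
            except ValueError:
                return None  # partial address such as "4": do not act on it
    return None


def addresses_to_block(log_text, threshold=2):
    """Addresses seen in at least `threshold` matching lines; the default of 2
    mirrors the two pasted lines in the manual test described in the thread."""
    hits = Counter()
    for line in log_text.splitlines():
        addr = extract_address(line)
        if addr:
            hits[addr] += 1
    return sorted(a for a, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(addresses_to_block(SAMPLE_LOG))
```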