Re: [Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Hi Mij,

I have updated my init script to use the -d option and that is working. 
It does not appear to log to the auth.log file I am using, any details 
of the incoming blocked connections, I assume this is expected.

Further I am not sure how to snap the entries into sshguard when running 
with -d, can you detail what you want me to do there or provide a link?

Now here is an update as I have been watching this while running under 
the -d option. I got to 30 entries in the iptables chain and it stopped 
working. I was on the console and watching the logs go by from the -d 
output. I noticed at one point there  was no more updates from the 
console. I attempted to login incorrectly from a few remote locations 
and I never got blocked, I could attempt to login over and over and 
there was NO output from sshguard as before. The process was still 
running but it was like it was just doing nothing. It remained like this 
for a few hours until restart.

So our problem does not appear to be unrecognized entries but any entry 
after some time or some number of previous blocking events, it just stop 
s working.

I used the init to stop and start and tested and it is working again all 
fine. Let me know how you would like to proceed on gathering more data 
on this issue if interested.

Thanks,
greg



Mij wrote:
> Hello,
> 
> sorry for the latency, busy time.
> 
> Whenever you see some log entries that you expect to be "suspicious"  
> but are
> not recognized as such, you should repeat the manual check: pick the  
> log entry
> as-is, and snap it into sshguard run with -d. This takes few seconds  
> and both
> confirms whether the entry should be recognized, and if not shows why  
> with
> descriptive output.
> 
> Can you do this and, if failed, send in the precise log entry that  
> fails to be reported?
> 
> 
> On Mar 26, 2009, at 17:10 , Greg Parrish wrote:
> 
>> Greg Parrish wrote:
>>> Mij wrote:
>>>> As SimCList is used for recording those, there is no such limit by
>>>> design.
>>> Okay that is good to know. I check on another host we have  
>>> elsewhere and
>>> it has 72 entries in the table so it is not seeing this limit.
>>>
>>>> What evidence makes you think that (nothing logged, errors or else)?
>>> As mentioned there are entries showing in Logwatch for multiple  
>>> logins
>>> on valid user names that are not being prevented after 2 failed  
>>> logins.
>>> For example today:
>>>
>>>   ftp/password from 219.94.152.55: 7 Time(s)
>>>
>>> Once I noticed this I logged in from a remote location with an  
>>> invalid
>>> password and it does not initiate a block from my IP address. For  
>>> example:
>>>
>>> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from
>>> 129.90.96.101 port 12156 ssh2
>>> Mar 17 08:07:13 arnold last message repeated 2 times
>>> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from
>>> 129.90.96.101 port 12186 ssh2
>>> Mar 17 08:07:23 arnold last message repeated 2 times
>>> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>>
>>>
>>>> Run sshguard in interactive mode (add -d) and paste attack lines
>>>> repeatedly, change address once one has been blocked, and please  
>>>> report what happens
>>>> at the 17th time.
>>> I botched it. I used the init script to take it down and it cleared  
>>> the
>>> iptables DROP list in the sshguard chain. I do have the new logging
>>> where this same IP is now blocked:
>>>
>>>
>>> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from
>>> 129.90.96.101 port 12353 ssh2
>>> Mar 17 08:11:33 arnold last message repeated 2 times
>>> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from
>>> 129.90.96.101 port 12362 ssh2
>>> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2
>>> failures over 10 seconds.
>>>
>>>
>>> Once I get back to this point I will kill the process and initiate it
>>> with the -d option and report back.
>>>
>>> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
>>>
>>> -greg
>>>
>>>
>>>
>>>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am using the following parameters for sshguard (v1.3). I know  
>>>>> the -p
>>>>> is huge and we dont mind blacklisting intruders for long periods. I
>>>>> noticed today in logwatch and from further testing that once we  
>>>>> reach
>>>>> about 16 entries in the accumulated list for iptables that no  
>>>>> further
>>>>> entries are being accepted.
>>>>>
>>>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/
>>>>> sshguard.whitelist
>>>>>
>>>>> Please review and let me know if you need more information or logs.
>>>>> I am
>>>>> wondering if there is a limit somewhere in the binary or if this  
>>>>> is by
>>>>> design.
>>>>>
>>>>> Thanks,
>>>>> greg
>>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)  
>>> are
>>> powering Web 2.0 with engaging, cross-platform capabilities.  
>>> Quickly and
>>> easily build your RIAs with Flex Builder, the Eclipse(TM)based  
>>> development
>>> software that enables intelligent coding and step-through debugging.
>>> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> Okay I have ran into this problem again. This time we have 12  
>> entries in
>> the drop table, last time was 16. Logwatch shows multiple root login
>> attempts from the same IP which does not happen when this is working.
>>
>> I ran the command with the -d option but I get no output. I tried
>> connecting to the host 7 times, with 3 failed logins each and nothing,
>> so of what I am seeing otherwise.
>>
>> /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
>> /etc/sshguard.whitelist
>>
>>
>> SSH Guard Server Log from CLI:
>>
>> [hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
>> /etc/sshguard.whitelist
>> whitelist: add '192.168.122.234' as plain IPv4.
>> whitelist: add plain ip 192.168.122.234.
>> whitelist: add '127.0.0.1' as plain IPv4.
>> whitelist: add plain ip 127.0.0.1.
>> Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.
>>
>> -greg
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> 
> 
> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and 
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today. 
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users