From: Tobias L. <tl...@ga...> - 2009-07-22 23:48:47

Hi,

I'm using sshguard for more than a year now, worked without a problem. But lately I've noticed a lot of proftpd and dovecot brute forces not getting blocked. I've checked if sshguard gets the correct log information with tee, tried the FreeBSD port (1.3, http://www.freshports.org/security/sshguard-pf/) and latest svn (revision 121), both with the same result.

dovecot log:

  Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS

proftpd log:

  Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
  Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login

syslog.conf:

  auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300

Debug output:

<proftpd>
  Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
  Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
  Starting parse
  Entering state 0
  Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
  Next token is token SYSLOG_BANNER_PID ()
  Shifting token SYSLOG_BANNER_PID ()
  Entering state 1
  Reading a token: --accepting rule at line 173 (" ")
  --accepting rule at line 144 ("server_hostname (client_hostname[")
  Next token is token PROFTPD_LOGINERR_PREF ()
  Shifting token PROFTPD_LOGINERR_PREF ()
  Entering state 15
  Reading a token: --accepting rule at line 159 ("::ffff:XX")
  Next token is token IPv6 ()
  Shifting token IPv6 ()
  Entering state 39
  Reducing stack by rule 17 (line 111):
     $1 = token IPv6 ()
  -> $$ = nterm addr ()
  Stack now 0 1 15
  Entering state 52
  Reading a token: --accepting rule at line 176 (".")
  Next token is token $undefined ()
  Error: popping nterm addr ()
  Stack now 0 1 15
  Error: popping token PROFTPD_LOGINERR_PREF ()
  Stack now 0 1
  Error: popping token SYSLOG_BANNER_PID ()
  Stack now 0
  Cleanup: discarding lookahead token $undefined ()
  Stack now 0

  Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
  Starting parse
  Entering state 0
  Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
  Next token is token SYSLOG_BANNER_PID ()
  Shifting token SYSLOG_BANNER_PID ()
  Entering state 1
  Reading a token: --accepting rule at line 173 (" ")
  --accepting rule at line 144 ("server_hostname (client_hostname[")
  Next token is token PROFTPD_LOGINERR_PREF ()
  Shifting token PROFTPD_LOGINERR_PREF ()
  Entering state 15
  Reading a token: --accepting rule at line 159 ("::ffff:XX")
  Next token is token IPv6 ()
  Shifting token IPv6 ()
  Entering state 39
  Reducing stack by rule 17 (line 111):
     $1 = token IPv6 ()
  -> $$ = nterm addr ()
  Stack now 0 1 15
  Entering state 52
  Reading a token: --accepting rule at line 176 (".")
  Next token is token $undefined ()
  Error: popping nterm addr ()
  Stack now 0 1 15
  Error: popping token PROFTPD_LOGINERR_PREF ()
  Stack now 0 1
  Error: popping token SYSLOG_BANNER_PID ()
  Stack now 0
  Cleanup: discarding lookahead token $undefined ()
  Stack now 0
</proftpd>

<dovecot>
  Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
  Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
  Starting parse
  Entering state 0
  Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
  Next token is token SYSLOG_BANNER ()
  Shifting token SYSLOG_BANNER ()
  Entering state 2
  Reading a token: --accepting rule at line 173 (" ")
  --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
  Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
  Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
  Entering state 11
  Reading a token: --(end of buffer or a NUL)
  --accepting rule at line 157 ("87.230.101.86")
  Next token is token IPv4 ()
  Shifting token IPv4 ()
  Entering state 38
  Reducing stack by rule 16 (line 107):
     $1 = token IPv4 ()
  -> $$ = nterm addr ()
  Stack now 0 2 11
  Entering state 48
  Reading a token: --(end of buffer or a NUL)
  --accepting rule at line 173 (" ")
  --(end of buffer or a NUL)
  --EOF (start condition 4)
  Now at end of input.
  Error: popping nterm addr ()
  Stack now 0 2 11
  Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
  Stack now 0 2
  Error: popping token SYSLOG_BANNER ()
  Stack now 0
  Stack now 0
</dovecot>

Should I post the syslog messages via newattackpatt? Or is this another problem?

Greetings
-- Tobias Lott
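The two parser traces quoted in the post show two distinct ways a log-line grammar can miss a brute-force attempt. In the proftpd trace the address rule accepts "::ffff:XX" as an IPv6 token and then sees "." as an undefined token, which is what happens when the IPv6 token rule allows only hex digits and colons and the client address is an IPv4-mapped IPv6 address (::ffff:a.b.c.d). In the dovecot trace the prefix rule runs all the way through "lip=", so the address that reaches the grammar is the server's own lip= address and the line ends before the grammar expects it to. The following Python is an added illustration written for this page, not sshguard's own parser (which is a flex/bison grammar) and not code from the poster: it extracts the remote address from both log formats, unwraps mapped addresses with the standard ipaddress module, and shows what a hex-and-colon-only token rule would leave behind on a mapped address. The sample lines, hostnames and addresses are constructed (RFC 5737 documentation ranges), modelled on the lines quoted above.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the ones quoted in the post.
# Hostnames and addresses are placeholders, not real hosts.
SAMPLE_LINES = [
    "Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname "
    "(client_hostname[::ffff:192.0.2.10]) - USER nouser: no such user found "
    "from client_hostname [::ffff:192.0.2.10] to ::ffff:198.51.100.5:21",
    "Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname "
    "(client_hostname[::ffff:192.0.2.10]) - USER mysql (Login failed): "
    "Limit access denies login",
    "Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login "
    "(auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, "
    "rip=192.0.2.20, lip=198.51.100.5",
    # A successful login: must not be counted as an attack.
    "Jul 23 01:30:00 server_hostname dovecot: imap-login: Login: "
    "user=<bob>, method=PLAIN, rip=192.0.2.30, lip=198.51.100.5",
]

# One address sub-pattern covers plain IPv4, plain IPv6 and IPv4-mapped IPv6.
# Dots are allowed alongside hex digits and colons; the candidate is then
# validated by ipaddress.ip_address(), so junk such as "..." is rejected.
ADDR = r"(?P<addr>[0-9A-Fa-f:.]+)"

# proftpd: the client address is the bracketed one right after the prefix,
# and only the two failure messages from the post count as attempts.
PROFTPD_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \(\S+\[" + ADDR + r"\]\) - USER \S+"
    r"(?:: no such user found| \(Login failed\))"
)

# dovecot: take the rip= (remote) address explicitly, never the lip= one.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, \d+ attempts\): "
    r".*\brip=" + ADDR + r", lip="
)


def normalize(text):
    """Validate a candidate address; unwrap ::ffff:a.b.c.d to plain IPv4.

    Raises ValueError if the text is not an IP address at all.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def attacker_address(line):
    """Return the normalized remote address of a failed login, or None."""
    for pattern in (PROFTPD_RE, DOVECOT_RE):
        match = pattern.search(line)
        if match:
            try:
                return normalize(match.group("addr"))
            except ValueError:
                return None
    return None


def hex_colon_token(text):
    """Mimic an IPv6 token rule that accepts only hex digits and colons.

    Returns (token consumed, remainder). For a mapped address the remainder
    starts with ".", the same character the quoted trace reports as
    "$undefined" right after the IPv6 token.
    """
    match = re.match(r"[0-9A-Fa-f:]+", text)
    if not match:
        return "", text
    return match.group(0), text[match.end():]


def count_failures(lines):
    """Tally failed logins per remote address, the input a blocker would act on."""
    counts = {}
    for line in lines:
        addr = attacker_address(line)
        if addr is not None:
            counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    print(hex_colon_token("::ffff:192.0.2.10"))
    print(count_failures(SAMPLE_LINES))
```

Both proftpd lines and the dovecot failure resolve to their remote (attacker) addresses, the mapped proftpd address comes out as plain 192.0.2.10 so it can be fed to a firewall rule or compared with IPv4 log sources, and the successful dovecot login is ignored.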