From: Mij <mi...@bi...> - 2009-07-24 09:00:17
This is an exemplar post -- precise description of the problem, validation wrt the SVN version, and supply of the necessary data.

Yes, please submit to http://sshguard.sourceforge.net/newattackpatt.php
We periodically use that for new inclusions and fixes or updates of the patterns. Posting to the ml may give some more highlight, but the reference source for us is that one.

We'll have a look before releasing 1.4.

On Jul 23, 2009, at 01:33 , Tobias Lott wrote:

> Hi
>
> I'm using sshguard for more than a year now, worked without a
> problem. But lately I've noticed a lot of proftpd and dovecot
> bruteforces not getting blocked.
>
> I've checked if sshguard gets the correct log information with tee,
> tried FreeBSD Port (1.3 http://www.freshports.org/security/sshguard-pf/)
> and latest svn (revision 121) both with the same result.
>
>
> dovecot log:
> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth
> failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC,
> lip=SS.SS.SS.SS
>
>
> proftpd log:
> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname
> (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no
> such user found from client_hostname [::ffff:XX.XX.XX.XX]
> to ::ffff:XX.XX.XX.XX:21
>
> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname
> (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login
> failed): Limit access denies login
>
>
> syslog.conf:
> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee
> -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
>
> Debug Output:
> <proftpd>
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname
> (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no
> such user found from client_hostname [::ffff:XX.XX.XX.XX]
> to ::ffff:XX.XX.XX.XX:21
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 144 ("server_hostname (client_hostname[")
> Next token is token PROFTPD_LOGINERR_PREF ()
> Shifting token PROFTPD_LOGINERR_PREF ()
> Entering state 15
> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> Next token is token IPv6 ()
> Shifting token IPv6 ()
> Entering state 39
> Reducing stack by rule 17 (line 111):
>    $1 = token IPv6 ()
> -> $$ = nterm addr ()
> Stack now 0 1 15
> Entering state 52
> Reading a token: --accepting rule at line 176 (".")
> Next token is token $undefined ()
> Error: popping nterm addr ()
> Stack now 0 1 15
> Error: popping token PROFTPD_LOGINERR_PREF ()
> Stack now 0 1
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token $undefined ()
> Stack now 0
>
>
> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname
> (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login
> failed): Limit access denies login
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 144 ("server_hostname (client_hostname[")
> Next token is token PROFTPD_LOGINERR_PREF ()
> Shifting token PROFTPD_LOGINERR_PREF ()
> Entering state 15
> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> Next token is token IPv6 ()
> Shifting token IPv6 ()
> Entering state 39
> Reducing stack by rule 17 (line 111):
>    $1 = token IPv6 ()
> -> $$ = nterm addr ()
> Stack now 0 1 15
> Entering state 52
> Reading a token: --accepting rule at line 176 (".")
> Next token is token $undefined ()
> Error: popping nterm addr ()
> Stack now 0 1 15
> Error: popping token PROFTPD_LOGINERR_PREF ()
> Stack now 0 1
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token $undefined ()
> Stack now 0
> </proftpd>
>
> <dovecot>
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed,
> 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190,
> lip=87.230.101.86
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> Next token is token SYSLOG_BANNER ()
> Shifting token SYSLOG_BANNER ()
> Entering state 2
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> Entering state 11
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 157 ("87.230.101.86")
> Next token is token IPv4 ()
> Shifting token IPv4 ()
> Entering state 38
> Reducing stack by rule 16 (line 107):
>    $1 = token IPv4 ()
> -> $$ = nterm addr ()
> Stack now 0 2 11
> Entering state 48
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 173 ("
> ")
> --(end of buffer or a NUL)
> --EOF (start condition 4)
> Now at end of input.
> Error: popping nterm addr ()
> Stack now 0 2 11
> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> Stack now 0 2
> Error: popping token SYSLOG_BANNER ()
> Stack now 0
> Stack now 0
> </dovecot>
>
>
> Should I post the syslog messages via newattackpatt?
> Or is this another problem?
>
> Greetings
>
> --
> Tobias Lott
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
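As an added example (my own code, not sshguard's patterns and not from the original thread), a small Python extractor for the two log formats quoted above: it takes the remote address from the `rip=` field rather than the trailing `lip=` the dovecot trace ended on, and unwraps the IPv4-mapped `::ffff:a.b.c.d` literal on which sshguard's IPv6 rule stopped short. Hostnames, PIDs and addresses in the samples are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the two formats quoted in the thread;
# hostnames and addresses are documentation placeholders, not real hosts.
SAMPLE_LINES = [
    "Jul 23 01:22:51 mailhost dovecot: imap-login: Aborted login "
    "(auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, "
    "rip=192.0.2.10, lip=198.51.100.5",
    "Jul 23 00:38:26 ftphost proftpd[67341]: ftphost "
    "(client.example[::ffff:192.0.2.20]) - USER nouser: no such user "
    "found from client.example [::ffff:192.0.2.20] to ::ffff:198.51.100.5:21",
    "Jul 23 00:39:37 ftphost proftpd[69967]: ftphost "
    "(client.example[::ffff:192.0.2.20]) - USER mysql (Login failed): "
    "Limit access denies login",
]

# dovecot: capture the remote address (rip=), never the local lip= field.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed.*?\): "
    r".*?\brip=(?P<addr>[0-9a-fA-F.:]+)"
)
# proftpd: the client address sits inside client_hostname[...] in the prefix.
PROFTPD_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \(\S+\[(?P<addr>[0-9a-fA-F.:]+)\]\) - USER "
    r"[^\s:]+(?:: no such user found| \(Login failed\))"
)

def normalize_addr(raw):
    """Parse an address literal; IPv4-mapped IPv6 (::ffff:a.b.c.d) becomes a.b.c.d."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None  # reject junk rather than blocking on a malformed literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def attacker_from_line(line):
    """Return the normalized remote address of a failed login, or None."""
    for pattern in (DOVECOT_RE, PROFTPD_RE):
        m = pattern.search(line)
        if m:
            return normalize_addr(m.group("addr"))
    return None

def failed_logins(lines):
    """Count failed logins per remote address, what a blocker would threshold on."""
    return Counter(a for a in map(attacker_from_line, lines) if a is not None)
```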