From: Tobias L. <tl...@ga...> - 2009-07-29 12:10:03

Thanks for looking into it, I've submitted both as suggested. Hope it really got submitted, since I only got a blank site response; maybe a little response like "Input submitted" would help to be sure that you guys really got the needed information.

On Fri, 24 Jul 2009 11:00:01 +0200 Mij <mi...@bi...> wrote:
> This is an exemplar post -- precise description of the problem, validation wrt the SVN version, and supply of the necessary data.
>
> Yes, please submit to
> http://sshguard.sourceforge.net/newattackpatt.php
>
> We periodically use that for new inclusions and fixes or updates of the patterns. Posting to the ml may give some more highlight, but the reference source for us is that one.
>
> We'll have a look before releasing 1.4.
>
> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
> > Hi
> >
> > I'm using sshguard for more than a year now, worked without a problem. But lately I've noticed a lot of proftpd and dovecot brute-forces not getting blocked.
> >
> > I've checked if sshguard gets the correct log information with tee, tried FreeBSD Port (1.3 http://www.freshports.org/security/sshguard-pf/) and latest svn (revision 121), both with the same result.
> >
> > dovecot log:
> > Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> >
> > proftpd log:
> > Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >
> > Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >
> > syslog.conf:
> > auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
> >
> > Debug Output:
> > <proftpd>
> > Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> > Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 144 ("server_hostname (client_hostname[")
> > Next token is token PROFTPD_LOGINERR_PREF ()
> > Shifting token PROFTPD_LOGINERR_PREF ()
> > Entering state 15
> > Reading a token: --accepting rule at line 159 ("::ffff:XX")
> > Next token is token IPv6 ()
> > Shifting token IPv6 ()
> > Entering state 39
> > Reducing stack by rule 17 (line 111):
> >    $1 = token IPv6 ()
> > -> $$ = nterm addr ()
> > Stack now 0 1 15
> > Entering state 52
> > Reading a token: --accepting rule at line 176 (".")
> > Next token is token $undefined ()
> > Error: popping nterm addr ()
> > Stack now 0 1 15
> > Error: popping token PROFTPD_LOGINERR_PREF ()
> > Stack now 0 1
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token $undefined ()
> > Stack now 0
> >
> > Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 144 ("server_hostname (client_hostname[")
> > Next token is token PROFTPD_LOGINERR_PREF ()
> > Shifting token PROFTPD_LOGINERR_PREF ()
> > Entering state 15
> > Reading a token: --accepting rule at line 159 ("::ffff:XX")
> > Next token is token IPv6 ()
> > Shifting token IPv6 ()
> > Entering state 39
> > Reducing stack by rule 17 (line 111):
> >    $1 = token IPv6 ()
> > -> $$ = nterm addr ()
> > Stack now 0 1 15
> > Entering state 52
> > Reading a token: --accepting rule at line 176 (".")
> > Next token is token $undefined ()
> > Error: popping nterm addr ()
> > Stack now 0 1 15
> > Error: popping token PROFTPD_LOGINERR_PREF ()
> > Stack now 0 1
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token $undefined ()
> > Stack now 0
> > </proftpd>
> >
> > <dovecot>
> > Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> > Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> > Next token is token SYSLOG_BANNER ()
> > Shifting token SYSLOG_BANNER ()
> > Entering state 2
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> > Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> > Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> > Entering state 11
> > Reading a token: --(end of buffer or a NUL)
> > --accepting rule at line 157 ("87.230.101.86")
> > Next token is token IPv4 ()
> > Shifting token IPv4 ()
> > Entering state 38
> > Reducing stack by rule 16 (line 107):
> >    $1 = token IPv4 ()
> > -> $$ = nterm addr ()
> > Stack now 0 2 11
> > Entering state 48
> > Reading a token: --(end of buffer or a NUL)
> > --accepting rule at line 173 ("
> > ")
> > --(end of buffer or a NUL)
> > --EOF (start condition 4)
> > Now at end of input.
> > Error: popping nterm addr ()
> > Stack now 0 2 11
> > Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> > Stack now 0 2
> > Error: popping token SYSLOG_BANNER ()
> > Stack now 0
> > Stack now 0
> > </dovecot>
> >
> > Should I post the syslog messages via newattackpatt?
> > Or is this another problem?
> >
> > Greetings
> >
> > --
> > Tobias Lott
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
Tobias Lott
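Below is an added example (not sshguard's code) of the extraction the thread is asking for: an address token that accepts the IPv4-mapped `::ffff:a.b.c.d` form the trace shows the lexer cutting at the first ".", and a dovecot rule that takes rip= rather than the lip= (the server's own address) that the prefix rule consumed up to. The log lines, addresses, pattern and function names are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the report above (documentation address ranges).
SAMPLE_LOGS = [
    "Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:203.0.113.7])"
    " - USER nouser: no such user found from client_hostname [::ffff:203.0.113.7] to ::ffff:198.51.100.1:21",
    "Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:203.0.113.7])"
    " - USER mysql (Login failed): Limit access denies login",
    "Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts):"
    " user=<lala@lala>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1",
    "Jul 23 01:23:00 server_hostname cron[99]: (root) CMD (/usr/libexec/atrun)",
]

# One address token for plain IPv4, plain IPv6 and IPv4-mapped IPv6 (::ffff:a.b.c.d).
# A lexer whose IPv6 token stops at the first "." is exactly the failure in the trace above.
ADDR = r"(?P<addr>(?:::ffff:)?\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+:[0-9A-Fa-f]+)"

PATTERNS = [
    # proftpd: the offending client is the bracketed address before "- USER".
    re.compile(r"proftpd\[\d+\]: \S+ \([^\s\[\]]+\[" + ADDR
               + r"\]\) - USER \S+ ?(?:\(Login failed\)|: no such user found)"),
    # dovecot: take rip= (remote peer), never lip= (the server's own listening address).
    re.compile(r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, \d+ attempts\): .*?\brip="
               + ADDR + r","),
]


def normalize(addr):
    """Canonical attacker address; IPv4-mapped IPv6 is unwrapped so v4 and mapped hits aggregate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def attacker_from_line(line):
    """Return the remote address of a failed login, or None for lines that are not attacks."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return normalize(m.group("addr"))
    return None


def count_failures(lines):
    """Failed logins per remote address; the caller applies its block threshold (sshguard's -a)."""
    return Counter(a for a in map(attacker_from_line, lines) if a is not None)
```

Running `count_failures(SAMPLE_LOGS)` yields two failures for 203.0.113.7 and one for 203.0.113.9, and the local addresses never appear as block candidates.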