From: Mij <mi...@bi...> - 2009-07-30 21:19:10
Hi Tobi, please have a look at the current head.

On Jul 29, 2009, at 14:00 , Tobias Lott wrote:

> Thanks for looking into it, I've submitted both like suggested.
>
> Hope it really got submitted, since I only got a blank site response;
> maybe a lil response like "Input submitted" would help to be sure that
> you guys really got the needed information.
>
> On Fri, 24 Jul 2009 11:00:01 +0200
> Mij <mi...@bi...> wrote:
>
>> This is an exemplar post -- precise description of the problem,
>> validation wrt the SVN version, and supply of the necessary data.
>>
>> Yes, please submit to
>> http://sshguard.sourceforge.net/newattackpatt.php
>>
>> We periodically use that for new inclusions and fixes or updates of
>> the patterns. Posting to the ml may give some more highlight, but the
>> reference source for us is that one.
>>
>> We'll have a look before releasing 1.4.
>>
>>
>> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
>>
>>> Hi
>>>
>>> I'm using sshguard for more than a year now, worked without a
>>> problem. But lately I've noticed a lot of proftpd and dovecot
>>> bruteforces not getting blocked.
>>>
>>> I've checked if sshguard gets the correct log information with tee,
>>> tried FreeBSD Port (1.3
>>> http://www.freshports.org/security/sshguard-pf/) and latest svn
>>> (revision 121), both with the same result.
>>>
>>>
>>> dovecot log:
>>> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth
>>> failed, 2 attempts): user=<lala@lala>, method=PLAIN,
>>> rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
>>>
>>>
>>> proftpd log:
>>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname
>>> (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no
>>> such user found from client_hostname [::ffff:XX.XX.XX.XX]
>>> to ::ffff:XX.XX.XX.XX:21
>>>
>>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname
>>> (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login
>>> failed): Limit access denies login
>>>
>>>
>>> syslog.conf:
>>> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee
>>> -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
>>>
>>> Debug Output:
>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname
>>> (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no
>>> such user found from client_hostname [::ffff:XX.XX.XX.XX]
>>> to ::ffff:XX.XX.XX.XX:21
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 144 ("server_hostname (client_hostname[")
>>> Next token is token PROFTPD_LOGINERR_PREF ()
>>> Shifting token PROFTPD_LOGINERR_PREF ()
>>> Entering state 15
>>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
>>> Next token is token IPv6 ()
>>> Shifting token IPv6 ()
>>> Entering state 39
>>> Reducing stack by rule 17 (line 111):
>>>    $1 = token IPv6 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 1 15
>>> Entering state 52
>>> Reading a token: --accepting rule at line 176 (".")
>>> Next token is token $undefined ()
>>> Error: popping nterm addr ()
>>> Stack now 0 1 15
>>> Error: popping token PROFTPD_LOGINERR_PREF ()
>>> Stack now 0 1
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token $undefined ()
>>> Stack now 0
>>>
>>>
>>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname
>>> (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login
>>> failed): Limit access denies login
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 144 ("server_hostname (client_hostname[")
>>> Next token is token PROFTPD_LOGINERR_PREF ()
>>> Shifting token PROFTPD_LOGINERR_PREF ()
>>> Entering state 15
>>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
>>> Next token is token IPv6 ()
>>> Shifting token IPv6 ()
>>> Entering state 39
>>> Reducing stack by rule 17 (line 111):
>>>    $1 = token IPv6 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 1 15
>>> Entering state 52
>>> Reading a token: --accepting rule at line 176 (".")
>>> Next token is token $undefined ()
>>> Error: popping nterm addr ()
>>> Stack now 0 1 15
>>> Error: popping token PROFTPD_LOGINERR_PREF ()
>>> Stack now 0 1
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token $undefined ()
>>> Stack now 0
>>> </proftpd>
>>>
>>> <dovecot>
>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed,
>>> 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190,
>>> lip=87.230.101.86
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
>>> Next token is token SYSLOG_BANNER ()
>>> Shifting token SYSLOG_BANNER ()
>>> Entering state 2
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
>>> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Entering state 11
>>> Reading a token: --(end of buffer or a NUL)
>>> --accepting rule at line 157 ("87.230.101.86")
>>> Next token is token IPv4 ()
>>> Shifting token IPv4 ()
>>> Entering state 38
>>> Reducing stack by rule 16 (line 107):
>>>    $1 = token IPv4 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 2 11
>>> Entering state 48
>>> Reading a token: --(end of buffer or a NUL)
>>> --accepting rule at line 173 ("
>>> ")
>>> --(end of buffer or a NUL)
>>> --EOF (start condition 4)
>>> Now at end of input.
>>> Error: popping nterm addr ()
>>> Stack now 0 2 11
>>> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Stack now 0 2
>>> Error: popping token SYSLOG_BANNER ()
>>> Stack now 0
>>> Stack now 0
>>>
>>>
>>> Should I post the syslog messages via newattackpatt?
>>> Or is this another problem?
>>>
>>> Greetings
>>>
>>> --
>>> Tobias Lott
>>>
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> --
> Tobias Lott
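Added example, not sshguard's code: a small Python parser for the two log formats in the thread that handles the two things the debug traces above show breaking the sshguard grammar, the IPv4-mapped IPv6 client address in the proftpd line (the `IPv6` rule consumed only `::ffff:XX` and the following `.` was `$undefined`) and the trailing space/newline after the dovecot line (the `DOVECOT_IMAP_LOGINERR_PREF` token ran through `lip=`, so the address captured was the local one and the whitespace token then failed the parse). The sample log lines are constructed with documentation-range addresses, and the regexes, function names and per-address counting are my own assumptions about how a detector would use this.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the proftpd and dovecot formats quoted
# in the thread; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 23 00:38:26 srv proftpd[67341]: srv (client.example[::ffff:192.0.2.10]) - USER nouser: no such user found from client.example [::ffff:192.0.2.10] to ::ffff:198.51.100.5:21
Jul 23 00:39:37 srv proftpd[69967]: srv (client.example[::ffff:192.0.2.10]) - USER mysql (Login failed): Limit access denies login
Jul 23 01:22:51 srv dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5  
Jul 23 01:23:00 srv dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.78, lip=198.51.100.5
"""
# proftpd: the client address sits in "host[addr]" and may be an IPv4-mapped
# IPv6 literal (::ffff:a.b.c.d), which is where the sshguard lexer stopped.
PROFTPD_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \(\S+?\[(?P<addr>[^\]]+)\]\) - USER (?P<user>\S+?)"
    r"[:\s].*?(?:no such user found|Login failed)")
# dovecot: take the remote address from rip= and stop there, so lip=,
# trailing spaces or the newline cannot affect the match.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, (?P<tries>\d+) "
    r"attempts\): user=<(?P<user>[^>]*)>.*?rip=(?P<addr>[^,\s]+)")

def normalize_addr(text):
    """Canonical address string; unwraps ::ffff:a.b.c.d to plain a.b.c.d."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)

def parse_auth_failure(line):
    """Return service/addr/user/tries for a failed-login line, else None."""
    line = line.rstrip()  # trailing whitespace or newline must not break parsing
    m = PROFTPD_RE.search(line)
    if m:
        return {"service": "proftpd", "addr": normalize_addr(m["addr"]),
                "user": m["user"], "tries": 1}
    m = DOVECOT_RE.search(line)
    if m:
        return {"service": "dovecot", "addr": normalize_addr(m["addr"]),
                "user": m["user"], "tries": int(m["tries"])}
    return None

def failures_by_addr(log_text):
    """Failed attempts per normalized client address (what a block threshold such as -a applies to)."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_auth_failure(line)
        if hit:
            counts[hit["addr"]] += hit["tries"]
    return dict(counts)
```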