From: Tobias L. <tl...@ga...> - 2009-07-31 00:57:38
Dovecot looks fine:

Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.

# pfctl -t sshguard -T show
   CC.CC.CC.CC

Proftpd doesn't look that fine:

Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.

# pfctl -t sshguard -T show
   ::ffff:CC.CC.CC.CC

On Thu, 30 Jul 2009 23:18:51 +0200
Mij <mi...@bi...> wrote:

> Hi Tobi
> 
> please have a look at the current head.
> 
> 
> On Jul 29, 2009, at 14:00 , Tobias Lott wrote:
> 
> > Thanks for looking into it, I've submitted both like suggested.
> > 
> > Hope it really got submitted, since I only got a blank site
> > response, maybe a little response like "Input submitted" would help to
> > be sure that you guys really got the needed information.
> > 
> > On Fri, 24 Jul 2009 11:00:01 +0200
> > Mij <mi...@bi...> wrote:
> > 
> >> This is an exemplar post -- precise description of the problem,
> >> validation wrt the SVN version, and supply of the necessary data.
> >> 
> >> Yes, please submit to
> >> http://sshguard.sourceforge.net/newattackpatt.php
> >> 
> >> We periodically use that for new inclusions and fixes or updates of
> >> the patterns. Posting to the ml may give some more highlight, but
> >> the reference source for us is that one.
> >> 
> >> We'll have a look before releasing 1.4.
> >> 
> >> 
> >> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
> >> 
> >>> Hi
> >>> 
> >>> I'm using sshguard for more than a year now, worked without a
> >>> problem. But lately I've noticed a lot of proftpd and dovecot
> >>> bruteforces not getting blocked.
> >>> 
> >>> I've checked if sshguard gets the correct log information with
> >>> tee, tried FreeBSD Port (1.3
> >>> http://www.freshports.org/security/sshguard-pf/) and latest svn
> >>> (revision 121) both with the same result.
> >>> 
> >>> 
> >>> dovecot log:
> >>> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> >>> 
> >>> 
> >>> proftpd log:
> >>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >>> 
> >>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >>> 
> >>> 
> >>> syslog.conf:
> >>> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
> >>> 
> >>> Debug Output:
> >>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> >>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> >>> Next token is token SYSLOG_BANNER_PID ()
> >>> Shifting token SYSLOG_BANNER_PID ()
> >>> Entering state 1
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 144 ("server_hostname (client_hostname[")
> >>> Next token is token PROFTPD_LOGINERR_PREF ()
> >>> Shifting token PROFTPD_LOGINERR_PREF ()
> >>> Entering state 15
> >>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> >>> Next token is token IPv6 ()
> >>> Shifting token IPv6 ()
> >>> Entering state 39
> >>> Reducing stack by rule 17 (line 111):
> >>>    $1 = token IPv6 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 1 15
> >>> Entering state 52
> >>> Reading a token: --accepting rule at line 176 (".")
> >>> Next token is token $undefined ()
> >>> Error: popping nterm addr ()
> >>> Stack now 0 1 15
> >>> Error: popping token PROFTPD_LOGINERR_PREF ()
> >>> Stack now 0 1
> >>> Error: popping token SYSLOG_BANNER_PID ()
> >>> Stack now 0
> >>> Cleanup: discarding lookahead token $undefined ()
> >>> Stack now 0
> >>> 
> >>> 
> >>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> >>> Next token is token SYSLOG_BANNER_PID ()
> >>> Shifting token SYSLOG_BANNER_PID ()
> >>> Entering state 1
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 144 ("server_hostname (client_hostname[")
> >>> Next token is token PROFTPD_LOGINERR_PREF ()
> >>> Shifting token PROFTPD_LOGINERR_PREF ()
> >>> Entering state 15
> >>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> >>> Next token is token IPv6 ()
> >>> Shifting token IPv6 ()
> >>> Entering state 39
> >>> Reducing stack by rule 17 (line 111):
> >>>    $1 = token IPv6 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 1 15
> >>> Entering state 52
> >>> Reading a token: --accepting rule at line 176 (".")
> >>> Next token is token $undefined ()
> >>> Error: popping nterm addr ()
> >>> Stack now 0 1 15
> >>> Error: popping token PROFTPD_LOGINERR_PREF ()
> >>> Stack now 0 1
> >>> Error: popping token SYSLOG_BANNER_PID ()
> >>> Stack now 0
> >>> Cleanup: discarding lookahead token $undefined ()
> >>> Stack now 0
> >>> </proftpd>
> >>> 
> >>> <dovecot>
> >>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> >>> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> >>> Next token is token SYSLOG_BANNER ()
> >>> Shifting token SYSLOG_BANNER ()
> >>> Entering state 2
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> >>> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Entering state 11
> >>> Reading a token: --(end of buffer or a NUL)
> >>> --accepting rule at line 157 ("87.230.101.86")
> >>> Next token is token IPv4 ()
> >>> Shifting token IPv4 ()
> >>> Entering state 38
> >>> Reducing stack by rule 16 (line 107):
> >>>    $1 = token IPv4 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 2 11
> >>> Entering state 48
> >>> Reading a token: --(end of buffer or a NUL)
> >>> --accepting rule at line 173 ("
> >>> ")
> >>> --(end of buffer or a NUL)
> >>> --EOF (start condition 4)
> >>> Now at end of input.
> >>> Error: popping nterm addr ()
> >>> Stack now 0 2 11
> >>> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Stack now 0 2
> >>> Error: popping token SYSLOG_BANNER ()
> >>> Stack now 0
> >>> Stack now 0
> >>> 
> >>> 
> >>> Should I post the syslog messages via newattackpatt?
> >>> Or is this another problem?
> >>> 
> >>> Greetings
> >>> 
> >>> -- Tobias Lott
> >>> 
> >>> ------------------------------------------------------------------------------
> >>> _______________________________________________
> >>> Sshguard-users mailing list
> >>> Ssh...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> > 
> > 
> > -- Tobias Lott

-- Tobias Lott
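A worked example, added by the editor and not code from sshguard or from anyone in this thread. It is a small Python parser run over constructed log lines in the proftpd and dovecot formats quoted above; the hostnames, the documentation-range addresses and the `pfctl_add_command` helper are illustrative assumptions. It does the two things the debug traces show the lexer getting wrong: it takes the remote address (`rip=`) rather than the local `lip=` from dovecot, and it recognises proftpd's IPv4-mapped form `::ffff:a.b.c.d` and folds it back to the IPv4 address, so that what lands in an IPv4 pf table can actually match the client, unlike the `::ffff:CC.CC.CC.CC` entry the second `pfctl -t sshguard -T show` above lists.

```python
import ipaddress
import re

# Constructed sample lines modelled on the proftpd and dovecot formats quoted
# in this thread (addresses are RFC 5737/3849 documentation ranges, not real
# hosts). Line 3 is a plain session line and must not count as a failure.
SAMPLE_LOG = """\
Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:198.51.100.7]) - USER mysql (Login failed): Limit access denies login
Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:198.51.100.7]) - FTP session opened.
Jul 23 00:38:26 hostname proftpd[67341]: hostname (clienthostname[::ffff:198.51.100.7]) - USER nouser: no such user found from clienthostname [::ffff:198.51.100.7] to ::ffff:192.0.2.10:21
Jul 31 03:00:00 hostname proftpd[72200]: hostname (clienthostname[2001:db8::42]) - USER root (Login failed): Limit access denies login
"""

# One pattern per service. Each captures only the *remote* address: for
# dovecot that is the rip= field, never the lip= field that the debug trace
# above shows being consumed as the "attacker".
PATTERNS = [
    ("dovecot", re.compile(
        r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, \d+ attempts\): "
        r".*?\brip=(?P<addr>[0-9a-fA-F.:]+),")),
    ("proftpd", re.compile(
        r"proftpd\[\d+\]: \S+ \([^\s\[]+\[(?P<addr>[0-9a-fA-F.:]+)\]\) - "
        r"USER (?P<user>[^\s:]+)(?:\s\(Login failed\)|: no such user found)")),
]


def normalize_attacker(addr_text):
    """Return (ip_version, canonical_text) for a firewall entry, or None.

    proftpd on a dual-stack socket logs IPv4 clients as ::ffff:a.b.c.d. That
    string is syntactically IPv6, so a naive parser files it under IPv6 and
    the firewall table ends up with an entry that never matches the client's
    IPv4 packets. Fold it back to the embedded IPv4 address instead.
    """
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.version, str(ip))


def parse_failures(log_text):
    """Return [(service, ip_version, address)] for each auth-failure line."""
    found = []
    for line in log_text.splitlines():
        for service, pat in PATTERNS:
            m = pat.search(line)
            if m:
                norm = normalize_attacker(m.group("addr"))
                if norm:
                    found.append((service, norm[0], norm[1]))
                break
    return found


def offenders(log_text, threshold=1):
    """Count failures per (ip_version, address); keep those at/over threshold."""
    counts = {}
    for _service, version, addr in parse_failures(log_text):
        counts[(version, addr)] = counts.get((version, addr), 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}


def pfctl_add_command(version, addr, table="sshguard"):
    """pfctl invocation that would add the address to a pf table (assumed
    helper for illustration; the table name is the one used in the thread).
    The version is carried so an IPv6-only table can be chosen for v6 hits."""
    return "pfctl -t %s -T add %s" % (table, addr)


if __name__ == "__main__":
    for (version, addr), n in sorted(offenders(SAMPLE_LOG).items()):
        print("%d failures from %s (IPv%d): %s"
              % (n, addr, version, pfctl_add_command(version, addr)))
```

The point to check in your own setup is the second `pfctl -T show` output: if the table holds `::ffff:` entries, the block was recorded but the IPv4 client is still not matched, and the fix belongs at the address-normalisation step, not in the pattern that recognises the log line.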