From: Mij <mi...@ss...> - 2009-09-27 11:45:13
As I see it, the corresponding rule in the parser is made for hostnames instead of raw addresses. Some of us will modify it to catch raw addresses in the next days; keep an eye on the SVN if you care.

Btw, out of curiosity: is that raw IP the result of a missing PTR (see "dig +short -x <client.ip>"), or can you configure ProFTPD to not reverse look-up client addresses? In the latter case, is that the default on OpenSUSE?

Thanks for reporting.

On Sep 24, 2009, at 10:19 , Art Salihu wrote:

> Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine
> scanning sshd. I've recently installed proftpd 1.3.2a and would
> like to configure sshguard to scan for proftpd log entries.
>
> I have proftpd set to default syslog. Here are my configurations.
>
> /etc/syslog-ng/syslog-ng.conf
> filter sshlogs { facility(auth, authpriv) and match("sshd"); };
> #filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
> destination sshguardproc {
>   program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
> };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
> log { source(src); filter(f_proftpd); destination(sshguardproc); };
>
> The log format shows up as
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip [client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
>
> If pasted into a debug session of sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip [client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 162 ("server.ip")
> Next token is token IPv4 ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token IPv4 ()
> Stack now 0
>
>
> Any advice on what I'm doing wrong?
>
> Thanks!
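To illustrate the parser point Mij makes above, here is an added example (not sshguard's code and not from either poster) of a matcher for the ProFTPD "no such user found" line that accepts both the hostname form and the raw-IP form Art hit, then counts failures per client address. The log lines are constructed in the format quoted in the thread, the addresses are from documentation ranges, and the failure threshold of 4 is an assumption, not sshguard's setting.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines modelled on the ProFTPD "no such user found" format
# quoted in the thread. Addresses are from documentation ranges, not real hosts.
# Lines 0-3: client with no PTR record, so ProFTPD logs the raw IP twice.
# Line 4:   client whose address resolved, so a hostname appears in front of the IP.
# Line 5:   an unrelated sshd line that must not match.
SAMPLE_LINES = [
    "Sep 24 02:01:59 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER asdfasdfasf: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:03 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER admin: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:07 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER test: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:11 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER ftp: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:31 srvtwc proftpd[9683]: ftp.example.net (host.example.org[203.0.113.5]) - USER bob: no such user found from host.example.org [203.0.113.5] to ftp.example.net:21",
    "Sep 24 02:03:00 srvtwc sshd[1234]: Accepted publickey for alice from 203.0.113.9 port 51234 ssh2",
]

# A hostname-or-address token. A rule written for hostnames only rejects a
# dotted quad in this slot (the failure seen in the thread); this class accepts
# both. The bracketed field beside it is always the address, so that is the
# one we extract and validate.
HOST_OR_IP = r"[A-Za-z0-9.-]+"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

PROFTPD_NO_SUCH_USER = re.compile(
    r"proftpd\[\d+\]: "
    rf"(?P<server>{HOST_OR_IP}) "
    rf"\((?P<client_host>{HOST_OR_IP})\s*\[(?P<client_ip>{IPV4})\]\) - "
    r"USER (?P<user>\S+): no such user found from "
    rf"(?P=client_host)\s*\[(?P=client_ip)\] to (?P=server):\d+"
)


def parse_proftpd_failed_login(line):
    """Return the fields of a ProFTPD 'no such user found' line, or None."""
    m = PROFTPD_NO_SUCH_USER.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("client_ip"))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    client_host = m.group("client_host")
    return {
        "client_ip": str(ip),
        "client_host": client_host,
        "user": m.group("user"),
        # True when ProFTPD had no name for the client (missing PTR or reverse
        # lookups disabled): the hostname slot just repeats the address.
        "raw_ip": client_host == str(ip),
    }


def count_failures(lines):
    """Count 'no such user' failures per client address across a batch of lines."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_proftpd_failed_login(line)
        if rec is not None:
            counts[rec["client_ip"]] += 1
    return dict(counts)


def offenders(lines, threshold=4):
    """Addresses at or over the failure threshold (4 is an assumed value)."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_proftpd_failed_login(line))
    print("offenders:", offenders(SAMPLE_LINES))
```

Run it with `python3 proftpd_parse.py`; the `raw_ip` flag answers Mij's PTR question for each line, since a client with no reverse name shows the same address in both slots. Counting is deliberately separate from matching so the same parser can feed whatever blocking or alerting policy a site uses.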