From: Art S. <art...@gm...> - 2009-09-27 22:58:26

Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine scanning sshd. I've recently installed proftpd 1.3.2a and would like to configure sshguard to scan for proftpd log entries. I have proftpd set to default syslog. Here are my configurations.

/etc/syslog-ng/syslog-ng.conf:

    filter sshlogs { facility(auth, authpriv) and match("sshd"); };
    #filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
    destination sshguardproc { program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n")); };
    log { source(src); filter(sshlogs); destination(sshguardproc); };
    log { source(src); filter(f_proftpd); destination(sshguardproc); };

The log format shows up as:

    Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21

If pasted into a debug session of sshguard:

    Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
    Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 180 (" ")
    --accepting rule at line 162 ("server.ip")
    Next token is token IPv4 ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token IPv4 ()
    Stack now 0

Any advice on what I'm doing wrong? Thanks!

Re: [Sshguard-users] how to configure sshguard for proftpd? <http://sourceforge.net/mailarchive/message.php?msg_name=1ADA3E05-1ABC-4847-808F-DD8F68A46BC3%40sshguard.net>
From: Mij <mij@ss...> - 2009-09-27 11:45

> As I see it, the corresponding rule in the parser is made for
> hostnames instead of raw addresses.
> Some of us will modify it to catch raw addresses in the next days,
> keep an eye on the SVN if you care.
>
> Btw, out of curiosity: is that raw ip resulting from a missing PTR
> (see "dig +short -x <client.ip>") or
> you can configure ProFTP to not reverse look-up client addresses? In
> the latter case, is that the default
> on OpenSusy?
> thanks for reporting

The raw IP results from the option UseReverseDNS being set to OFF in proftpd.conf. It is not the default in OpenSuSE; I just happened to turn it off. I resolved my issue by doing some testing in debug and taking a look at attack_scanner.l. It didn't like the hostname srvtwc; I found that /etc/hosts had been misconfigured, and after I set it with the FQDN (srvtwc.xxx.xxx), scanning was working properly. Both with UseReverseDNS on and off, everything works fine. When the ban occurs with UseReverseDNS set to off, it still adds the host to iptables instead of the raw IP, but like you said, you guys are working on that part.

Regards,
Art
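The proftpd "no such user found" line quoted in the thread, parsed by a small failed-login counter that accepts a bare hostname, an FQDN or a raw IPv4 address in the syslog host field (the case the thread says the sshguard 1.4 lexer rejected). This is an added example, not sshguard's or ProFTPD's code; the sample log lines are constructed with RFC 5737 documentation addresses in place of server.ip / client.ip, and the 4-failures-within-1200-seconds rule reuses the a and s numbers from the debug banner under an assumed meaning.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the proftpd "no such user found" line quoted in the thread. The
# syslog host field accepts a bare hostname, an FQDN or a raw IPv4 address,
# the form the thread reports the sshguard 1.4 lexer rejecting.
PROFTPD_NO_SUCH_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>[\w.-]+) "
    r"proftpd\[(?P<pid>\d+)\]: (?P<server>\S+) "
    r"\((?P<client>[^\[]+)\[(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - "
    r"USER (?P<user>[^:]+): no such user found from .+ to \S+:(?P<port>\d+)$"
)

def parse_line(line):
    """Fields of one proftpd failed-login line, or None for any other line."""
    m = PROFTPD_NO_SUCH_USER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # syslog stamps carry no year; strptime fills in 1900, fine for differences
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec

def find_abusers(lines, abuse_threshold=4, stale_seconds=1200):
    """Client IPs with >= abuse_threshold failures inside a stale_seconds window
    (defaults reuse the a and s numbers from the debug banner; meaning assumed)."""
    recent = defaultdict(list)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a proftpd failed login (e.g. an sshd line)
        ip, now = rec["client_ip"], rec["time"]
        recent[ip] = [t for t in recent[ip] if (now - t).total_seconds() <= stale_seconds]
        recent[ip].append(now)
        if len(recent[ip]) >= abuse_threshold:
            flagged.add(ip)
    return flagged

# Constructed sample log modelled on the quoted line; RFC 5737 documentation
# addresses stand in for the thread's server.ip / client.ip placeholders.
SAMPLE_LOG = [
    "Sep 24 02:01:59 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER asdfasdfasf: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:03 192.0.2.10 proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER admin: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:08 srvtwc.example.org proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER test: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:11 srvtwc proftpd[9690]: 192.0.2.10 (ftp.example.net[203.0.113.5]) - USER bob: no such user found from ftp.example.net [203.0.113.5] to 192.0.2.10:21",
    "Sep 24 02:02:15 srvtwc proftpd[9682]: 192.0.2.10 (198.51.100.7[198.51.100.7]) - USER guest: no such user found from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "Sep 24 02:02:20 srvtwc sshd[1234]: Accepted publickey for art from 203.0.113.9 port 50000 ssh2",
]
```

Running `find_abusers(SAMPLE_LOG)` flags only 198.51.100.7; the second sample line shows the raw-IP host field that tripped the original parser being accepted here.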