From: Andreas S. <and...@na...> - 2010-01-13 21:52:37
1.0 is the one marked as stable for me right now... :-/
This is what I get in the auth-log, apparently it looks quite like
your example, and I tried from different hosts so they won't get
suppressed as duplicates...
But still the same debug output!
Jan 13 21:56:57 sdb sshd[16629]: Accepted keyboard-interactive/pam for
root from 192.168.0.196 port 35271 ssh2
Jan 13 21:56:57 sdb sshd[16629]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Jan 13 23:12:20 sdb sshd[31245]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
user=root
Jan 13 23:12:22 sdb sshd[31225]: error: PAM: Authentication failure
for root from 192.168.0.3
Jan 13 23:12:28 sdb sshd[31624]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
user=root
Jan 13 23:12:30 sdb sshd[31225]: error: PAM: Authentication failure
for root from 192.168.0.3
Jan 13 23:12:55 sdb sshd[3565]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
user=root
Jan 13 23:12:57 sdb sshd[3553]: error: PAM: Authentication failure for
root from 192.168.0.1
Jan 13 23:12:58 sdb sshd[3948]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
user=root
Jan 13 23:13:00 sdb sshd[3553]: error: PAM: Authentication failure for
root from 192.168.0.1
Oh, it doesn't crash via syslogger... I was just a bit confused by
all those debug messages! ;-)
Thanks so far!
Andreas
Quoting Mij <mi...@ss...>:
> Hi Andreas,
>
> 1.0 is older than me, so old that it's even antecedent to the
> current repository :)
>
> My best record is that the log message you are trying was removed as
> redundant. I.e., when the authentication failure occurs, there is another
> message generated that gets detected.
>
> Looking through the attack submission database, I find this example:
> Jan 28 18:36:57 hostname sshd[11616]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=mail.host.cn
> Jan 28 18:36:58 hostname sshd[11616]: Failed password for invalid
> user username from 1.2.3.4 port 43065 ssh2
>
> Intuitively, the first message is generated by the PAM module performing the
> concrete auth lookup, and the second is generated by sshd itself when pam
> returns the failure to its caller.
> Of course, feel free to bitch back here if your logs say anything different.
>
> I assume that by "crash" you mean that the pattern is not recognized. The
> output you paste is totally standard when a message is not recognized.
>
>
> On Jan 13, 2010, at 13:37 , Andreas Schuerch wrote:
>
>> Hi,
>>
>> I get an error with sshguard and syslog-ng on Gentoo.
>> Version 1.0 works without problems, but versions 1.4 and 1.5beta2
>> just seem to crash when invoked directly from the syslogger!
>> If I start them via "tail -n0 -F /var/log/auth.log | tee -a
>> /dev/stderr | env SSHGUARD_DEBUG="" /usr/sbin/sshguard" I get the
>> following output:
>>
>> Run command "iptables -L": exited 0.
>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>> Jan 13 14:10:22 sdb sshd[21506]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
>> user=root
>> Starting parse
>> Entering state 0
>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:22 sdb
>> sshd[21506]:")
>> Next token is token SYSLOG_BANNER_PID ()
>> Shifting token SYSLOG_BANNER_PID ()
>> Entering state 1
>> Reading a token: --accepting rule at line 186 (" ")
>> --accepting rule at line 185 ("pam_unix")
>> Next token is token WORD ()
>> Error: popping token SYSLOG_BANNER_PID ()
>> Stack now 0
>> Cleanup: discarding lookahead token WORD ()
>> Stack now 0
>> Jan 13 14:10:24 sdb sshd[21504]: error: PAM: Authentication failure
>> for root from 192.168.0.1
>> Starting parse
>> Entering state 0
>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:24 sdb
>> sshd[21504]:")
>> Next token is token SYSLOG_BANNER_PID ()
>> Shifting token SYSLOG_BANNER_PID ()
>> Entering state 1
>> Reading a token: --accepting rule at line 186 (" ")
>> --accepting rule at line 185 ("error")
>> Next token is token WORD ()
>> Error: popping token SYSLOG_BANNER_PID ()
>> Stack now 0
>> Cleanup: discarding lookahead token WORD ()
>> Stack now 0
>>
>>
>> What could be wrong here!?
>>
>> Thanks in advance,
>> Andreas
>> --------------------------
>> --> NativeMail System <---
>> --------------------------
>>
>>
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
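As an added illustration of the matching Mij describes (this is example code, not sshguard's own parser nor anything posted in the thread): count only sshd's own failure message per source address, treat the pam_unix line as the redundant duplicate of the same event, and apply an abuse threshold and stale window in the spirit of the (a,p,s)=(4, 420, 1200) shown in the debug output. The regexes, the assumed year 2010 for the year-less syslog timestamps, and the one-event-per-line sample log modelled on the quoted lines are all constructed here.

```python
import re
from datetime import datetime

# sshd's own failure line, emitted after PAM returns the failure to it; this is
# the message sshguard matches (either the "error: PAM" or "Failed password" form).
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:error: PAM: Authentication failure for \S+ from (?P<h1>\S+)"
    r"|Failed password for (?:invalid user )?\S+ from (?P<h2>\S+) port \d+ ssh2)$"
)
# The pam_unix line for the same event; recognised only so it can be skipped.
PAM_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=\S+")

def parse_ts(ts, year=2010):
    """Syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def track(lines, threshold=4, stale=1200):
    """Block a source on its `threshold`-th sshd failure, forgetting failures older
    than `stale` seconds (the a and s of sshguard's (a,p,s); p, the release time,
    is not modelled). Returns (blocked hosts in order, pam_unix lines skipped)."""
    seen, blocked, skipped = {}, [], 0
    for line in lines:
        if PAM_FAIL.search(line):
            skipped += 1  # sshd logs the same failure itself; counting both doubles it
            continue
        m = SSHD_FAIL.match(line)
        if not m:
            continue  # accepted logins, session lines etc. are not attacks
        host, now = m.group("h1") or m.group("h2"), parse_ts(m.group("ts"))
        hits = [t for t in seen.get(host, []) if now - t <= stale] + [now]
        seen[host] = hits
        if len(hits) >= threshold and host not in blocked:
            blocked.append(host)
    return blocked, skipped

# Constructed sample, modelled on the lines quoted in this thread (one event per line).
SAMPLE_LOG = [
    "Jan 13 21:56:57 sdb sshd[16629]: Accepted keyboard-interactive/pam for root from 192.168.0.196 port 35271 ssh2",
    "Jan 13 23:12:20 sdb sshd[31245]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root",
    "Jan 13 23:12:22 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3",
    "Jan 13 23:12:28 sdb sshd[31624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root",
    "Jan 13 23:12:30 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3",
    "Jan 13 23:12:40 sdb sshd[31225]: Failed password for invalid user admin from 192.168.0.3 port 40000 ssh2",
    "Jan 13 23:12:50 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3",
    "Jan 13 23:12:55 sdb sshd[3565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root",
    "Jan 13 23:12:57 sdb sshd[3553]: error: PAM: Authentication failure for root from 192.168.0.1",
    "Jan 13 23:40:00 sdb sshd[4001]: error: PAM: Authentication failure for root from 192.168.0.1",
]
```

Running `track(SAMPLE_LOG)` blocks only 192.168.0.3 (its fourth sshd failure) and reports three skipped pam_unix lines; 192.168.0.1's two failures are more than 1200 s apart, so the first is stale by the time the second arrives.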