From: Andreas S. <and...@na...> - 2010-01-18 21:12:43
Hi again! :-)

I've found out that it works when a user isn't existent on the system... But it doesn't catch, for example, a root (or other known user) brute force! My guess is that it's because I don't get a third log line (the explanation of why the auth actually failed) when it was just the wrong password... But to be honest, I don't know how that behaviour could be changed!?!?

This example gets blocked:

Jan 18 22:31:12 sdb sshd[29953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jan 18 22:31:14 sdb sshd[29949]: error: PAM: Authentication failure for illegal user bla from 192.168.0.3
Jan 18 22:31:14 sdb sshd[29949]: Failed keyboard-interactive/pam for invalid user bla from 192.168.0.3 port 40559 ssh2

This doesn't:

Jan 18 22:32:26 sdb sshd[29958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.196 user=cron
Jan 18 22:32:28 sdb sshd[29956]: error: PAM: Authentication failure for cron from 192.168.0.196

Any advice would be appreciated! Thanks once more.

Andreas

Quoting Andreas Schuerch <ma...@na...>:

> 1.0 is the one marked as stable for me right now... :-/
>
> This is what I get in the auth log; apparently it looks quite like your example, and I tried from different hosts so they won't get suppressed as duplicates...
> But still the same debug output!
>
> Jan 13 21:56:57 sdb sshd[16629]: Accepted keyboard-interactive/pam for root from 192.168.0.196 port 35271 ssh2
> Jan 13 21:56:57 sdb sshd[16629]: pam_unix(sshd:session): session opened for user root by (uid=0)
> Jan 13 23:12:20 sdb sshd[31245]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root
> Jan 13 23:12:22 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3
> Jan 13 23:12:28 sdb sshd[31624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root
> Jan 13 23:12:30 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3
> Jan 13 23:12:55 sdb sshd[3565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
> Jan 13 23:12:57 sdb sshd[3553]: error: PAM: Authentication failure for root from 192.168.0.1
> Jan 13 23:12:58 sdb sshd[3948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
> Jan 13 23:13:00 sdb sshd[3553]: error: PAM: Authentication failure for root from 192.168.0.1
>
> Oh, it doesn't crash via syslogger... I was just a bit confused by all those debug messages! ;-)
>
> Thanks so far!
>
> Andreas
>
>
> Quoting Mij <mi...@ss...>:
>
>> Hi Andreas,
>>
>> 1.0 is older than me, so old that it's even antecedent to the current repository :)
>>
>> My best record is that the log message you are trying was removed as redundant. I.e., when the authentication failure occurs, there is another message generated that gets detected.
>>
>> Looking through the attack submission database, I find this example:
>> Jan 28 18:36:57 hostname sshd[11616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.host.cn
>> Jan 28 18:36:58 hostname sshd[11616]: Failed password for invalid user username from 1.2.3.4 port 43065 ssh2
>>
>> Intuitively, the first message is generated by the PAM module performing the concrete auth lookup, and the second is generated by sshd itself when PAM returns the failure to its caller.
>> Of course, feel free to bitch back here if your logs say anything different.
>>
>> I assume that by "crash" you mean that the pattern is not recognized. The output you paste is totally standard when a message is not recognized.
>>
>>
>> On Jan 13, 2010, at 13:37 , Andreas Schuerch wrote:
>>
>>> Hi,
>>>
>>> I get an error with sshguard and syslog-ng on Gentoo.
>>> Version 1.0 works without problems, but versions 1.4 and 1.5beta2 just seem to crash when invoked directly from the syslogger!
>>> If I start them via "tail -n0 -F /var/log/auth.log | tee -a /dev/stderr | env SSHGUARD_DEBUG="" /usr/sbin/sshguard" I get the following output:
>>>
>>> Run command "iptables -L": exited 0.
>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>> Jan 13 14:10:22 sdb sshd[21506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:22 sdb sshd[21506]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 186 (" ")
>>> --accepting rule at line 185 ("pam_unix")
>>> Next token is token WORD ()
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token WORD ()
>>> Stack now 0
>>> Jan 13 14:10:24 sdb sshd[21504]: error: PAM: Authentication failure for root from 192.168.0.1
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:24 sdb sshd[21504]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 186 (" ")
>>> --accepting rule at line 185 ("error")
>>> Next token is token WORD ()
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token WORD ()
>>> Stack now 0
>>>
>>>
>>> What could be wrong here!?
>>>
>>> Thanks in advance,
>>> Andreas
>>>
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
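As an added example (not sshguard's code and not from anyone in the thread), here is a small Python detector that recognises all three message shapes quoted above, including the "error: PAM: Authentication failure for <user> from <host>" line that sshguard 1.4 did not match, and coalesces the two or three lines sshd/PAM emit per attempt into one count per source host, so a brute force on an existing account is counted even when no "Failed ... for invalid user" line appears. The sample log is constructed from the thread's Jan 18 lines plus extra attempts; the 3-second coalescing window and the reading of the "a" in (a,p,s)=(4, 420, 1200) as the attempt threshold are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three failed-auth shapes from the thread: pam_unix (no user= for a non-existent account), sshd's "error: PAM:" line, and "Failed <method> for [invalid user] ...".
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PATTERNS = [
    re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<host>\S*)(?: user=(?P<user>\S+))?"),
    re.compile(r"error: PAM: Authentication failure for (?:illegal user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"),
]
WINDOW = timedelta(seconds=3)  # assumption: the lines of one attempt arrive ~2 s apart, as in the thread's logs

def parse_line(line):
    """Return (timestamp, host, user_or_None) for a failed-auth line, else None."""
    m = SYSLOG.match(line)
    for pat in (PATTERNS if m else ()):
        f = pat.search(m.group("msg"))
        if f and f.group("host"):  # skip a blank rhost=
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), f.group("host"), f.group("user")
    return None  # not a failed-auth line (e.g. "Accepted ..." or a session-open message)

def count_attempts(lines):
    """host -> [(first_ts, user)], one entry per attempt rather than per log line."""
    attempts = defaultdict(list)
    for ts, host, user in filter(None, map(parse_line, lines)):
        cur = attempts[host]
        if cur and ts - cur[-1][0] <= WINDOW:  # same attempt: pam_unix and error lines carry different PIDs, so pair by time
            cur[-1] = (cur[-1][0], cur[-1][1] or user)  # a later line may supply the username
        else:
            cur.append((ts, user))
    return dict(attempts)

def offenders(lines, threshold=4):  # 4 = the 'a' in the thread's (a,p,s)=(4, 420, 1200), assumed to be the attempt threshold
    return {h: len(a) for h, a in count_attempts(lines).items() if len(a) >= threshold}

# Constructed sample: the thread's two Jan 18 examples, three more attempts on the existing user "cron", and one accepted login that must not count.
SAMPLE_LOG = """\
Jan 18 22:31:12 sdb sshd[29953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
Jan 18 22:31:14 sdb sshd[29949]: error: PAM: Authentication failure for illegal user bla from 192.168.0.3
Jan 18 22:31:14 sdb sshd[29949]: Failed keyboard-interactive/pam for invalid user bla from 192.168.0.3 port 40559 ssh2
Jan 18 22:32:26 sdb sshd[29958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.196 user=cron
Jan 18 22:32:28 sdb sshd[29956]: error: PAM: Authentication failure for cron from 192.168.0.196
Jan 18 22:32:40 sdb sshd[29961]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.196 user=cron
Jan 18 22:32:42 sdb sshd[29960]: error: PAM: Authentication failure for cron from 192.168.0.196
Jan 18 22:32:55 sdb sshd[29964]: error: PAM: Authentication failure for cron from 192.168.0.196
Jan 18 22:33:10 sdb sshd[29967]: error: PAM: Authentication failure for cron from 192.168.0.196
Jan 18 22:33:30 sdb sshd[29970]: Accepted keyboard-interactive/pam for root from 192.168.0.196 port 35271 ssh2
""".splitlines()

print(offenders(SAMPLE_LOG))  # -> {'192.168.0.196': 4}
```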