From: Mij <mi...@ss...> - 2010-01-21 00:11:54
uhm. Let's nail this down:
Please extract the exact log snippet (= all and only the lines
resulting from the single action) for each of the following cases,
and send in the result
- connect with a non-existing user (ssh non...@ho...)
- connect with a non-allowed user (eg, one in DenyUsers or not in AllowUsers)
- connect with a valid and allowed user, failing the password once
- connect with a valid and allowed user, failing the password all three times
What's your Gentoo & OpenSSH version?
Please do not obfuscate anything other than IP addresses. Feel free to send in
privately.
On Jan 18, 2010, at 22:06 , Andreas Schuerch wrote:
> Hi again! :-)
>
> I've found out that it works when a user doesn't exist on the system...
> But it doesn't catch, for example, a root (or other known user) bruteforce!
>
> My guess is that it's because I don't get a third log line (the
> explanation of why the auth actually failed) when it was just the wrong
> password...
> But to be honest, I don't know how that behavior could be changed!?!?
>
>
> This example gets blocked:
> Jan 18 22:31:12 sdb sshd[29953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3
> Jan 18 22:31:14 sdb sshd[29949]: error: PAM: Authentication failure for illegal user bla from 192.168.0.3
> Jan 18 22:31:14 sdb sshd[29949]: Failed keyboard-interactive/pam for invalid user bla from 192.168.0.3 port 40559 ssh2
>
> This doesn't:
> Jan 18 22:32:26 sdb sshd[29958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.196 user=cron
> Jan 18 22:32:28 sdb sshd[29956]: error: PAM: Authentication failure for cron from 192.168.0.196
>
> Any advice would be appreciated!
>
> Thanks once more.
>
> Andreas
>
>
> Quoting Andreas Schuerch <ma...@na...>:
>
>> 1.0 is the one marked as stable for me right now... :-/
>>
>> This is what I get in the auth log; apparently it looks quite like
>> your example, and I tried from different hosts so they won't get
>> suppressed as duplicates...
>> But still the same debug output!
>>
>> Jan 13 21:56:57 sdb sshd[16629]: Accepted keyboard-interactive/pam for root from 192.168.0.196 port 35271 ssh2
>> Jan 13 21:56:57 sdb sshd[16629]: pam_unix(sshd:session): session opened for user root by (uid=0)
>> Jan 13 23:12:20 sdb sshd[31245]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root
>> Jan 13 23:12:22 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3
>> Jan 13 23:12:28 sdb sshd[31624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3 user=root
>> Jan 13 23:12:30 sdb sshd[31225]: error: PAM: Authentication failure for root from 192.168.0.3
>> Jan 13 23:12:55 sdb sshd[3565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
>> Jan 13 23:12:57 sdb sshd[3553]: error: PAM: Authentication failure for root from 192.168.0.1
>> Jan 13 23:12:58 sdb sshd[3948]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
>> Jan 13 23:13:00 sdb sshd[3553]: error: PAM: Authentication failure for root from 192.168.0.1
>>
>> Oh, it doesn't crash via the syslogger... I was just a bit confused by
>> all those debug messages! ;-)
>>
>> Thanks so far!
>>
>> Andreas
>>
>>
>> Quoting Mij <mi...@ss...>:
>>
>>> Hi Andreas,
>>>
>>> 1.0 is older than me, so old that it's even antecedent to the
>>> current repository :)
>>>
>>> My best recollection is that the log message you are trying was removed as
>>> redundant. I.e., when the authentication failure occurs, there is another
>>> message generated that gets detected.
>>>
>>> Looking through the attack submission database, I find this example:
>>> Jan 28 18:36:57 hostname sshd[11616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.host.cn
>>> Jan 28 18:36:58 hostname sshd[11616]: Failed password for invalid user username from 1.2.3.4 port 43065 ssh2
>>>
>>> Intuitively, the first message is generated by the PAM module performing the
>>> concrete auth lookup, and the second is generated by sshd itself when pam
>>> returns the failure to its caller.
>>> Of course, feel free to bitch back here if your logs say anything different.
>>>
>>> I assume that by "crash" you mean that the pattern is not recognized. The
>>> output you paste is totally standard when a message is not recognized.
>>>
>>>
>>> On Jan 13, 2010, at 13:37 , Andreas Schuerch wrote:
>>>
>>>> Hi,
>>>>
>>>> I get an error with sshguard and syslog-ng on Gentoo.
>>>> Version 1.0 works without problems, but versions 1.4 and 1.5beta2
>>>> just seem to crash when invoked directly from the syslogger!
>>>> If I start them via "tail -n0 -F /var/log/auth.log | tee -a
>>>> /dev/stderr | env SSHGUARD_DEBUG="" /usr/sbin/sshguard" I get the
>>>> following output:
>>>>
>>>> Run command "iptables -L": exited 0.
>>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>>> Jan 13 14:10:22 sdb sshd[21506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
>>>> Starting parse
>>>> Entering state 0
>>>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:22 sdb sshd[21506]:")
>>>> Next token is token SYSLOG_BANNER_PID ()
>>>> Shifting token SYSLOG_BANNER_PID ()
>>>> Entering state 1
>>>> Reading a token: --accepting rule at line 186 (" ")
>>>> --accepting rule at line 185 ("pam_unix")
>>>> Next token is token WORD ()
>>>> Error: popping token SYSLOG_BANNER_PID ()
>>>> Stack now 0
>>>> Cleanup: discarding lookahead token WORD ()
>>>> Stack now 0
>>>> Jan 13 14:10:24 sdb sshd[21504]: error: PAM: Authentication failure for root from 192.168.0.1
>>>> Starting parse
>>>> Entering state 0
>>>> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:24 sdb sshd[21504]:")
>>>> Next token is token SYSLOG_BANNER_PID ()
>>>> Shifting token SYSLOG_BANNER_PID ()
>>>> Entering state 1
>>>> Reading a token: --accepting rule at line 186 (" ")
>>>> --accepting rule at line 185 ("error")
>>>> Next token is token WORD ()
>>>> Error: popping token SYSLOG_BANNER_PID ()
>>>> Stack now 0
>>>> Cleanup: discarding lookahead token WORD ()
>>>> Stack now 0
>>>>
>>>>
>>>> What could be wrong here!?
>>>>
>>>> Thanks in advance,
>>>> Andreas
>>>> --------------------------
>>>> --> NativeMail System <---
>>>> --------------------------
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>>
>>
>>
>
>
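As an added illustration of the point of this thread (not code from sshguard or from anyone on the list): a small Python matcher for the three sshd/PAM failure-line shapes quoted above, run over a constructed sample, showing that counting only the sshd "Failed ... for invalid user" line misses wrong-password attempts against an existing account such as cron, while the "error: PAM: Authentication failure for ... from ..." line is present for both kinds of user. The sample lines, the four-attempt threshold (taken from the (a,p,s)=(4, 420, 1200) debug line) and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample built from the line shapes quoted in the thread: one
# non-existent user "bla", then four wrong-password attempts for the existing
# account "cron". Timestamps and PIDs are made up.
SAMPLE_LOG = [
    "Jan 18 22:31:12 sdb sshd[29953]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.3",
    "Jan 18 22:31:14 sdb sshd[29949]: error: PAM: Authentication failure for illegal user bla from 192.168.0.3",
    "Jan 18 22:31:14 sdb sshd[29949]: Failed keyboard-interactive/pam for invalid user bla from 192.168.0.3 port 40559 ssh2",
] + [
    line
    for n in range(4)
    for line in (
        f"Jan 18 22:32:{26 + 10 * n} sdb sshd[{29958 + n}]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.196 user=cron",
        f"Jan 18 22:32:{28 + 10 * n} sdb sshd[{29956 + n}]: error: PAM: Authentication failure for cron from 192.168.0.196",
    )
]

PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
PATTERNS = {
    # sshd's own verdict line; in this thread it only appears for non-existent users
    "sshd_failed": re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"),
    # sshd relaying PAM's answer; emitted once per attempt for both kinds of user
    "pam_verdict": re.compile(PREFIX + r"error: PAM: Authentication failure for (?:illegal user )?(?P<user>\S+) from (?P<host>\S+)$"),
    # pam_unix's own line; "user=" is absent when the account does not exist
    "pam_unix": re.compile(PREFIX + r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<host>\S*)(?: user=(?P<user>\S+))?$"),
}

def classify(line):
    """Return (kind, user, host) for a recognised failure line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return kind, m.group("user"), m.group("host")
    return None

def count_attempts(lines, kinds):
    """Failed attempts per source host, counting only the given line kinds."""
    hits = Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit[0] in kinds:
            hits[hit[2]] += 1
    return hits

def hosts_over_threshold(lines, kinds, threshold=4):
    """Hosts a blocker would act on; 4 is the 'a' of the thread's (a,p,s)=(4, 420, 1200)."""
    return sorted(h for h, n in count_attempts(lines, kinds).items() if n >= threshold)
```

Calling count_attempts(SAMPLE_LOG, {"sshd_failed"}) yields only the single "bla" attempt from 192.168.0.3, whereas {"pam_verdict"} also yields the four cron attempts from 192.168.0.196, which is the host hosts_over_threshold reports.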