From: Mij <mi...@ss...> - 2010-02-10 11:20:33
Hi Teuxe
On Feb 7, 2010, at 02:33 , Teuxe wrote:
> Hi,
>
> [This mail contains log dumps, I first apologize for its length.]
>
> I installed sshguard some days ago as a syslog-ng log service:
>
> destination dp_sshguard {
>     program("/usr/local/sbin/sshguard -f 100:/var/run/sshd.pid"
>             template("$DATE $FULLHOST $MESSAGE\n"));
> };
> filter f_sshlogs {
>     facility(auth, authpriv)
>     and not match("sshguard");
> };
> log {
>     source(s_all);
>     filter(f_sshlogs);
>     destination(dp_sshguard);
> };
>
> I kept default configuration (4 failures adding an entry in table
> "sshguard") and I found it was working well (at first) since it blocked
> a login attempt from a computer connected by Ethernet.
> Later on (there was a reboot on Feb 3 09:45), I noticed in auth.log that
> a first attempt is well detected:
>
> Feb 3 18:24:04 neo sshd[3234]: Address 212.156.65.78 maps to
> static.turktelekom.com.tr, but this does not map back to the address -
> POSSIBLE BREAK-IN ATTEMPT!
> Feb 3 18:24:04 neo sshd[3234]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
> Feb 3 18:24:06 neo sshd[3234]: Failed password for root from
> 212.156.65.78 port 36865 ssh2
> Feb 3 18:24:07 neo sshd[3238]: Address 212.156.65.78 maps to
> static.turktelekom.com.tr, but this does not map back to the address -
> POSSIBLE BREAK-IN ATTEMPT!
> Feb 3 18:24:07 neo sshd[3238]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
> Feb 3 18:24:09 neo sshd[3238]: Failed password for root from
> 212.156.65.78 port 37262 ssh2
> Feb 3 18:24:10 neo sshd[3242]: Address 212.156.65.78 maps to
> static.turktelekom.com.tr, but this does not map back to the address -
> POSSIBLE BREAK-IN ATTEMPT!
> Feb 3 18:24:10 neo sshd[3242]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
> Feb 3 18:24:12 neo sshd[3242]: Failed password for root from
> 212.156.65.78 port 37674 ssh2
> Feb 3 18:24:13 neo sshd[3246]: Address 212.156.65.78 maps to
> static.turktelekom.com.tr, but this does not map back to the address -
> POSSIBLE BREAK-IN ATTEMPT!
> Feb 3 18:24:13 neo sshd[3246]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
> Feb 3 18:24:15 neo sshd[3246]: Failed password for root from
> 212.156.65.78 port 38040 ssh2
> Feb 3 18:24:15 neo sshguard[2138]: Blocking 212.156.65.78:4 for
> >420secs: 4 failures over 9 seconds.
>
> ... but the following are not AT ALL (there are plenty of such attempts
> in bulk):
>
> Feb 4 00:53:19 neo sshd[3927]: Did not receive identification string
> from 163.43.128.225
> Feb 4 00:57:14 neo sshd[3930]: Invalid user admin from 163.43.128.225
> Feb 4 00:57:14 neo sshd[3930]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 4 00:57:14 neo sshd[3930]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
> Feb 4 00:57:15 neo sshd[3930]: Failed password for invalid user admin
> from 163.43.128.225 port 48550 ssh2
> Feb 4 00:57:23 neo sshd[3932]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
> user=root
> Feb 4 00:57:25 neo sshd[3932]: Failed password for root from
> 163.43.128.225 port 49018 ssh2
> Feb 4 00:57:32 neo sshd[3934]: Invalid user stud from 163.43.128.225
> Feb 4 00:57:32 neo sshd[3934]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 4 00:57:32 neo sshd[3934]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
> Feb 4 00:57:34 neo sshd[3934]: Failed password for invalid user stud
> from 163.43.128.225 port 49488 ssh2
> Feb 4 00:57:42 neo sshd[3936]: Invalid user trash from 163.43.128.225
> Feb 4 00:57:42 neo sshd[3936]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 4 00:57:42 neo sshd[3936]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
> Feb 4 00:57:44 neo sshd[3936]: Failed password for invalid user trash
> from 163.43.128.225 port 49962 ssh2
> Feb 4 00:57:51 neo sshd[3938]: Invalid user aaron from 163.43.128.225
> Feb 4 00:57:51 neo sshd[3938]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 4 00:57:51 neo sshd[3938]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
> Feb 4 00:57:53 neo sshd[3938]: Failed password for invalid user aaron
> from 163.43.128.225 port 50460 ssh2
> Feb 6 03:12:16 neo sshd[12669]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=xenmaster01.drecomm.nl user=root
> Feb 6 03:12:17 neo sshd[12669]: Failed password for root from
> 91.209.192.28 port 34608 ssh2
> Feb 6 03:12:17 neo sshd[12671]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=xenmaster01.drecomm.nl user=root
> Feb 6 03:12:19 neo sshd[12671]: Failed password for root from
> 91.209.192.28 port 34895 ssh2
> Feb 6 03:12:19 neo sshd[12673]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=xenmaster01.drecomm.nl user=root
> Feb 6 03:12:22 neo sshd[12673]: Failed password for root from
> 91.209.192.28 port 35196 ssh2
>
> However after some time, it works again once (but after... 2 failures ONLY):
>
> Feb 6 15:13:08 neo sshd[13617]: Invalid user lucus from 92.46.123.11
> Feb 6 15:13:08 neo sshd[13617]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 6 15:13:08 neo sshd[13617]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.123.11
> Feb 6 15:13:09 neo sshd[13617]: Failed password for invalid user lucus
> from 92.46.123.11 port 51418 ssh2
> Feb 6 15:13:16 neo sshd[13623]: Invalid user luis from 92.46.123.11
> Feb 6 15:13:16 neo sshd[13623]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb 6 15:13:16 neo sshd[13623]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.123.11
> Feb 6 15:13:18 neo sshd[13623]: Failed password for invalid user luis
> from 92.46.123.11 port 55350 ssh2
> Feb 6 15:13:18 neo sshguard[12878]: Blocking 92.46.123.11:4 for >420secs: 4 failures over 10 seconds.
Seems like sshguard is not receiving these messages.
To simplify the investigation you can try to exclude syslog-ng
and get logs directly, either with the tail+sshguard combo
http://www.sshguard.net/docs/setup/getlogs/raw-file/
or with the Log Sucker (version 1.5, fetch from the SVN).
Since version 1.5 stable, the Log Sucker will be the recommended
means to get log entries.
> I first checked that the daemon was still running using a "ps faux |
> grep sshguard", it was still here. There was no reboot since the first
> detect:
> # date -R; uptime
> Sun, 07 Feb 2010, 02:27:02 +0100
> 02:27:02 up 3 days, 16:40, 5 users, load average: 0.43, 0.24, 0.20
>
> I decided to attempt false ssh logins from localhost: none was detected,
> while entries are present in auth.log:
>
> Feb 7 01:57:39 neo sshd[17773]: Invalid user xxx from 127.0.0.1
> Feb 7 01:57:39 neo sshd[17773]: Failed none for invalid user xxx from
> 127.0.0.1 port 37225 ssh2
> Feb 7 01:57:40 neo sshd[17773]: Failed password for invalid user xxx
> from 127.0.0.1 port 37225 ssh2
> Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx
> from 127.0.0.1 port 37225 ssh2
> Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx
> from 127.0.0.1 port 37225 ssh2
> Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1
> port 37232 ssh2
> Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1
> port 37232 ssh2
> Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1
> port 37232 ssh2
> Feb 7 01:59:40 neo sshd[17806]: Failed password for root from 127.0.0.1
> port 37233 ssh2
> Feb 7 01:59:41 neo sshd[17806]: Failed password for root from 127.0.0.1
> port 37233 ssh2
> Feb 7 01:59:42 neo sshd[17806]: Failed password for root from 127.0.0.1
> port 37233 ssh2
localhost is unilaterally whitelisted a priori by sshguard for security reasons.
Imagine what'd happen if you prevent traffic through 127.0.0.1.
> --> I notice that traces are well different, pam_unix is not shown for
> localhost attempts (maybe this is normal, due to localhost?).
> Currently I have no other computer to make an "external test" (the
> previous one is dead :-/ ).
>
>
> Have you any idea on what can happen? Which tests can I do?
> Thanks a lot,
>
>
> Teuxe
>
> PS. By the way I may have updated my standard system in-between, maybe
> ssh log formats have changed?
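An added example (not sshguard's code, and not from either poster) that reproduces the two points of this exchange in working form: a sliding-window failure counter over sshd auth.log lines like the ones quoted above, with localhost whitelisted a priori, plus a diagnostic that lists sshd lines matching none of the recognised patterns, which is the first thing to check when a detector "does not see" some entries. The regexes, the 120-second window and the sample log (constructed from the quoted lines, plus one made-up "Accepted publickey" line) are this example's own assumptions; the 4-failure threshold and 420-second block are the values that appear in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix as in the auth.log excerpts: "Feb 3 18:24:04 neo sshd[3234]: ..."
SYSLOG_PREFIX = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")

# Illustrative regexes for the sshd failure messages seen in the thread. They are this
# example's approximation, not sshguard's parser; the captured group is the source host.
FAILURE_PATTERNS = [
    re.compile(r"^Failed (?:password|none) for (?:invalid user )?\S+ from (\S+) port \d+"),
    re.compile(r"^Did not receive identification string from (\S+)"),
]

# Companion lines that add no failure of their own (a "Failed ..." line follows them).
IGNORED_PATTERNS = [
    re.compile(r"^pam_unix\("),
    re.compile(r"^Invalid user "),
    re.compile(r"^Address \S+ maps to "),
]

# Sources never blocked; mirrors the a priori localhost whitelist mentioned in the reply.
WHITELIST = {"127.0.0.1", "::1"}


def parse_failure(line, year=2010):
    """Return (timestamp, source) if the line is a recognised sshd failure, else None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for pat in FAILURE_PATTERNS:
        fm = pat.match(m.group(2))
        if fm:
            return ts, fm.group(1)
    return None


def unmatched_sshd_lines(lines):
    """Diagnostic: sshd lines that match neither a failure nor a known-noise pattern.
    Anything listed here is invisible to a detector built from these patterns."""
    out = []
    for line in lines:
        m = SYSLOG_PREFIX.match(line)
        if m and not any(p.match(m.group(2)) for p in FAILURE_PATTERNS + IGNORED_PATTERNS):
            out.append(line)
    return out


def detect(lines, threshold=4, window_seconds=120, block_seconds=420):
    """Per-source sliding window: `threshold` failures within `window_seconds` yield a
    block decision; a blocked source is ignored for `block_seconds` afterwards.
    Returns [(source, timestamp_of_decision), ...] in log order."""
    recent = defaultdict(deque)
    blocked_at = {}
    decisions = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src = parsed
        if src in WHITELIST:
            continue  # never block localhost, whatever the count
        if src in blocked_at and (ts - blocked_at[src]).total_seconds() < block_seconds:
            continue  # already blocked, nothing more to decide
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked_at[src] = ts
            decisions.append((src, ts))
            q.clear()
    return decisions


# Constructed sample, condensed from the lines quoted in the thread; the last line is made up.
SAMPLE_LOG = """\
Feb 3 18:24:04 neo sshd[3234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
Feb 3 18:24:06 neo sshd[3234]: Failed password for root from 212.156.65.78 port 36865 ssh2
Feb 3 18:24:09 neo sshd[3238]: Failed password for root from 212.156.65.78 port 37262 ssh2
Feb 3 18:24:12 neo sshd[3242]: Failed password for root from 212.156.65.78 port 37674 ssh2
Feb 3 18:24:15 neo sshd[3246]: Failed password for root from 212.156.65.78 port 38040 ssh2
Feb 4 00:53:19 neo sshd[3927]: Did not receive identification string from 163.43.128.225
Feb 4 00:57:14 neo sshd[3930]: Invalid user admin from 163.43.128.225
Feb 4 00:57:15 neo sshd[3930]: Failed password for invalid user admin from 163.43.128.225 port 48550 ssh2
Feb 4 00:57:25 neo sshd[3932]: Failed password for root from 163.43.128.225 port 49018 ssh2
Feb 4 00:57:34 neo sshd[3934]: Failed password for invalid user stud from 163.43.128.225 port 49488 ssh2
Feb 4 00:57:44 neo sshd[3936]: Failed password for invalid user trash from 163.43.128.225 port 49962 ssh2
Feb 4 00:57:53 neo sshd[3938]: Failed password for invalid user aaron from 163.43.128.225 port 50460 ssh2
Feb 6 03:12:17 neo sshd[12669]: Failed password for root from 91.209.192.28 port 34608 ssh2
Feb 6 03:12:19 neo sshd[12671]: Failed password for root from 91.209.192.28 port 34895 ssh2
Feb 6 03:12:22 neo sshd[12673]: Failed password for root from 91.209.192.28 port 35196 ssh2
Feb 7 01:57:39 neo sshd[17773]: Failed none for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:40 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 02:00:01 neo sshd[17810]: Accepted publickey for teuxe from 10.0.0.5 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, ts in detect(SAMPLE_LOG):
        print(f"block {src} at {ts:%b %d %H:%M:%S}")
    for line in unmatched_sshd_lines(SAMPLE_LOG):
        print("unrecognised:", line)
```

Run as is, it blocks 212.156.65.78 on its fourth failure and 163.43.128.225 on its fourth "Failed password" (the "Did not receive identification string" entry is older than the window by then), leaves 91.209.192.28 alone because the excerpt shows only three failures, and never blocks 127.0.0.1 despite four failures in three seconds. Lowering `threshold` to 3 turns the 91.209.192.28 burst into a block, which is how to check that a count-based rule behaves as you expect before blaming the log transport.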