From: Mij <mi...@ss...> - 2010-07-05 10:30:42
Hi Robert,

I cannot reproduce this problem on any of my machines, but here is the most likely explanation. Log validation works as follows:

1. recognize an attack signature
2. extract the generating PID from it (logPID)
3. compare logPID with the genuine PID genPID (from the pidfile). Match => ACCEPT

The algorithm ideally stops here, but some daemons (like sshd) delegate connection processing to children. So the algorithm goes on:

4. ask the system for the parent-child process table
5. check if logPID is a child of genPID. Match => ACCEPT
6. REJECT

For daemons delegating client handling to children, what's likely happening on your machine is that sshguard receives the message when the child has already died after sending its log message. Sshguard then has no way to tell. With log sucking this is more likely to happen under non-BSD systems, where the logic is implemented with proactive non-blocking polls (on BSD it's reactive on kqueue()). I will consider collapsing this into a single libevent logic in the near future.

michele

On May 14, 2010, at 11:19 , Robert S wrote:

> Hi.
>
> I have tried this with log sucking and direct feed from a FIFO with
> similar results. This is certainly a lot better, but there are still
> some false positives:
>
> May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
> May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
> May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
> May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
> May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
> May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
> May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
>
> Robert.
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
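The six-step log validation described in the reply above, written out as an added example (it is not sshguard's own code) and run over a constructed feed modelled on Robert's log. The process-table snapshots, the pidfile PID 21000, the danger weight of 10 per attack and the 40-danger block threshold are all assumptions chosen to reproduce the log above. The example generalizes step 5 slightly: instead of checking only for a direct child it walks up the parent chain, so sshd's privsep grandchild is also accepted. The first snapshot models the race the reply describes: the per-connection child has already exited when the message is validated, so its PID is missing from the table and the genuine message is rejected as "forged".

```python
import re
from collections import defaultdict

# Constructed assumptions (not sshguard's values): the pidfile PID of the sshd
# listener, the danger each accepted attack adds, and the blocking threshold.
GENUINE_SSHD_PID = 21000
DANGER_PER_ATTACK = 10
BLOCK_THRESHOLD = 40

# Constructed signature for the AllowGroups refusal seen in the log above.
ATTACK_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "
    r"User \S+ from (?P<ip>[\d.]+) not allowed because none of user's groups "
    r"are listed in AllowGroups$"
)


def recognize_attack(line):
    """Steps 1-2: match the signature and extract (logPID, attacker IP), else None."""
    m = ATTACK_RE.match(line)
    if m is None:
        return None
    return int(m.group("pid")), m.group("ip")


def validate_pid(log_pid, gen_pid, parent_of):
    """Steps 3-6. parent_of maps pid -> ppid for the process table snapshot.

    A direct match accepts. Otherwise walk up from log_pid; reaching gen_pid
    accepts (any descendant, not just a direct child). A log_pid that is not
    in the table, or whose ancestry never reaches gen_pid, is rejected: that is
    the "forged" verdict, and also what happens when the child already exited.
    """
    if log_pid == gen_pid:
        return "ACCEPT"
    pid, hops = log_pid, 0
    while pid in parent_of and hops < 64:  # hop cap guards against a cyclic snapshot
        pid = parent_of[pid]
        hops += 1
        if pid == gen_pid:
            return "ACCEPT"
    return "REJECT"


def run_feed(lines, snapshot_for_line, gen_pid=GENUINE_SSHD_PID):
    """Validate each attack line against the table snapshot current at delivery
    time, tally danger per IP for accepted attacks, and return (verdicts, blocked)."""
    verdicts, danger, blocked = [], defaultdict(int), []
    for i, line in enumerate(lines):
        hit = recognize_attack(line)
        if hit is None:
            continue  # not an attack signature; nothing to validate
        log_pid, ip = hit
        verdict = validate_pid(log_pid, gen_pid, snapshot_for_line(i))
        verdicts.append((log_pid, ip, verdict))
        if verdict == "ACCEPT":
            danger[ip] += DANGER_PER_ATTACK
            if danger[ip] >= BLOCK_THRESHOLD and ip not in blocked:
                blocked.append(ip)
    return verdicts, blocked


# Constructed feed modelled on the first burst in Robert's log, plus one
# forged line (PID not under sshd) and one non-attack line.
_REFUSED = "not allowed because none of user's groups are listed in AllowGroups"
SAMPLE_LINES = [
    f"May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 {_REFUSED}",
    f"May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 {_REFUSED}",
    f"May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 {_REFUSED}",
    f"May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 {_REFUSED}",
    f"May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 {_REFUSED}",
    f"May 14 01:31:50 hostname sshd[31337]: User root from 10.0.0.9 {_REFUSED}",
    "May 14 01:31:51 hostname sshd[21225]: Accepted publickey for alice from 192.0.2.7 port 5000 ssh2",
]
# Constructed process-table snapshots (pid -> ppid), one per line above.
_BASE = {1: 0, GENUINE_SSHD_PID: 1, 31337: 1}
SNAPSHOTS = [
    dict(_BASE),                                             # 21193 already exited: the race
    {**_BASE, 21199: GENUINE_SSHD_PID},                      # live direct child
    {**_BASE, 21201: GENUINE_SSHD_PID, 21202: 21201},        # privsep grandchild
    {**_BASE, 21208: GENUINE_SSHD_PID},
    {**_BASE, 21219: GENUINE_SSHD_PID},
    dict(_BASE),                                             # 31337 is live but not under sshd
    dict(_BASE),
]


def demo():
    return run_feed(SAMPLE_LINES, lambda i: SNAPSHOTS[i])


if __name__ == "__main__":
    verdicts, blocked = demo()
    for log_pid, ip, verdict in verdicts:
        print(f"pid {log_pid} from {ip}: {verdict}")
    print("blocked:", blocked)
```

Running it shows the pattern from the log: the first genuine message is rejected because its child is already gone, the next four are accepted and the address is blocked after "4 attacks", and the line whose PID is live but not descended from sshd is rejected as forged. The race is a property of when the snapshot is taken relative to the child's exit, so the check itself cannot distinguish the two rejected cases.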