From: Mij <mi...@ss...> - 2012-11-30 10:40:27

Hello Robert,

These patterns are not known to sshguard. Please submit these samples to
http://www.sshguard.net/support/attacks/submit/

You can find the list of recognised patterns on
http://www.sshguard.net/docs/reference/attack-signatures/

-m

On Nov 19, 2012, at 21:11 , Robert S <rob...@gm...> wrote:

> I have the following sshguard config:
>
> # /etc/syslog-ng/syslog-ng.conf
> destination authlog { pipe("/var/log/sshguard.fifo"); };
>
> filter f_authpriv { facility(auth, authpriv); };
> log { source(src); filter(f_authpriv); destination(authlog); };
>
> filter f_mail { facility(mail); };
> log { source(src); filter(f_mail); destination(authlog); };
>
>
> # cat /var/log/sshguard.fifo | /usr/sbin/sshguard -b /var/local/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid -f 250:/var/run/sendmail.pid -f 210:/var/run/dovecot/master.pid
>
> Recently I got a lot of these in my syslog:
>
> Nov 20 03:10:32 myserver sm-mta[24866]: qAJGAOu7024866: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
> Nov 20 03:12:43 myserver sm-mta[24906]: qAJGCZe6024906: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
> Nov 20 03:12:57 myserver saslauthd[5531]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Nov 20 03:14:52 myserver sm-mta[24914]: qAJGEjAF024914: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
> Nov 20 03:15:08 myserver saslauthd[5528]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Nov 20 03:17:02 myserver sm-mta[24926]: qAJGGtse024926: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
> Nov 20 03:17:17 myserver saslauthd[5532]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
>
> .. but these were not detected by sshguard.
>
> I have run sshguard in debug mode and the messages are getting through, and it is blocking ssh attacks successfully. I am running sendmail 8.14.4 and sshguard 1.5 on Gentoo Linux. Can somebody tell me where things are going wrong?
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
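As an added example (not part of this thread and not sshguard's own matcher), the Python below parses the two message types Robert quoted into the fields a blocking signature would need: the sendmail "possible SMTP attack" notice carries the source IP and a failure count, while the saslauthd "auth failure" line carries no IP at all and can only corroborate. The sample lines are constructed after the quoted ones.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread;
# the last line is an unrelated sshd success that must not match.
SAMPLE_LOG = """\
Nov 20 03:10:32 myserver sm-mta[24866]: qAJGAOu7024866: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
Nov 20 03:12:57 myserver saslauthd[5531]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Nov 20 03:14:52 myserver sm-mta[24914]: qAJGEjAF024914: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
Nov 20 03:20:00 myserver sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Common syslog prefix: timestamp, host, program name and pid.
SYSLOG_PREFIX = (r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                 r'(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: ')

# sendmail notice: queue id, reverse DNS, bracketed IP, optional forgery flag,
# then the AUTH command and how many failures sendmail already counted.
SENDMAIL_AUTH = re.compile(
    SYSLOG_PREFIX + r'\S+: (?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]'
    r'(?: \(may be forged\))?: possible SMTP attack: '
    r'command=(?P<cmd>\w+), count=(?P<count>\d+)$')

# saslauthd failure: user and service only, no client address.
SASL_FAIL = re.compile(
    SYSLOG_PREFIX + r'do_auth : auth failure: \[user=(?P<user>[^\]]*)\] '
    r'\[service=(?P<svc>\w+)\]')

def parse_line(line):
    """Return a dict of extracted fields, or None for lines of no interest."""
    m = SENDMAIL_AUTH.match(line)
    if m:
        return {"source": "sendmail", "ip": m["ip"], "pid": int(m["pid"]),
                "cmd": m["cmd"], "count": int(m["count"])}
    m = SASL_FAIL.match(line)
    if m:
        return {"source": "saslauthd", "ip": None, "pid": int(m["pid"]),
                "user": m["user"], "service": m["svc"]}
    return None

def attacker_counts(log_text):
    """Sum sendmail's own per-notice failure counts by source IP.
    Only events that carry an address contribute; saslauthd lines cannot."""
    totals = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"]:
            totals[ev["ip"]] += ev["count"]
    return totals
```

The split between the two patterns is the practical point: a blocker can only act on the sendmail notice, because the saslauthd line never names the client.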