From: <jo...@te...> - 2013-05-21 21:04:57
Hello,

From the documentation I would think that the blocked time still keeps increasing, unless the '-b ' option is given. The IP is blocked, then released, then blocked for a longer time, etc... Man page on web site:

"For example, if address A attacks repeatedly and the base blocking time is 420 seconds, A will be blocked for 420 seconds (7 mins) at the first abuse, 2*420 (14 mins) the second, 2*2*420 (28 mins) the third ... and 2^(n-1)*420 the n-th time."

But that's not it. By default an IP will be blacklisted after a few failed logins. I want it to keep on going instead.

So I've added some debug statements in *pardonBlocked(void *par), in sshguard 1.15 as downloaded from the web site.

    for (pos = 0; pos < list_size(& hell); pos++) {
        tmpel = list_get_at(&hell, pos);
        /* skip blacklisted hosts (pardontime = infinite/0) */
        sshguard_log(LOG_DEBUG, "DEBUG: tmpel->pardontime: %d", (int)tmpel->pardontime);
        if (tmpel->pardontime == 0) continue;
        /* process hosts with finite pardon time */
        sshguard_log(LOG_DEBUG, "DEBUG: now: %d tmpel->whenlast: %d tmpel->pardontime: %d ", (int)now, (int)tmpel->whenlast, (int)tmpel->pardontime);
        if (now - tmpel->whenlast > tmpel->pardontime) {
            /* pardon time passed, release block */
            [ ... ]

This time sshguard was started using the following parameters, to have short debug cycles. SSHGUARD_DEBUG was also set.

    % sshguard -a 30 -p 5 -s 30 -l /var/log/auth.log
    Started successfully [(a,p,s)=(30, 5, 30)], now ready to scan.

I've added '-s 30' in the hope that this will provoke the release of any blocked IP, no matter what.

ssh was used to connect to the device running sshguard, and wrong passwords repeatedly entered. Always from the same IP. After the third batch of failed logins (3 failed logins per batch) the IP is never released. fw_release() is never executed. It never gets executed because for some reason tmpel->pardontime, after being 15, becomes 0, while sshguard still thinks it has to check it out. E.g. the list used by the pardonBlocked() thread still has something in it.

In other words, after three failed logins, the IP becomes blacklisted. This is because the cumulated danger comes to equate the opts.blacklist_threshold (120 for both) in report_address() and this makes tempent->pardontime equal to 0. And this happens because:

    #define DEFAULT_BLACKLIST_THRESHOLD (3 * DEFAULT_ABUSE_THRESHOLD)

With DEFAULT_ABUSE_THRESHOLD being 40. The only thing that can change that is by passing a value using the '-b ' option.

So what I did is to first define DEFAULT_BLACKLIST_THRESHOLD as 0. Then comment out the check about it right below it. Then I added:

    if (opts.blacklist_threshold != 0) {
        if (offenderent->cumulated_danger >= opts.blacklist_threshold) {

This works OK for the use I'm concerned with, which is an ever-increasing blocking time w/o any blacklisting.

The '-s ' switch does not seem to work, though, as I would expect that information about an IP would be erased after '-s n seconds', if I read the documentation correctly. In which case, I'm not sure I did.

Let me know if this makes sense, or if I'm totally wrong, or somewhere in-between.

Thanks !

Some debug messages. There's an error popping a token, but I haven't paid attention to that.

2nd failed login:

    Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
    Purging stale attackers.
    Offender '10.200.22.27:4' scored 60 danger in 2 abuses.
    Blocking 10.200.22.27:4 for >10secs: 30 danger in 2 attacks over 7 seconds (all: 60d in 2 abuses over 59s).
    Setting environment: SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip.
    Read line from '/var/log/auth.log'.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 110 ("May 21 11:21:35 thishost sshd[3791]: ")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 220 ("PAM")
    Next token is token WORD ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0
    DEBUG: tmpel->pardontime: 10
    DEBUG: now: 1369149696 tmpel->whenlast: 1369149695 tmpel->pardontime: 10
    DEBUG: tmpel->pardontime: 10
    DEBUG: now: 1369149699 tmpel->whenlast: 1369149695 tmpel->pardontime: 10
    DEBUG: tmpel->pardontime: 10
    DEBUG: now: 1369149701 tmpel->whenlast: 1369149695 tmpel->pardontime: 10
    DEBUG: tmpel->pardontime: 10
    DEBUG: now: 1369149704 tmpel->whenlast: 1369149695 tmpel->pardontime: 10
    DEBUG: tmpel->pardontime: 10
    DEBUG: now: 1369149707 tmpel->whenlast: 1369149695 tmpel->pardontime: 10
    Releasing 10.200.22.27 after 12 seconds.
    Setting environment: SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip

3rd failed login:

    Offender '10.200.22.27:4' scored 90 danger in 3 abuses.
    Blocking 10.200.22.27:4 for >15secs: 30 danger in 2 attacks over 7 seconds (all: 90d in 3 abuses over 128s).
    Setting environment: SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip.
    Read line from '/var/log/auth.log'.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 110 ("May 21 11:22:43 thishost sshd[4391]: ")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 220 ("PAM")
    Next token is token WORD ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149764 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149766 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149769 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149772 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149775 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149777 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    DEBUG: tmpel->pardontime: 15
    DEBUG: now: 1369149780 tmpel->whenlast: 1369149764 tmpel->pardontime: 15
    Releasing 10.200.22.27 after 16 seconds.
    Setting environment: SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /s

4th failed login:

    Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
    Purging stale attackers.
    Blocking 10.200.22.27:4 for >0secs: 30 danger in 2 attacks over 8 seconds (all: 120d in 4 abuses over 198s).
    Setting environment: SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip.
    Read line from '/var/log/auth.log'.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 110 ("May 21 11:23:53 thishost sshd[4976]: ")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 220 ("PAM")
    Next token is token WORD ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0
    DEBUG: tmpel->pardontime: 0
    DEBUG: tmpel->pardontime: 0
    DEBUG: tmpel->pardontime: 0
    Read line from '/var/log/auth.log'.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 110 ("May 21 11:24:01 thishost CRON[5201]: ")
    Next token is token SYSLOG_BANNER_PID ()

Now sshguard checks for pardon time in the thread, which is always repeated:

    Stack now 0
    DEBUG: tmpel->pardontime: 0
    DEBUG: tmpel->pardontime: 0
    DEBUG: tmpel->pardontime: 0
    DEBUG: tmpel->pardontime: 0
    [...]
    Read line from '/var/log/auth.log'.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 110 ("May 21 11:25:01 thishost CRON[5737]: ")
    Next token is token SYSLOG_BANNER_PID ()
    Shifting token SYSLOG_BANNER_PID ()
    Entering state 1
    Reading a token: --accepting rule at line 220 ("pam_unix")
    Next token is token WORD ()
    Error: popping token SYSLOG_BANNER_PID ()
    Stack now 0
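A constructed C model of the blacklist cutoff this post describes (an added example, not sshguard's own code): it reproduces the sequence in the debug output above, pardon times 10 and 15 for the 2nd and 3rd abuse and then 0 once the cumulated danger reaches DEFAULT_BLACKLIST_THRESHOLD = 120, and shows how a blacklist_threshold of 0, as in the poster's change, keeps the block time growing instead. Assumptions: 30 danger per abuse, and a block time that grows linearly with the abuse count (which is what the log shows for -p 5; the man page's doubling would give 10 and 20); both are modelling choices, not sshguard internals.

```c
#include <stdio.h>

/* Constructed model of the cutoff described in the post; not sshguard's code.
 * Assumed: each abuse adds danger_per_abuse, the block time grows linearly
 * with the abuse count, and pardontime 0 means "blacklisted, never released". */
#define DEFAULT_ABUSE_THRESHOLD     40
#define DEFAULT_BLACKLIST_THRESHOLD (3 * DEFAULT_ABUSE_THRESHOLD)   /* 120 */

struct offender {
    int cumulated_danger;
    int num_abuses;
};

/* Record one more abuse and return the pardon time to block for. Returns 0
 * (blacklisted) once cumulated danger reaches the threshold; a threshold of 0
 * disables blacklisting, as in the poster's change, so the time keeps growing. */
int next_pardontime(struct offender *o, int danger_per_abuse,
                    int pardon_base, int blacklist_threshold)
{
    o->cumulated_danger += danger_per_abuse;
    o->num_abuses++;
    if (blacklist_threshold != 0 &&
        o->cumulated_danger >= blacklist_threshold)
        return 0;                          /* pardonBlocked() will skip this host */
    return pardon_base * o->num_abuses;    /* 5, 10, 15, 20, ... for -p 5 */
}

/* The release test from pardonBlocked(): a host with pardontime 0 is skipped
 * forever, however much time has passed since it was blocked. */
int should_release(long now, long whenlast, int pardontime)
{
    if (pardontime == 0)
        return 0;
    return now - whenlast > pardontime;
}

int main(void)
{
    struct offender dflt = {0, 0}, nobl = {0, 0};
    int i;
    for (i = 1; i <= 4; i++) {
        int a = next_pardontime(&dflt, 30, 5, DEFAULT_BLACKLIST_THRESHOLD);
        int b = next_pardontime(&nobl, 30, 5, 0);
        printf("abuse %d: default -> %2d s%s, -b 0 -> %2d s\n",
               i, a, a == 0 ? " (blacklisted)" : "", b);
    }
    return 0;
}
```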