From: Peter V. <sku...@gm...> - 2014-11-27 22:54:32
Hi all, today's messages:

Nov 27 23:31:25 server sshguard[25526]: Releasing after 450 seconds.
Nov 27 23:31:25 server sshguard[25526]: Setting environment: SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Nov 27 23:31:25 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
Nov 27 23:31:25 server sshguard[25526]: Release command failed. Exited: -1

Other strange messages:

Nov 27 23:34:16 server sshguard[25526]: Releasing after 621 seconds.
Nov 27 23:34:16 server sshguard[25526]: Setting environment: SSHG_ADDR=0;SSHG_ADDRKIND=0;SSHG_SERVICE=0.
Nov 27 23:34:16 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
Nov 27 23:34:16 server sshguard[25526]: Release command failed. Exited: -1

Both examples are for rule removals. There are no messages for the corresponding iptables inserts.

I do see some strange users as inputs: "Failed password for invalid user rock123\r"

It could be that message strings are not handled appropriately and specially crafted user accounts lead to unexpected results. Could anybody have a look at that?

sshguard 1.4-2
syslog-ng 3.1.3-3

--
Peter Viskup

On Fri, Nov 14, 2014 at 9:09 PM, Peter Viskup <sku...@gm...> wrote:
> Hi Kevin,
> thanks for the quick reply. Running syslog-ng version 3.1.3-3.
>
> filter sshlogs { facility(auth, authpriv) and not match("sshguard"
> value("MESSAGE")); };
> destination sshguardproc {
> program("/usr/sbin/sshguard -w <some_IP>/24"
> log { source(s_src); filter(sshlogs); destination(sshguardproc); };
>
> No other [white,black]listing.
>
>
> On Fri, Nov 14, 2014 at 9:02 PM, Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Peter,
>>
>> On 11/14/2014 13:51, Peter Viskup wrote:
>> > anybody seeing/saw similar messages? Once this occurs the SSH isn't
>> > accessible, at least our Zabbix monitoring is reporting that.
>> >
>> > Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
>> > Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>> > Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
>> > Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1
>>
>> This sounds like SSHGuard picking up some invalid IP addresses and
>> passing them on. Are you using Log Sucker or syslog?
>>
>> Additionally, something could have been happening with the blacklist
>> database. What whitelist/blacklist settings are you using?
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
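The release command quoted in both messages takes whatever sshguard puts in SSHG_ADDR and hands it straight to iptables, and because `$SSHG_ADDR` is expanded unquoted inside the `case`, a value containing whitespace would also be split into extra iptables arguments. The script below is an added example (not sshguard's own code, and not something from the thread): a drop-in replacement for that one-liner that checks SSHG_ADDRKIND and SSHG_ADDR against each other before any firewall binary runs, so the garbage shown above ("SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?", "SSHG_ADDR=0;SSHG_ADDRKIND=0") is refused with a diagnostic instead of reaching iptables. The function names, the SSHG_DRYRUN variable and the `/sbin/iptables` paths are this example's own assumptions; how the hook is wired into a given sshguard build is not shown in the thread, so it is left to the reader.

```shell
#!/bin/sh
# Added example, not sshguard's own code: a validating replacement for the
# inline "case $SSHG_ADDRKIND in 4) exec /sbin/iptables ..." command.
# sshguard exports SSHG_ADDR, SSHG_ADDRKIND (4 or 6) and SSHG_SERVICE;
# nothing here trusts those values until they have been checked.
# Assumed names: is_ipv4, is_ipv6, sshg_fw, SSHG_DRYRUN.

# Valid dotted-quad IPv4: four decimal groups of 1-3 digits, each <= 255.
# The body runs in a subshell so the IFS change and "set --" stay local;
# "exit" therefore only leaves the subshell and becomes the return status.
is_ipv4() (
    _a=$1
    case "$_a" in
        "" | *[!0-9.]* ) exit 1 ;;
    esac
    IFS=.
    set -- $_a
    [ $# -eq 4 ] || exit 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || exit 1
    done
    exit 0
)

# Syntactic sanity check for IPv6: hex digits and colons only, at most one
# "::", no ":::", at most 8 groups of at most 4 hex digits (exactly 8 when
# there is no "::"). Not a full RFC 4291 parser; ip6tables still has the
# last word, but garbage never gets that far.
is_ipv6() (
    _a=$1
    case "$_a" in
        "" | *[!0-9A-Fa-f:]* | *:::* | *::*::* ) exit 1 ;;
        *:* ) ;;
        * ) exit 1 ;;
    esac
    IFS=:
    set -- $_a
    case "$_a" in
        *::* ) [ $# -le 7 ] || exit 1 ;;
        * )    [ $# -eq 8 ] || exit 1 ;;
    esac
    for _g in "$@"; do
        [ ${#_g} -le 4 ] || exit 1
    done
    exit 0
)

# sshg_fw ACTION: run the firewall command for ACTION (-A block, -D release,
# -I insert) against the address in the environment. Refuses with status 2
# and a line on stderr unless SSHG_ADDR matches the family in SSHG_ADDRKIND.
# SSHG_DRYRUN=1 prints the command instead of exec'ing it.
sshg_fw() {
    _act=$1
    _bad=
    case "$_act" in
        -A|-D|-I) ;;
        *) echo "sshg_fw: unknown action '$_act'" >&2; return 2 ;;
    esac
    case "$SSHG_ADDRKIND" in
        4) _fw=/sbin/iptables;  is_ipv4 "$SSHG_ADDR" || _bad=1 ;;
        6) _fw=/sbin/ip6tables; is_ipv6 "$SSHG_ADDR" || _bad=1 ;;
        *) _bad=1 ;;
    esac
    if [ -n "$_bad" ]; then
        printf 'sshg_fw: refusing %s: SSHG_ADDRKIND=%s SSHG_ADDR=%s\n' \
            "$_act" "$SSHG_ADDRKIND" "$SSHG_ADDR" >&2
        return 2
    fi
    if [ -n "$SSHG_DRYRUN" ]; then
        printf '%s %s sshguard -s %s -j DROP\n' "$_fw" "$_act" "$SSHG_ADDR"
        return 0
    fi
    # Every argument is quoted, so the address can never become more than
    # one iptables argument, unlike the unquoted $SSHG_ADDR in the original.
    exec "$_fw" "$_act" sshguard -s "$SSHG_ADDR" -j DROP
}
```

With the script sourced, the block hook would call `sshg_fw -A` and the release hook `sshg_fw -D`; a refused call exits 2 and logs the offending environment, which makes the corrupt-address cases in the thread visible as a distinct message rather than as an iptables "exited 2".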