From: Kevin Z. <kev...@gm...> - 2014-11-27 23:36:14
Hi Peter,

Sorry I haven't gotten back to you on an earlier email.

On 11/27/2014 16:54, Peter Viskup wrote:
> today's messages:
> Nov 27 23:31:25 server sshguard[25526]: Releasing after 450 seconds.
> Nov 27 23:31:25 server sshguard[25526]: Setting environment:
> SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Nov 27 23:31:25 server sshguard[25526]: Run command "case $SSHG_ADDRKIND
> in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
> /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;;
> esac": exited 2.
> Nov 27 23:31:25 server sshguard[25526]: Release command failed. Exited: -1

If random characters made it in, this failure isn't surprising since the
code uses the system(3) call.

> Other strange messages:
> Nov 27 23:34:16 server sshguard[25526]: Releasing after 621 seconds.
> Nov 27 23:34:16 server sshguard[25526]: Setting environment:
> SSHG_ADDR=0;SSHG_ADDRKIND=0;SSHG_SERVICE=0.
> Nov 27 23:34:16 server sshguard[25526]: Run command "case $SSHG_ADDRKIND
> in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
> /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;;
> esac": exited 2.
> Nov 27 23:34:16 server sshguard[25526]: Release command failed. Exited: -1

This seems like the same problem as above.

> Both examples are for rules removal. There are no messages for
> corresponding iptables inserts.

I'm baffled that there are no inserts, but removals. I'm not very
familiar with the iptables backend; if this happens frequently, try
flushing the rules or the blacklist file (if any).

> I do see some strange users as inputs.
> "Failed password for invalid user rock123\r"

I'm not sure if these characters make it in or not; if they do, then
this is the culprit. This sounds dangerous, too.

> Could be that message strings are not handled appropriately and
> specially crafted user accounts lead to unexpected results. Could
> anybody have a look at that?

I'll be taking a look!

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
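
Added example, not part of the original message and not sshguard's code: one way to keep a corrupted address like the ones in the quoted log lines out of a command run through system(3) is to parse it with inet_pton(3) for the stated address kind and export only the re-rendered numeric form. The helper name `canonical_addr` and the sample inputs are assumptions constructed for illustration; the kind values 4 and 6 follow SSHG_ADDRKIND as shown in the logs.

```c
/* Added example; canonical_addr() is a hypothetical helper, not sshguard code. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse addr as a numeric address of the given kind (4 or 6, as in
 * SSHG_ADDRKIND) and write its re-rendered form to out. Returns 1 on success,
 * 0 for anything else: unterminated buffer, unknown kind, stray bytes, CR/LF. */
int canonical_addr(const char *addr, size_t buflen, int kind,
                   char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)];
    int af;

    if (addr == NULL || memchr(addr, '\0', buflen) == NULL)
        return 0;                 /* no terminator inside the buffer */
    if (kind == 4)
        af = AF_INET;
    else if (kind == 6)
        af = AF_INET6;
    else
        return 0;                 /* e.g. SSHG_ADDRKIND=0 */
    if (inet_pton(af, addr, bin) != 1)
        return 0;                 /* not a strict numeric address */
    /* Only text generated by inet_ntop() goes on to the environment. */
    return inet_ntop(af, bin, out, (socklen_t)outlen) != NULL;
}

int main(void)
{
    /* Constructed inputs modelled on the values in the quoted log lines. */
    static const struct { const char *addr; int kind; } samples[] = {
        { "192.0.2.10", 4 }, { "2001:DB8::1", 6 }, { "0", 0 },
        { "\xE8~a\x07L\x7f", 4 }, { "192.0.2.10\r", 4 },
    };
    char out[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *a = samples[i].addr;
        if (canonical_addr(a, strlen(a) + 1, samples[i].kind, out, sizeof out))
            printf("kind %d: run firewall command with SSHG_ADDR=%s\n",
                   samples[i].kind, out);
        else
            printf("kind %d: rejected, skip command and log the entry\n",
                   samples[i].kind);
    }
    return 0;
}
```

Rejecting the entry before the command runs also surfaces the corruption at the point where it is detected, instead of as an opaque "Release command failed" line.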