From: Alan S. <st...@le...> - 2015-01-27 12:25:45
Dear all,

I'm using the macports version (1.5.0) of sshguard under OSX 10.9.5 and it appears from the logs to successfully be picking up a number of attacks but not all. I have run the code in debug mode with the following outcomes.

Using an example of an attack that does not trigger sshguard directly from the system.log file (I've replaced some text with x and the ip of the 'via' machine):

    Jan 27 06:17:07 xxx.xxx.xxx.uk sshd[14815]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

there's a whole bunch of output and finally...

    Stack now 0
    Entering state 23
    Reading a token: --accepting rule at line 223 (" ")
    --accepting rule at line 222 ("via")
    Next token is token WORD ()
    Error: popping nterm text ()
    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0

If I use

    error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

I get a similar outcome to above (i.e. the final text is the same as above), but if I try just the following text

    error: PAM: authentication error for root from 115.239.228.7

I get (again after a bit of other output)

    Now at end of input.
    Stack now 0 23
    Cleanup: popping nterm text ()
    Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
    Purging stale attackers.

If I then repeat the last version (i.e. error: PAM: authentication error for root from 115.239.228.7) a further three times I get

    First abuse of '115.239.228.7', adding to offenders list.
    Offender '115.239.228.7:4' scored 40 danger in 1 abuses.
    Blocking 115.239.228.7:4 for >630secs: 40 danger in 4 attacks over 133 seconds (all: 40d in 1 abuses over 133s).
    Setting environment: SSHG_ADDR=115.239.228.7;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
    No ALTQ support in kernel
    ALTQ related functions disabled
    1/1 addresses added.
    Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.

and one further time I get

    Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
    Purging stale attackers.
    Asked to block '115.239.228.7', which was already blocked to my account.

Any thoughts on what I have set up incorrectly (if anything) or solutions?

regards
Alan
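As an added illustration (not code from the post, from sshguard or from the macports package): the debug trace above shows the 1.5.0 grammar stopping at the token "via", so a matcher for this OS X PAM line has to treat the "via <host>" tail as optional. The Python below does that with a single regex and replays the danger bookkeeping visible in the debug output (10 per match, block at 40; a repeat hit on a blocked address is reported, not re-scored) over a few constructed log lines modelled on the one quoted. The regex, the class and function names and the sample lines are this example's own assumptions, not sshguard's grammar or internals.

```python
import re
from collections import defaultdict

# Pattern written for this example (not sshguard's grammar) to match the
# OS X 10.9 sshd/PAM line quoted in the post. The syslog prefix is optional
# so bare "error: PAM: ..." text also matches, and the "via <host>" tail is
# optional, which is the variant the post's trace shows 1.5.0 rejecting.
PAM_AUTH_ERROR = re.compile(
    r"^(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: )?"  # syslog prefix
    r"error: PAM: authentication error for (?P<user>\S+) "
    r"from (?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: via (?P<via>\S+))?\s*$"
)

# Scores taken from the debug output in the post: 10 danger per match, block at 40.
DANGER_PER_ATTACK = 10
BLOCK_THRESHOLD = 40


def parse_attack(line):
    """Return {'user', 'addr', 'via'} for a PAM auth-error line, else None."""
    m = PAM_AUTH_ERROR.match(line)
    return m.groupdict() if m else None


class AttackerTable:
    """Minimal per-address danger accumulator, modelled on the post's output."""

    def __init__(self, danger_per_attack=DANGER_PER_ATTACK, threshold=BLOCK_THRESHOLD):
        self.danger_per_attack = danger_per_attack
        self.threshold = threshold
        self.danger = defaultdict(int)
        self.blocked = set()

    def feed(self, line):
        """Feed one log line; return (action, addr) or None if it is not an attack."""
        hit = parse_attack(line)
        if hit is None:
            return None
        addr = hit["addr"]
        if addr in self.blocked:
            # Mirrors "Asked to block ..., which was already blocked" in the post.
            return ("already-blocked", addr)
        self.danger[addr] += self.danger_per_attack
        if self.danger[addr] >= self.threshold:
            self.blocked.add(addr)
            return ("block", addr)
        return ("attack", addr)


def run(lines, table=None):
    """Feed every line through a table and return the list of actions taken."""
    if table is None:
        table = AttackerTable()
    return [a for a in (table.feed(line) for line in lines) if a is not None]


# Constructed sample lines modelled on the one in the post; the hostname,
# pids and addresses are placeholders, not real observations.
SAMPLE_LOG = [
    "Jan 27 06:17:07 xxx.xxx.xxx.uk sshd[14815]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:17:21 xxx.xxx.xxx.uk sshd[14816]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:17:40 xxx.xxx.xxx.uk sshd[14817]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 27 06:18:02 xxx.xxx.xxx.uk sshd[14818]: error: PAM: authentication error for admin from 115.239.228.7",
    "Jan 27 06:18:33 xxx.xxx.xxx.uk sshd[14819]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:19:00 xxx.xxx.xxx.uk sshd[14820]: error: PAM: authentication error for root from 115.239.228.7",
]

if __name__ == "__main__":
    for action in run(SAMPLE_LOG):
        print(action)
```

The check this gives a practitioner is the one the post's trace points at: feed the exact line from system.log, both with and without the trailing "via" host, and confirm both are counted against the same source address. Whether the fix belongs in the log-parser grammar or in a front-end that strips the suffix before the line reaches sshguard is a separate question; the example only shows what the matcher has to accept.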