From: Mij <mi...@bi...> - 2007-03-15 00:43:37
> On 3/14/07, Mij <mi...@bi...> wrote:
>>> Hi all.
>>>
>>> I installed sshguard on Open suse. by
>>>
>>>> chmod +s /usr/sbin/sshguard
>>
>> please don't make sshguard setuid. Besides being useless, this is very
>> lame and dangerous. A local user could simply run sshguard and feed it
>> some crafted lines of text with arbitrary IP addresses and make the
>> machine block them. This is a major mistake.
>
> I agree, I followed the README file; when that did not work for me, I
> followed what the article on
> http://applications.linux.com/article.pl?sid=07/02/27/1957242&tid=129&tid=47&tid=100&tid=35
> said:
>
> "Lastly, since sshguard needs to be able to tell iptables to add and
> drop dynamic rules, it needs permission to do so. Use the chmod command to
> make the program run as root:
>
> chmod +s /usr/local/sbin/sshguard"

I will put a note on the website discouraging to follow this.

>>>> ln -s /usr/sbin/ip* /sbin/
>>
>> no idea what this horrible thing should serve for :)
>
> When I tried version sshguard 0.9 with the scons.py
>
> python scons.py -Q FIREWALLTYPE=iptables
>
> I noticed this on my log file
>
> "sshguard[9731]: Started successfully [(a,p,s)=(3, 3, 1200)], now ready to scan.
> sshguard[9731]: Got exit signal, flushing blocked addresses and exiting...
> sshguard[9731]: Running command "/sbin/iptables"
> sshguard[9733]: Unable to exec(): No such file or directory
> sshguard[9736]: Started successfully [(a,p,s)=(3, 3, 1200)], now ready to scan.
> "
>
> after I created a link from /usr/sbin/ip*tables* to /sbin
> that exec() error did not show in my logs any more.

I assumed iptables being always in /sbin under Linux, as both the Linux hosts I tested on (Gentoo + Debian) got iptables in there. I will make this ./configure-able in version 1.0. In the meantime, you can easily adjust the expected path in sshguard:

1) download and extract sshguard v. 0.91
2) run "./configure --with-firewall=iptables"
3) edit fwalls/command.h and replace all "/sbin/" tokens with "/usr/sbin/"
4) run "make && make install"

>> sshguard detects attackers by analyzing log entries it's given in its
>> standard input. If it's not started by syslog-ng, the problem is in
>> syslog-ng configuration. But for spotting this problem, just try to run
>> sshguard manually like this (as root!):
>>
>> tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard
>>
>> replace auth.log with the file which sshd logs to, find it with:
>>
>> cd /var/log
>> grep -rl 'sshd\[' .
>>
>>> After I tried it on a redhat 3.0 AS test server, with a few variations to
>>> the configuration, but again it did not start the sshguard nor did it block
>>> the ip.
>>>
>>> Did I miss anything on the configuration?
>>>
>>> Any help is appreciated.
>>
>> Please try to run sshguard as said above, try some logins as non-existent
>> user for example, and report what happens.
>
> on the redhat 3.0 machine I ran it just like you suggested and it ran and
> worked.
> tail -n0 -F /var/log/secure | /usr/sbin/sshguard
> But it is not being launched from syslog.
> On opensuse
>
> sshd messages are sent to /var/log/messages and /var/log/warn
>
> I removed the .9 version of sshguard and I installed the .91 version
> and I removed the links from /usr/sbin/iptables to /sbin/
> and I see
>
> sshguard[14201]: Running command "/sbin/iptables"
> sshguard[14211]: Unable to exec(): No such file or directory
>
> Perhaps the iptables path can be specified on the configure script.
>
> anyways on suse I ran sshguard with the following command and it did not
> block the users
> tail -n0 -F /var/log/messages | /usr/sbin/sshguard
>
> and this is what I get
>
> sshguard[14273]: Blocking 10.2.111.180: 4 failures over 1 seconds.
> Mar 14 15:33:00 Zhadum sshguard[14273]: Running command "/sbin/iptables"
> Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180
> Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180
> Mar 14 15:33:00 Zhadum sshguard[14298]: Blocking 10.2.111.180: 4 failures over 1 seconds.
> Mar 14 15:33:00 Zhadum sshguard[14298]: Running command "/sbin/iptables"
>
> but it does not block the ip, I can still ssh from the other machine to
> that one.

logs say iptables can be started, but you say the address is not blocked:

1) did you make the proper settings to the firewall? If you did, please try the following:

   1) iptables -A sshguard -s %%block-ip%% -j DROP
      (this is the command sshguard runs for blocking %%block-ip%%)
   2) try telnetting the sshguard host from %%block-ip%%

   if you *can* telnet from the blocked IP, then everything works fine but the firewall chains are such that the blocking rules have no effect. You need to insert the sshguard chain into a higher priority in the INPUT table in this case.

2) if everything above behaves as expected, then sshguard cannot run iptables successfully. For example, it's blocked for insufficient credentials. In this case, in syslog you should see a line like "Blocking command failed. Exited: 3." In this case, please report the exit value so we can identify what's wrong.

>>> Giovanni
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
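The two things debated in this thread, the `tail -n0 -F auth.log | sshguard` pipeline with a firewall path that is not hardcoded, and the "sshguard says Blocking but I can still ssh in" symptom caused by the sshguard chain sitting below the SSH ACCEPT rule in INPUT, as one added example. This is not sshguard's own code and not from either poster; it only builds the iptables argv and never executes it, so it runs unprivileged. The threshold semantics given to `(a, s)` from the `(a,p,s)=(3, 3, 1200)` startup line, the sshd log formats, and the `iptables -S INPUT` listings are all assumptions constructed for the example.

```python
"""Added example for this thread (not sshguard's own code): a minimal
stand-in for the `tail -n0 -F auth.log | sshguard` pipeline, plus a check
for the chain-ordering problem described at the end of the thread.  Every
log line and iptables listing below is constructed for the example."""
import re
from collections import defaultdict, deque

# sshguard 0.9x logs "(a,p,s)=(3, 3, 1200)" at startup.  Assumption here:
# a = failures before an address is blocked, s = window in seconds.
ATTEMPTS = 3
WINDOW_SECS = 1200

# 0.91 hardcodes /sbin/iptables in fwalls/command.h; OpenSUSE keeps it in
# /usr/sbin.  Here the path is a parameter instead of a patched header.
IPTABLES = "/sbin/iptables"

# Common OpenSSH auth-failure forms in syslog (constructed; real output
# varies with version and PAM configuration).
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
_FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + _IP),
    re.compile(r"Invalid user \S+ from " + _IP),
]


def parse_failure(line):
    """Return the source IP if `line` is an sshd authentication failure, else None."""
    if "sshd[" not in line:
        return None
    for pat in _FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


def block_command(ip, iptables=IPTABLES):
    """argv of the rule the thread quotes sshguard as running for %%block-ip%%."""
    return [iptables, "-A", "sshguard", "-s", ip, "-j", "DROP"]


def scan(entries, attempts=ATTEMPTS, window=WINDOW_SECS, iptables=IPTABLES):
    """Consume (seconds, line) pairs in order; return the block commands that
    would be issued.  Each matching line counts as one failure, a sliding
    window of `window` seconds is kept per address, an address is blocked once."""
    recent = defaultdict(deque)
    blocked = []
    for ts, line in entries:
        ip = parse_failure(line)
        if ip is None or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= attempts:
            blocked.append(ip)
    return [block_command(ip, iptables) for ip in blocked]


def chain_order_ok(iptables_s_input):
    """Given the text of `iptables -S INPUT`, return True if the jump to the
    sshguard chain precedes any rule that ACCEPTs tcp port 22.  A jump placed
    after such an ACCEPT never sees SSH traffic, so DROP rules in the sshguard
    chain have no effect even though sshguard adds them successfully."""
    jump_at = accept_at = None
    for n, rule in enumerate(iptables_s_input.splitlines()):
        toks = rule.split()
        if "-j" not in toks:
            continue  # e.g. the "-P INPUT ACCEPT" policy line
        target = toks[toks.index("-j") + 1]
        if target == "sshguard" and jump_at is None:
            jump_at = n
        elif (target == "ACCEPT" and "--dport" in toks and accept_at is None
              and toks[toks.index("--dport") + 1] in ("22", "ssh")):
            accept_at = n
    return jump_at is not None and (accept_at is None or jump_at < accept_at)


# Constructed sample log; timestamps are seconds from an arbitrary origin so
# the example does not depend on syslog date parsing.
SAMPLE_LOG = [
    (0, "Mar 14 15:32:59 Zhadum sshd[4001]: Invalid user admin from 10.2.111.180"),
    (0, "Mar 14 15:32:59 Zhadum sshd[4001]: Failed password for invalid user admin from 10.2.111.180 port 4112 ssh2"),
    (1, "Mar 14 15:33:00 Zhadum sshd[4003]: Failed password for root from 10.2.111.180 port 4113 ssh2"),
    (2, "Mar 14 15:33:01 Zhadum sshd[4004]: Accepted publickey for giovanni from 10.2.111.5 port 4200 ssh2"),
    (5000, "Mar 14 16:56:19 Zhadum sshd[4100]: Failed password for root from 192.0.2.7 port 5000 ssh2"),
]

# Constructed `iptables -S INPUT` listings: the first appended the jump with
# -A, so it lands below the SSH ACCEPT; the second inserted it at the top
# with `iptables -I INPUT 1 -j sshguard`.
INPUT_BAD = """-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard"""

INPUT_GOOD = """-P INPUT ACCEPT
-A INPUT -j sshguard
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"""

if __name__ == "__main__":
    for argv in scan(SAMPLE_LOG):
        print("would run:", " ".join(argv))
    print("jump before SSH ACCEPT (bad listing):", chain_order_ok(INPUT_BAD))
    print("jump before SSH ACCEPT (good listing):", chain_order_ok(INPUT_GOOD))
```

Two points worth keeping from this: the block command is built with whatever `iptables` path is passed in, which is the ./configure-able behaviour the thread asks for, and `chain_order_ok` turns the "try telnetting from %%block-ip%%" test into something you can run against `iptables -S INPUT` output without a second host. A real run of such a tool belongs under root (or a dedicated user granted only the iptables invocation), never setuid, for exactly the reason given at the top of the thread: whoever can write to its stdin chooses which addresses get dropped.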