From: Mij <mi...@bi...> - 2007-06-27 10:24:15
On 27/giu/07, at 00:07, Robert S wrote:

>> 2) for syslogd, external procs are not started when syslogd is
>> restarted, but at the first occurrence of a log for them. So, restart
>> syslogd and try an ssh login before checking ps.
>
> I tried using syslog-ng - no luck.
>
>> I am interested in your report. Could you please:
>> 1) disable syslog config for sshguard
>> 2) reinstall sshguard
>> 3) run sshguard from the command line as
>> /usr/local/sbin/sshguard
>
> I have tried these things. I get no output when I do this:
>
> # /usr/local/sbin/sshguard

This is the correct behaviour; it is expecting input to scan. With 1.1beta you have "-d" to dump logging to standard output; otherwise the messages go to syslog.

> When I do Ctrl-C I get:
>
> ip6tables: No chain/target/match by that name
>
> (I assume this is normal because I don't have any ip6tables chain - I
> get this on my gentoo machine that works OK)

Correct; on shutdown blocking rules are flushed for consistency; iptables and ip6tables are called for IPv4 and IPv6.

> My /var/log/messages gives me these messages, but there is no sign
> that sshguard is being activated when a failed login occurs:
>
> Jun 27 17:48:06 etch sshguard[11412]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 27 17:48:55 etch sshguard[11412]: Got exit signal, flushing blocked addresses and exiting...
>
> These are the messages I get in my logs when a failed login occurs (I
> tried disabling PAM):
>
> Jun 27 17:49:25 etch sshd[11521]: Failed password for robert from 192.168.2.40 port 33202 ssh2
> Jun 27 17:49:28 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2
> Jun 27 17:49:29 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2
>
> With PAM enabled I get these messages:
>
> Jun 27 17:58:28 etch sshd[11575]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au user=robert
> Jun 27 17:58:31 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2
> Jun 27 17:58:33 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2
> Jun 27 17:58:36 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2
>
> I hope this is of some help.
>
> Robert.

It will not react if you start it from the command line without feeding it log messages. You could try running "/usr/local/sbin/sshguard" from the command line and pasting this line into its input (from the keyboard):

Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4

Paste it 4 times, then check "iptables -L" to see if a drop rule for 1.2.3.4 exists. Check on another terminal without interrupting sshguard, otherwise it will flush all rules. Then try feeding from tail.

If attacks are not blocked then the only possibility is that sshd is logging unrecognized messages. I definitely do not expect this. Anyway, with "sshguard -d" (1.1beta) or compiling sshguard with -DDEBUG (use "CFLAGS=-DDEBUG make -e" from the shell) (1.0) you have a report on stdout, e.g.

# tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 27 12:22:19 portabilis sshd[5355]: Invalid user asd from 127.0.0.1
Matched IP address 127.0.0.1
Jun 27 12:22:19 portabilis sshd[5355]: Failed none for invalid user asd from 127.0.0.1 port 49512 ssh2

(this is on Mac OS X). If both of these work, then the problem is in the way sshguard is called or in how messages are passed to it from syslog-ng.

bye
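The diagnosis Mij proposes above comes down to one question: does sshd on this host emit lines from which an address can be matched, and does the same address show up enough times to reach the threshold? The script below is an added example written for this page, not sshguard's own code or its real pattern set. It runs candidate sshd lines through hypothetical recognisers modelled on the three message shapes quoted in the thread ("Failed ... for ... from IP", "Invalid user ... from IP", and the pam_unix "authentication failure; ... rhost=" line), reports which lines were recognised and which source each one attributes, counts hits per address, and flags an address once it has been seen 4 times (the count the thread uses when it says to paste the line 4 times). The ATTEMPT_THRESHOLD constant, the regexes and the SAMPLE_LOG lines are assumptions or constructed for the example; it only reports and never touches iptables, so it can be run offline to confirm a log format before debugging the syslog plumbing.

```python
import re
import sys
from collections import Counter

# Hypothetical recognisers for the sshd message shapes quoted in this thread.
# Written for this example; they are NOT sshguard's own patterns.
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    # "Failed password for robert from 192.168.2.40 port 33202 ssh2"
    # "Failed none for invalid user asd from 127.0.0.1 port 49512 ssh2"
    ("failed_auth", re.compile(
        r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from " + IPV4)),
    # "Invalid user admin from 1.2.3.4"
    ("invalid_user", re.compile(
        r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + IPV4)),
    # "(pam_unix) authentication failure; ... rhost=myhost.mydomain.com.au user=robert"
    # Note: rhost may carry a hostname, or nothing at all, rather than an address.
    ("pam_unix_failure", re.compile(
        r"sshd\[\d+\]: \(pam_unix\) authentication failure;.*rhost=(?P<host>\S*)")),
]

# Assumed threshold: the thread says to paste the attack line 4 times
# before a drop rule is expected to appear.
ATTEMPT_THRESHOLD = 4


def classify(line):
    """Return (kind, source) for a recognised sshd failure line, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            groups = m.groupdict()
            return kind, groups.get("ip") or groups.get("host") or ""
    return None


def is_ipv4(text):
    return re.fullmatch(IPV4, text) is not None


def scan(lines, threshold=ATTEMPT_THRESHOLD):
    """Run lines through the recognisers and build a diagnostic report.

    recognised:        (kind, source) for every line a recogniser accepted
    unrecognised:      lines no recogniser accepted (what Mij's hypothesis predicts)
    hostname_sources:  recognised lines whose source is a name or empty, so no
                       address is available for a firewall rule
    counts:            failures seen per IPv4 address
    over_threshold:    addresses that reached the threshold, in order
    """
    report = {"recognised": [], "unrecognised": [], "hostname_sources": [],
              "over_threshold": []}
    counts = Counter()
    for line in lines:
        line = line.rstrip("\n")
        hit = classify(line)
        if hit is None:
            report["unrecognised"].append(line)
            continue
        kind, source = hit
        report["recognised"].append((kind, source))
        if not is_ipv4(source):
            report["hostname_sources"].append(source)
            continue
        counts[source] += 1
        if counts[source] == threshold:
            report["over_threshold"].append(source)
    report["counts"] = dict(counts)
    return report


# Constructed sample, modelled on the lines quoted in this thread plus one
# sshguard status line that no sshd recogniser should accept.
SAMPLE_LOG = [
    "Jun 27 17:49:25 etch sshd[11521]: Failed password for robert from 192.168.2.40 port 33202 ssh2",
    "Jun 27 17:49:28 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2",
    "Jun 27 17:49:29 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2",
    "Jun 27 17:58:28 etch sshd[11575]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au user=robert",
    "Jun 27 17:58:31 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2",
    "Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4",
    "Jun 27 12:22:19 portabilis sshd[5355]: Failed none for invalid user asd from 127.0.0.1 port 49512 ssh2",
    "Jun 27 17:48:06 etch sshguard[11412]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.",
]


if __name__ == "__main__":
    # Pipe a log in (e.g. from tail -F) or run with no input to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    result = scan(source)
    for kind, src in result["recognised"]:
        print(f"matched {kind:17s} source={src or '<empty>'}")
    for line in result["unrecognised"]:
        print(f"unrecognised: {line}")
    print("per-address failures:", result["counts"])
    print("reached threshold:", result["over_threshold"])
```

On the sample, the four "Failed password" lines for 192.168.2.40 push that address to the threshold, the pam_unix line is recognised but lands in hostname_sources because rhost carries a name rather than an address, and the sshguard status line is the only unrecognised one. Feeding a real log through stdin and seeing every sshd failure line come back unrecognised is the outcome Mij says he does not expect; seeing them recognised but the address never reaching the threshold points instead at how the lines are delivered to sshguard.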