From: Robert S <rob...@gm...> - 2007-06-27 11:44:24
> You would try running "/usr/local/sbin/sshguard" from the command
> line and pasting this line in its input (from keyboard)
>
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4

This seems to work (compiled with debugging):

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Blocking 1.2.3.4: 4 failures over 3 seconds.
Setting environment: SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Got exit signal, flushing blocked addresses and exiting...
ip6tables: No chain/target/match by that name
Run command "/sbin/iptables -F sshguard ; /sbin/ip6tables -F sshguard": exited 256.

> paste it 4 times then check "iptables -L" to see if a drop rule for

This confirms that the address 1.2.3.4 is DROPed.

> # tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard

No luck when I use a username that exists on the system:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from 192.168.2.40 port 40727 ssh2
Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:48 etch sshd[5800]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
Jun 28 07:13:49 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
Jun 28 07:13:52 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
Jun 28 07:13:56 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
<etc>

On the other hand - if I use a non-existent user the following happens:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 192.168.2.40
Jun 28 07:24:45 etch sshd[5922]: Failed none for invalid user foobar from 192.168.2.40 port 58171 ssh2
Matched IP address 192.168.2.40
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:24:50 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:24:55 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:56 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:01 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:25:03 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:04 etch sshd[5924]: Failed none for invalid user foobar from 192.168.2.40 port 58172 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:09 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:13 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:15 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:16 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:18 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:20 etch sshd[5926]: Failed none for invalid user foobar from 192.168.2.40 port 58173 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) check pass; user unknown
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:23 etch sshd[5926]: Failed password for invalid user foobar from 192.168.2.40 port 58173 ssh2
Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:25 etch sshd[5928]: Failed none for invalid user foobar from 192.168.2.40 port 58174 ssh2
Matched IP address 192.168.2.40
Blocking 192.168.2.40: 4 failures over 40 seconds.
Setting environment: SSHG_ADDR=192.168.2.40;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

Strangely, I am still able to log into "etch". iptables -L gives me:

Chain sshguard (0 references)
target     prot opt source                  destination
DROP       0    --  myhost.mydomain.com.au  anywhere

Further - if I run sshguard with no input, and feed it "Failed password for robert from 192.168.2.40 port 40727 ssh2", it does nothing:

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2

It appears to me that sshguard doesn't recognise most of my log messages??
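A small matcher for the two sshd message forms in this thread, added here as an illustration and not sshguard's own parser: it recognises both "Invalid user ... from IP" lines (which the transcript shows sshguard matching) and "Failed password for ... from IP port N" lines (which it did not), counts failures per source address in a sliding window, and reports when the abuse threshold is reached. It assumes the (a,p,s) triple means attempts, pardon seconds and stale seconds (my reading, not stated in the thread), and the sample lines are copied from the message above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix as seen in the thread: "Jun 28 07:13:28 etch sshd[5789]: <msg>"
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# The two sshd auth-failure forms from the thread. The "(pam_unix) ..." lines are
# deliberately not matched: they carry no source address of their own.
PATTERNS = [
    re.compile(r"Invalid user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"Failed (?:password|none) for (?:invalid user )?\S+ from "
               r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"),
]

def parse_line(line, year=2007):
    """Return (timestamp, source_ip) for an sshd auth-failure line, else None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    for pat in PATTERNS:
        hit = pat.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("ip")
    return None

def scan(lines, threshold=4, stale_s=1200):
    """Sliding-window counter in the spirit of sshguard's (a, s) parameters (assumed
    semantics). Returns a list of (ip, failures, seconds_spanned) block decisions."""
    recent = defaultdict(deque)
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # unrecognised line: this is exactly the thread's complaint
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > stale_s:
            q.popleft()       # forget attempts older than the stale window
        if len(q) >= threshold:
            blocks.append((ip, len(q), int((ts - q[0]).total_seconds())))
            q.clear()
    return blocks

# Sample input copied from the thread (the "robert" run that sshguard ignored).
SAMPLE = [
    "Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from 192.168.2.40 port 40727 ssh2",
    "Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert",
    "Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2",
    "Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2",
    "Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2",
]
```

Running `scan(SAMPLE)` yields a block decision for 192.168.2.40 after the fourth failure, 14 seconds after the first; feeding the bare "Failed password ..." text without its syslog prefix, as in the last experiment above, is rejected by the prefix check.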