From: Mij <mi...@bi...> - 2007-06-28 15:46:04
On 27/giu/07, at 13:44, Robert S wrote:

>> You would try running "/usr/local/sbin/sshguard" from the command line and
>> pasting this line in its input (from keyboard)
>>
>> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
>>
>
> This seems to work (compiled with debugging):
>
> # /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Blocking 1.2.3.4: 4 failures over 3 seconds.
>
> Setting environment:
> SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
> Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Got exit signal, flushing blocked addresses and exiting...
> ip6tables: No chain/target/match by that name
> Run command "/sbin/iptables -F sshguard ; /sbin/ip6tables -F sshguard": exited 256.
>
>> paste it 4 times then check "iptables -L" to see if a drop rule for
>
> This confirms that the address 1.2.3.4 is DROPed
>
>> # tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard
>
> No luck when I use a username that exists on the system:
>
> # tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from 192.168.2.40 port 40727 ssh2
> Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
> Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:48 etch sshd[5800]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
> Jun 28 07:13:49 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
> Jun 28 07:13:52 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
> Jun 28 07:13:56 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
> <etc>
>
> On the other hand - if I use a non-existent user the following happens:
>
> # tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 192.168.2.40
> Jun 28 07:24:45 etch sshd[5922]: Failed none for invalid user foobar from 192.168.2.40 port 58171 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:24:48 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:24:48 etch sshd[5922]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:24:50 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:24:55 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:24:56 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:25:01 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:25:03 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:04 etch sshd[5924]: Failed none for invalid user foobar from 192.168.2.40 port 58172 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:25:06 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:06 etch sshd[5924]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:25:09 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:13 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:15 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:16 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:18 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:20 etch sshd[5926]: Failed none for invalid user foobar from 192.168.2.40 port 58173 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:25:21 etch sshd[5926]: (pam_unix) check pass; user unknown
> Jun 28 07:25:21 etch sshd[5926]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:25:23 etch sshd[5926]: Failed password for invalid user foobar from 192.168.2.40 port 58173 ssh2
> Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:25 etch sshd[5928]: Failed none for invalid user foobar from 192.168.2.40 port 58174 ssh2
> Matched IP address 192.168.2.40
> Blocking 192.168.2.40: 4 failures over 40 seconds.
>
> Setting environment:
> SSHG_ADDR=192.168.2.40;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
> Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
>
> Strangely, I am still able to log into "etch". iptables -L gives me:
>
> Chain sshguard (0 references)
> target prot opt source destination
> DROP 0 -- myhost.mydomain.com.au anywhere

sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible?

> Further - if I run sshguard with no input, and feed it "Failed password for robert from 192.168.2.40 port 40727 ssh2", it does nothing:
>
> # /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
>
> It appears to me that sshguard doesn't recognise most of my log messages??
There are 2 basic kinds of attack: invalid user or invalid password. The former is recognized on your system, the latter is not.

There is a parser attached that recognizes these logs. It has been integrated in 1.1beta3. You can simply copy these files in a clean sshguard-1.0 package (directory "src") and then run:

cd src
bison -vd attack_parser.y
flex attack_scanner.l

then recompile and reinstall.

bye
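The two attack kinds named in the reply map to two sshd log shapes: "Invalid user X from ADDR" (non-existent account) and "Failed password for X from ADDR port N ssh2" (existing account, wrong password), the second being what the 1.0 parser in this thread ignored. The following is an added example of my own, not sshguard's attack_parser.y or anything attached to this list: it recognises both shapes, with or without the syslog prefix (sshguard is fed bare lines from the keyboard above), counts hits per source address and announces a block after a threshold, in the style of the "Blocking ...: 4 failures over N seconds." line shown. The threshold 4 mirrors the first value in "(a,p,s)=(4, 420, 1200)"; using the third value as the counting window is my reading of that output, and the year 2007 attached to the year-less syslog stamps is taken from the message date. The sample lines in the test are the ones Robert posted.

```python
"""Recognise sshd authentication failures and apply a per-address threshold.

Added example, not sshguard's own parser. It mirrors what the thread shows
sshguard doing (match a source address, count hits, announce a block after
`threshold` hits) and also recognises "Failed password for <existing user>".
"""
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# The syslog prefix ("Jun 28 07:13:28 etch sshd[5789]: ") is optional because
# sshguard also accepts bare lines typed at the keyboard, as in the thread.
_PREFIX = r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: )?"
_ADDR = r"(?P<addr>[0-9A-Fa-f.:]+)"

# Two attack kinds: a probe for a non-existent account, and an authentication
# failure. "Failed none" is the pre-password probe sshd logs for invalid users
# (also in the thread); note an invalid-user attempt therefore counts twice.
_PATTERNS = (
    ("invalid_user", re.compile(_PREFIX + r"Invalid user (?P<user>\S+) from " + _ADDR + r"\s*$")),
    ("failed_auth", re.compile(_PREFIX + r"Failed (?:password|none) for (?:invalid user )?(?P<user>\S+) from "
                               + _ADDR + r" port \d+ ssh2\s*$")),
)

_YEAR = 2007  # syslog stamps carry no year; the thread is from June 2007 (assumption)


def _syslog_seconds(stamp):
    """Seconds since 1 Jan of _YEAR for a 'Jun 28 07:13:28' stamp (timezone-free arithmetic)."""
    dt = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S").replace(year=_YEAR)
    return (dt - datetime(_YEAR, 1, 1)).total_seconds()


def parse_line(line):
    """Return (kind, user, addr, seconds_or_None) for a recognised line, else None."""
    for kind, pattern in _PATTERNS:
        m = pattern.match(line.strip())
        if m:
            ts = _syslog_seconds(m.group("ts")) if m.group("ts") else None
            return kind, m.group("user"), m.group("addr"), ts
    return None  # e.g. "(pam_unix) authentication failure" lines: no address, ignored


class AttackMonitor:
    """Count recognised failures per source address inside a sliding window."""

    def __init__(self, threshold=4, window=1200):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)  # addr -> times of recent recognised failures
        self.blocked = {}                # addr -> (failures, seconds spanned)

    def feed(self, line, now=None):
        """Feed one log line; return (addr, failures, span) when the threshold is reached."""
        parsed = parse_line(line)
        if parsed is None or parsed[2] in self.blocked:
            return None
        _, _, addr, ts = parsed
        if ts is None:  # bare line without a syslog stamp: use the supplied clock
            ts = time.time() if now is None else now
        hits = self._hits[addr]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:  # forget hits older than the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        decision = (addr, len(hits), hits[-1] - hits[0])
        self.blocked[addr] = decision[1:]
        hits.clear()
        return decision


def describe(decision):
    """Render a decision in the style of sshguard's own "Blocking ..." line."""
    addr, failures, span = decision
    return "Blocking %s: %d failures over %d seconds." % (addr, failures, round(span))


if __name__ == "__main__":
    # Same pipeline shape as in the thread: tail -n0 -F /var/log/messages | python3 thisfile.py
    import sys
    monitor = AttackMonitor()
    for raw in sys.stdin:
        verdict = monitor.feed(raw)
        if verdict:
            print(describe(verdict))
```

Deciding is only half of the job the thread is about: the "Chain sshguard (0 references)" in Robert's `iptables -L` output is the other half, since a chain nothing jumps to is never consulted, which is what the reply means by the INPUT chain not being pointed at it.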