From: Steve O. <oc...@nc...> - 2007-10-04 21:14:40
Hello again.

OK I've successfully built and installed after my changes mentioned below but the program is failing to block hosts.

The way I'm running the program (as root) as such:

tail -0f /var/adm/sshlog | /usr/local/sbin/sshguard

(which didn't give any errors after I replaced the sun grep with gnu grep)

I do have the two lines:

##sshguard-begin##
##sshguard-end##

in my /etc/opt/ipf/ipf.conf which is symlinked as /etc/ipf.rules

I tried ssh'ing in as root about 20 times as quick as ssh allowed me from a linux machine (it took a couple of minutes) but the rules have not changed and I'm not banned.

Here is an excerpt from the logs:

------------------------------------------------------------------------
Oct 4 16:53:22 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:53:22 newton sshd[27849]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:53:23 newton sshd[27849]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:53:28 newton last message repeated 2 times
Oct 4 16:53:30 newton sshd[27849]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:53:30 newton sshd[27849]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:53:58 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:53:58 newton sshd[27854]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:53:59 newton sshd[27854]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:54:04 newton last message repeated 2 times
Oct 4 16:54:06 newton sshd[27854]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:54:06 newton sshd[27854]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:54:07 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:54:07 newton sshd[27858]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:54:08 newton sshd[27858]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:54:13 newton last message repeated 2 times
Oct 4 16:54:15 newton sshd[27858]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:54:15 newton sshd[27858]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:54:16 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:54:16 newton sshd[27862]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:54:18 newton sshd[27862]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:54:24 newton last message repeated 2 times
Oct 4 16:54:26 newton sshd[27862]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:54:26 newton sshd[27862]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:54:28 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:54:28 newton sshd[27864]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:54:29 newton sshd[27864]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:54:34 newton last message repeated 2 times
Oct 4 16:54:36 newton sshd[27864]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:54:36 newton sshd[27864]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:54:37 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:54:37 newton sshd[27870]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:54:38 newton sshd[27870]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:54:44 newton last message repeated 2 times
Oct 4 16:54:46 newton sshd[27870]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:54:46 newton sshd[27870]: [ID 702911 local7.info] connection lost: 'Connection closed.'
Oct 4 16:55:39 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:55:39 newton sshd[27881]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:55:43 newton sshd[27881]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:55:49 newton last message repeated 2 times
Oct 4 16:55:51 newton sshd[27881]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 16:55:51 newton sshd[27881]: [ID 702911 local7.info] connection lost: 'Connection closed.'
------------------------------------------------------------------------

I also tried an invalid user as guest and that didn't work either:

------------------------------------------------------------------------
Oct 4 17:05:06 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 17:05:06 newton sshd[28007]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 17:05:07 newton sshd[28007]: [ID 702911 local7.warning] password authentication failed. Login to account guest not allowed or account non-existent.
Oct 4 17:05:12 newton last message repeated 2 times
Oct 4 17:05:14 newton sshd[28007]: [ID 702911 local7.info] Local disconnected: Connection closed.
Oct 4 17:05:14 newton sshd[28007]: [ID 702911 local7.info] connection lost: 'Connection closed.'
------------------------------------------------------------------------

I'm guessing that the program is looking for a different string to watch out for in the logs but there is no config file to change that string.

Any further help would be appreciated.

Thanks

-Steve O.

On 3 Oct 2007 at 20:52, ssh...@li...urcefo wrote:

> On 3 Oct 2007 at 19:59, Steve Ochani wrote:
>
> > > then try compiling: run
> > >
> > > gcc -I. -O2 -o sshguard sshguard.o sshguard_whitelist.o
> > > sshguard_log.o sshguard_procauth.o simclist.o attack_parser.o
> > > attack_scanner.o fwalls/libfwall.a -lpthread -lsocket -lresolv
> > > -lnsl
> >
> > Did that and I get 1 linker error
> >
> > gcc -I. -O2 -o sshguard sshguard.o sshguard_whitelist.o
> > sshguard_log.o sshguard_procauth.o simclist.o attack_parser.o
> > attack_scanner.o fwalls/libfwall.a -lpthread - lsocket -lresolv
> > -lnsl
> > Undefined                       first referenced
> >  symbol                             in file
> > gethostbyname2                      attack_parser.o
> > ld: fatal: Symbol referencing errors. No output written to sshguard
> > collect2: ld returned 1 exit status
>
> I edited attack_parser.c and changed gethostbyname2 call to plain old
> gethostbyname and took out the last arg of AF_INET even though I
> realize the 2nd call is for ipv6, but I'm not using ipv6 so I should
> be ok.
>
> I'll hopefully have time to install and test it tomorrow.
>
> Thanks for the help.
>
> I'll report back by results.
>
> (I can't wait to get my new Linux servers in a few months and get rid
> of p.o.s. solaris)
>
> -Steve O.
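Added example, not part of the message above and not sshguard's own parser: a sketch of what a matcher for this particular log format has to do, since the failure lines carry no address and come from a child sshd pid rather than the listener (pid 640) that logs `connection from`. The function name `count_failures` and the fallback to the most recent connection are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the excerpts in the message above.
SAMPLE = """\
Oct 4 16:53:22 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 16:53:22 newton sshd[27849]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 16:53:23 newton sshd[27849]: [ID 702911 local7.warning] Wrong password given for user 'root'.
Oct 4 16:53:28 newton last message repeated 2 times
Oct 4 17:05:06 newton sshd[640]: [ID 702911 local7.info] connection from "10.31.5.173"
Oct 4 17:05:06 newton sshd[28007]: [ID 702911 local7.warning] WARNING: DNS lookup failed for "10.31.5.173".
Oct 4 17:05:07 newton sshd[28007]: [ID 702911 local7.warning] password authentication failed. Login to account guest not allowed or account non-existent.
Oct 4 17:05:12 newton last message repeated 2 times
"""

# Anchored at line/message start so text inside a user name cannot pose as a record.
LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: \[ID \d+ [\w.]+\] (.*)$')
ADDR = re.compile(r'(?:connection from|WARNING: DNS lookup failed for) "([0-9A-Fa-f.:]+)"')
FAIL = re.compile(r"Wrong password given for user '|password authentication failed\.")
REPEAT = re.compile(r'^\w{3}\s+\d+ [\d:]{8} \S+ last message repeated (\d+) times$')

def count_failures(lines):
    """Return a Counter mapping source address -> failed authentication count."""
    pid_addr = {}     # sshd pid -> address named in one of its own lines
    last_addr = None  # most recent address seen; fallback only, can misattribute
    prev_fail = None  # address charged by the previous line, if it was a failure
    hits = Counter()
    for line in lines:
        rep = REPEAT.match(line)
        if rep:
            # syslog collapsed identical lines: charge them to the same address
            if prev_fail:
                hits[prev_fail] += int(rep.group(1))
            continue
        prev_fail = None
        rec = LINE.match(line)
        if not rec:
            continue
        pid, msg = rec.groups()
        addr = ADDR.match(msg)
        if addr:
            last_addr = pid_addr[pid] = addr.group(1)
        elif FAIL.match(msg):
            # no address on this line: use the pid's own mapping, else last seen
            prev_fail = pid_addr.get(pid, last_addr)
            if prev_fail:
                hits[prev_fail] += 1
    return hits

print(count_failures(SAMPLE.splitlines()))
```

Each session in the excerpt counts as three failures once the `last message repeated 2 times` line is folded in, which a matcher looking only at the literal failure string would undercount.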