sshguard-users Mailing List for SSHGuard (Page 13)

Intelligently block brute-force attacks by aggregating system logs

Brought to you by: mijio, partmedia

sshguard-users — User questions and answers, bugs, and general support

You can subscribe to this list here.

2007	Jan	Feb	Mar (10)	Apr (7)	May (6)	Jun (13)	Jul (4)	Aug	Sep	Oct (17)	Nov (5)	Dec (4)
2008	Jan (2)	Feb	Mar	Apr (4)	May (2)	Jun (7)	Jul (10)	Aug (4)	Sep (14)	Oct	Nov (1)	Dec (7)
2009	Jan (17)	Feb (20)	Mar (11)	Apr (14)	May (8)	Jun (3)	Jul (22)	Aug (9)	Sep (8)	Oct (6)	Nov (4)	Dec (8)
2010	Jan (17)	Feb (9)	Mar (15)	Apr (24)	May (14)	Jun (1)	Jul (21)	Aug (6)	Sep (2)	Oct (2)	Nov (6)	Dec (9)
2011	Jan (11)	Feb (1)	Mar (3)	Apr (4)	May	Jun	Jul (2)	Aug (3)	Sep (2)	Oct (29)	Nov (1)	Dec (1)
2012	Jan (1)	Feb (1)	Mar	Apr (13)	May (4)	Jun (9)	Jul (2)	Aug (2)	Sep (1)	Oct (2)	Nov (11)	Dec (4)
2013	Jan (2)	Feb (2)	Mar (4)	Apr (13)	May (4)	Jun	Jul	Aug (1)	Sep (5)	Oct (3)	Nov (1)	Dec (3)
2014	Jan	Feb (3)	Mar (3)	Apr (6)	May (8)	Jun	Jul	Aug (1)	Sep (1)	Oct (3)	Nov (14)	Dec (8)
2015	Jan (16)	Feb (30)	Mar (20)	Apr (5)	May (33)	Jun (11)	Jul (15)	Aug (91)	Sep (23)	Oct (10)	Nov (7)	Dec (9)
2016	Jan (22)	Feb (8)	Mar (6)	Apr (23)	May (38)	Jun (29)	Jul (43)	Aug (43)	Sep (18)	Oct (8)	Nov (2)	Dec (25)
2017	Jan (38)	Feb (3)	Mar (1)	Apr	May (18)	Jun (2)	Jul (16)	Aug (2)	Sep	Oct (1)	Nov (4)	Dec (14)
2018	Jan (15)	Feb (2)	Mar (3)	Apr (5)	May (8)	Jun (12)	Jul (19)	Aug (16)	Sep (8)	Oct (13)	Nov (15)	Dec (10)
2019	Jan (9)	Feb (3)	Mar	Apr (2)	May	Jun (1)	Jul	Aug (5)	Sep (5)	Oct (12)	Nov (4)	Dec
2020	Jan (2)	Feb (6)	Mar	Apr	May (11)	Jun (1)	Jul (3)	Aug (22)	Sep (8)	Oct	Nov (2)	Dec
2021	Jan (7)	Feb	Mar (19)	Apr	May (10)	Jun (5)	Jul (7)	Aug (3)	Sep (1)	Oct	Nov (10)	Dec (4)
2022	Jan (17)	Feb	Mar (7)	Apr (3)	May	Jun (1)	Jul (3)	Aug	Sep	Oct (6)	Nov	Dec
2023	Jan	Feb (5)	Mar (1)	Apr (3)	May	Jun (3)	Jul (2)	Aug	Sep	Oct	Nov (6)	Dec
2024	Jan	Feb	Mar	Apr	May (3)	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar (15)	Apr (8)	May (10)	Jun	Jul	Aug	Sep (6)	Oct	Nov	Dec

Flat | Threaded

<< < 1 .. 11 12 13 14 15 .. 64 > >> (Page 13 of 64)

Re: [SSHGuard-users] More debugging output

From: Frank S. <fst...@bi...> - 2018-09-28 08:28:17

Kevin Zheng wrote:

> On 9/27/18 2:55 AM, Frank Steiner wrote:
>> Hi,
>>
>> just a little proposal for an improvment: trying to figure out why certain
>> actions get the matches/score they do, it would be very helpful if the
>> "Attack from..." messages could contain the rule that matched. Like
>> "Attack from xxx on service 100 (SSH_MAXAUTH) with danger.."
>>
>> I had to patch that myself to figure out why so many rules matched
>> for my ssh, but I just added stupid print statements in attack_scanner.c,
>> so I cannot offer a valid patch for this.
> 
> Have you tried running sshg-parser in libexec? The output is currently a
> bit cryptic, but it'll tell you which rule was matched.

Hmm, if I feed journalctl to sshg-parser I only get lines like
100 x.x.x.x 4 10
100 x.x.x.x 4 3

These are two different rules, the first one is the unknown user, the
second one the maximum reached as I patched that one to score 3.

-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [SSHGuard-users] More debugging output

From: Kevin Z. <kev...@gm...> - 2018-09-27 15:25:39

On 9/27/18 2:55 AM, Frank Steiner wrote:
> Hi,
> 
> just a little proposal for an improvment: trying to figure out why certain
> actions get the matches/score they do, it would be very helpful if the
> "Attack from..." messages could contain the rule that matched. Like
> "Attack from xxx on service 100 (SSH_MAXAUTH) with danger.."
> 
> I had to patch that myself to figure out why so many rules matched
> for my ssh, but I just added stupid print statements in attack_scanner.c,
> so I cannot offer a valid patch for this.

Have you tried running sshg-parser in libexec? The output is currently a
bit cryptic, but it'll tell you which rule was matched.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] More debugging output

From: Frank S. <fst...@bi...> - 2018-09-27 09:56:01

Hi,

just a little proposal for an improvment: trying to figure out why certain
actions get the matches/score they do, it would be very helpful if the
"Attack from..." messages could contain the rule that matched. Like
"Attack from xxx on service 100 (SSH_MAXAUTH) with danger.."

I had to patch that myself to figure out why so many rules matched
for my ssh, but I just added stupid print statements in attack_scanner.c,
so I cannot offer a valid patch for this.

cu,
Frank


-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [SSHGuard-users] Scoring problems

From: Kevin Z. <kev...@gm...> - 2018-09-26 22:14:05

Hi Frank,

Thanks for the comments.

On 9/26/18 7:38 AM, Frank Steiner wrote:
> Thus, four attacks with score 10 each are counted, giving a score of 40
> for two wrong passwords. That happens because in addition to the two
> wrong passwords (SSH_LOGINERR_PAM, I've patched the scanner to see
> which rules matched) sshguard also counts the "maximum authentication
> attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam
> for someuser" (SSH_LOGINERR_PREF).
> 
> This really makes it hard to configure sshguard in a reasonable way.
> Two wrong ftp passwords are score 20, two wrong ssh passwords are
> 40. For my config it wouldn't be neccessary to count the
> "failed keyboard-interactive" or the "max attempts" when I already
> count each wrong password.

I agree this is bad.

> I saw in the comments that the rule SSH_LOGINERR_PREF was meant for
> Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE
> system they match both.

As you point out, it's hard to keep the rules generally applicable but
also avoid duplicates.

> I see only two ways to solve this problem in general: Either you
> define groups of commands that mean the same  and are only counted
> as one attack. But it might  be very hard to figure out e.g which
> pam messages belong to with sshd parent process if several connections
> are done in parallel.

Exactly.

> Or you allow users to define which rules should be counted with
> which score in the config file. E.g. setting sth. likle this
> in sshguard.conf:
> 
> SSH_LOGINERR_PREF=0
> SSH_MAXAUTH=3
> 
> That would sshguard cause to ignore the "Failed keyboard-interactive/pam"
> and counting the "max attempt" message with score 3 only.
> 
> This would allow every admin to adjust scoring to his/her specific
> needs, even different settings for several hosts.

Perhaps this is the better solution.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] Scoring problems

From: Frank S. <fst...@bi...> - 2018-09-26 14:56:42

Hi,

trying to make my sshguard config valid against the currently running
ssh attacks I stepped again on the problem of multiple counts of the
same action with ssh.

Here's an example. Our ssh config has MaxAuthTries=3. Invalid ssh keys
are counted as failed try and our default is that every user has one
key for hosts inside our network. For some hosts keys are not allowed,
so ssh will accept two password tries to login.

Assuming that both are wrong, here's what journalctl shows:

Sep 26 16:14:33 galois sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:36 myhost sshd[19431]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=someuser
Sep 26 16:14:38 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
Sep 26 16:14:38 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
Sep 26 16:14:38 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:38 myhost sshd[19429]: Postponed keyboard-interactive for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:38 myhost sshd[19434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=someuser
Sep 26 16:14:40 myhost sshd[19429]: error: PAM: Authentication failure for someuser from x.x.x.x
Sep 26 16:14:40 myhost sshd[19429]: Failed keyboard-interactive/pam for someuser from x.x.x.x port 39022 ssh2
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:40 myhost sshd[19429]: error: maximum authentication attempts exceeded for someuser from x.x.x.x port 39022 ssh2 [preauth]
Sep 26 16:14:40 myhost sshd[19429]: Disconnecting: Too many authentication failures [preauth]
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PAM
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_LOGINERR_PREF
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
Sep 26 16:14:40 myhost sshguard[17898]: matched ssh_maxauth
Sep 26 16:14:40 myhost sshguard[17898]: matched SSH_ADDR_SUFF
Sep 26 16:14:40 myhost sshguard[17903]: Attack from "x.x.x.x" on service 100 with danger 10.


Thus, four attacks with score 10 each are counted, giving a score of 40
for two wrong passwords. That happens because in addition to the two
wrong passwords (SSH_LOGINERR_PAM, I've patched the scanner to see
which rules matched) sshguard also counts the "maximum authentication
attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam
for someuser" (SSH_LOGINERR_PREF).

This really makes it hard to configure sshguard in a reasonable way.
Two wrong ftp passwords are score 20, two wrong ssh passwords are
40. For my config it wouldn't be neccessary to count the
"failed keyboard-interactive" or the "max attempts" when I already
count each wrong password.

I saw in the comments that the rule SSH_LOGINERR_PREF was meant for
Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE
system they match both.

I see only two ways to solve this problem in general: Either you
define groups of commands that mean the same  and are only counted
as one attack. But it might  be very hard to figure out e.g which
pam messages belong to with sshd parent process if several connections
are done in parallel.

Or you allow users to define which rules should be counted with
which score in the config file. E.g. setting sth. likle this
in sshguard.conf:

SSH_LOGINERR_PREF=0
SSH_MAXAUTH=3

That would sshguard cause to ignore the "Failed keyboard-interactive/pam"
and counting the "max attempt" message with score 3 only.

This would allow every admin to adjust scoring to his/her specific
needs, even different settings for several hosts.

cu,
Frank


-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [SSHGuard-users] configure-script does not honour --libexecprefix

From: Kevin Z. <kev...@gm...> - 2018-09-22 15:47:43

On 9/18/18 5:57 AM, Christopher Engelhard wrote:
> I'm trying to install sshguard to a non-standard location and stumbled
> upon the following problem: When setting the location using ./configure
> --prefix=<location>, sshguard installs to the specified path, but when
> executed looks for the sshg-...-binaries in /usr/local/libexec
> nonetheless. The same happens when the various paths are specified
> individually via --libexecdir=... etc. This appears to exclusively
> affect libexecdir, not e.g. sysconfdir.
> 
> Running sshguard-2.2.0 on Fedora Server 28
> Steps to reproduce:
> 1) Run ./configure --prefix=/opt && make && make install
> 2) copy example config file to /opt/etc/sshguard.conf and set backend
> 3) execute /opt/sbin/sshguard
> 
> SSHGuard will fail with the following error:
> "sshguard: '/usr/local/libexec/sshg-fw-iptables' is not executable"

Could you show your sshguard.conf?

I suspect what happened here is that you uncommented the default BACKEND
without changing it.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] configure-script does not honour --libexecprefix

From: Christopher E. <ce...@lc...> - 2018-09-18 13:13:47

Hi,
I'm trying to install sshguard to a non-standard location and stumbled 
upon the following problem: When setting the location using ./configure 
--prefix=<location>, sshguard installs to the specified path, but when 
executed looks for the sshg-...-binaries in /usr/local/libexec 
nonetheless. The same happens when the various paths are specified 
individually via --libexecdir=... etc. This appears to exclusively 
affect libexecdir, not e.g. sysconfdir.

Running sshguard-2.2.0 on Fedora Server 28
Steps to reproduce:
1) Run ./configure --prefix=/opt && make && make install
2) copy example config file to /opt/etc/sshguard.conf and set backend
3) execute /opt/sbin/sshguard

SSHGuard will fail with the following error:
"sshguard: '/usr/local/libexec/sshg-fw-iptables' is not executable"

Not much of a programmer, but please let me know if there is any way I 
can help further.

Best,
Christopher

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [SSHGuard-users] Blacklisting

From: Kevin Z. <kev...@gm...> - 2018-08-18 01:02:50

On 8/17/18 9:50 AM, Jos Chrispijn wrote:
> Can you tell me if the blacklist.db is for ip's that are banned forever
> or is it also used for certain amount of time (180, 360, 720 secs)after
> an ip is removed again from it?

Everything that goes into blacklist.db is banned permanently; the block
does not expire and is reloaded once SSHGuard restarts.

There are plans to persist regular blocks across restarts and make
blacklists a very, very long persistent ban.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] Adding IP to blacklist manually

From: Kevin Z. <kev...@gm...> - 2018-08-18 01:01:32

On 8/17/18 9:53 AM, Jos Chrispijn wrote:
> Kev, can you tell me how I can add an IP address manually to the
> blacklist.db?
> Is there a commandline for that or is it just open the file, copy the
> last line, change the IP address into the desired one, save it and
> restart SSHguard service?

There is no command-line. That's currently the way to do it.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] Adding IP to blacklist manually

From: Jos C. <jo...@cl...> - 2018-08-17 16:53:39

Kev, can you tell me how I can add an IP address manually to the 
blacklist.db?
Is there a commandline for that or is it just open the file, copy the 
last line, change the IP address into the desired one, save it and 
restart SSHguard service?

Thanks,
Jos

#CSSis {beautiful};

[SSHGuard-users] Blacklisting

From: Jos C. <jo...@cl...> - 2018-08-17 16:50:14

Can you tell me if the blacklist.db is for ip's that are banned forever 
or is it also used for certain amount of time (180, 360, 720 secs)after 
an ip is removed again from it?

Thanks,
Jos

#CSSis {beautiful};

Re: [SSHGuard-users] New 'sqlite' branch with persistent blocks

From: Kevin Z. <kev...@gm...> - 2018-08-09 17:32:30

On 8/9/18 12:12 AM, Frank Steiner wrote:
> Remembering the temporary blocks on restart, is a great idea!
> 
> There should be a little script allowing admins to list the db and
> prune specific entries by giving an ip etc. In case one of our students
> or researchers forgot again that his username is different on his laptop
> and tried to login several times with the wrong user and got blocked :-)
> This happens from time to time, and for the moment it's easy to remove
> such entries from the txt file.

Noted, thanks for the suggestion.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] New 'sqlite' branch with persistent blocks

From: Frank S. <fst...@bi...> - 2018-08-09 07:13:00

Kevin Zheng wrote:

>> Do you plan on leaving it up to the administrator to prune the blacklist
>> or will you include, by way of example in docs, a simple query on
>> dropping old records?
> 
> It will be automatic, pruning on startup and every hour or so. I just
> haven't sat down and written the query.

Remembering the temporary blocks on restart, is a great idea!

There should be a little script allowing admins to list the db and
prune specific entries by giving an ip etc. In case one of our students
or researchers forgot again that his username is different on his laptop
and tried to login several times with the wrong user and got blocked :-)
This happens from time to time, and for the moment it's easy to remove
such entries from the txt file.

cu,
Frank

-- 
Dipl.-Inform. Frank Steiner   Web:  http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

Re: [SSHGuard-users] New 'sqlite' branch with persistent blocks

From: Kevin Z. <kev...@gm...> - 2018-08-08 05:47:41

On 8/7/18 10:38 PM, jungle Boogie wrote:
> Nice work! It is annoying having the blacklist lost after reboots, so
> maybe this is a nice, valid solution.
> 
> Do you plan on leaving it up to the administrator to prune the blacklist
> or will you include, by way of example in docs, a simple query on
> dropping old records?

It will be automatic, pruning on startup and every hour or so. I just
haven't sat down and written the query.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] New 'sqlite' branch with persistent blocks

From: jungle B. <jun...@gm...> - 2018-08-08 05:38:24

Hi Kevin,

Nice work! It is annoying having the blacklist lost after reboots, so maybe
this is a nice, valid solution.

Do you plan on leaving it up to the administrator to prune the blacklist or
will you include, by way of example in docs, a simple query on dropping old
records?

Thanks!

[SSHGuard-users] New 'sqlite' branch with persistent blocks

From: Kevin Z. <kev...@gm...> - 2018-08-08 05:19:59

Hi there,

SSHGuard keeps an internal list in memory of recent attackers that is
lost when sshg-blocker restarts. One workaround is to enable
blacklisting and write frequent attackers to a permanent block file.

The new 'sqlite' branch on Bitbucket attempts to address this issue by
moving the in-memory list into an on-disk SQLite database. This new
branch depends on SQLite 3.

In this *experimental* branch, the '-b' flag has changed:

When '-b' is not specified, SSHGuard uses an in-memory database. If
there are no bugs, behavior should be no different than it is now.

When '-b' is specified with the argument THRESH:PATH (e.g.
120:/var/run/sshguard.db, just like now), the database is instead
written to PATH and will preserve attacks across restarts. The THRESH
specifies a blacklisting threshold, where an attacker who exceeds the
threshold will be blocked for 30 days.

WARNINGS:

The new database format is not compatible with the old blacklist format.
For now, point this to a new or non-existent file. When this is no
longer experimental, a converter script may be added.

Attacks are NOT deleted from the database AT ALL. This means the more
attacks SSHGuard sees, the bigger the database will grow. Some queries
have not been optimized and will slow down linearly with the size of the
database. Pruning old attacks will be written soon.

To use it:

https://bitbucket.org/sshguard/sshguard/branch/sqlite

Checkout by cloning the repository, then:
$ git checkout sqlite

Comments, and some initial feedback from those who are brave enough to
test this, are welcome!

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090