From: Kevin Z. <kev...@gm...> - 2016-06-03 15:31:12
|
On 06/03/16 01:04, Jos Chrispijn wrote:
> Just saw that this one slipped through SSHGuard:
>
> Jun 2 01:11:35 ceto postfix/smtpd[43199]: warning: hostname 178.217.186.124-host.valuehosted.com does not resolve to address 178.217.186.124: hostname nor servname provided, or not known
>
> Can you provide a link with which I can upload this text string on your website instead of in this mailing list? Thanks!

The issue tracker on Bitbucket is a good place:
https://bitbucket.org/sshguard/sshguard/issues?status=new&status=open

The list is fine, too, except I've been a bit busy lately and haven't been processing bug reports or list posts. Sorry.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Carmel <car...@ou...> - 2016-06-03 13:04:13
|
On Fri, 03 Jun 2016 08:43:20 -0400 li...@la... wrote:
> I've yet to trigger sshguard with postfix, so I appreciate this post.
> It will help me make a pentest, such as it is. A real pentest would
> trigger everything known about sshguard detection and in theory
> unknown attacks. I've thrown a lot of random text at postfix and
> because of the limited "vocabulary" of MTA, it all gets rejected by
> postfix.

I use Postfix and on an average, sshguard is triggered twice a day and sometimes more. I use sshguard in conjunction with IPFW so my setup may be different from yours. It would really help if you posted your "postfix -n" output plus a few examples of log entries that you believe should be triggering a response.

--
Carmel
|
|
From: <li...@la...> - 2016-06-03 12:43:29
|
I've yet to trigger sshguard with postfix, so I appreciate this post. It will help me make a pentest, such as it is. A real pentest would trigger everything known about sshguard detection and in theory unknown attacks. I've thrown a lot of random text at postfix and because of the limited "vocabulary" of MTA, it all gets rejected by postfix.

From: Jos Chrispijn
Sent: Friday, June 3, 2016 4:04 AM
To: ssh...@li...; ssh...@li...
Subject: [SSHGuard-users] Stow away

> Just saw that this one slipped through SSHGuard:
>
> Jun 2 01:11:35 ceto postfix/smtpd[43199]: warning: hostname 178.217.186.124-host.valuehosted.com does not resolve to address 178.217.186.124: hostname nor servname provided, or not known
>
> Can you provide a link with which I can upload this text string on your website instead of in this mailing list? Thanks!
>
> Best regards,
> Jos Chrispijn
|
|
From: Jos C. <ssh...@cl...> - 2016-06-03 08:04:19
|
Just saw that this one slipped through SSHGuard:

Jun 2 01:11:35 ceto postfix/smtpd[43199]: warning: hostname 178.217.186.124-host.valuehosted.com does not resolve to address 178.217.186.124: hostname nor servname provided, or not known

Can you provide a link with which I can upload this text string on your website instead of in this mailing list? Thanks!

Best regards,
Jos Chrispijn
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-29 12:53:25
|
On 05/27/16 12:19, Christos Chatzaras wrote:
> I run sshguard on 50+ freebsd servers and on two of them when I
> restart sshguard I get the server's primary IP in ipfw table 22. The
> question is why when I restart sshguard the ipfw table 22 has IPs and
> is not empty.
>
> I have these lines on my rc.conf :
>
> sshguard_enable="YES"
> sshguard_watch_logs="/var/log/auth.log:/var/log/maillog:/var/log/xferlog"

I'm not sure what's going on, either. Are you running the latest version from ports? Is the ipfw table empty when SSHGuard isn't running?

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Christos C. <ch...@cr...> - 2016-05-27 17:44:11
|
I run sshguard on 50+ freebsd servers and on two of them when I restart sshguard I get the server's primary IP in ipfw table 22. The question is why when I restart sshguard the ipfw table 22 has IPs and is not empty.

I have these lines on my rc.conf :

sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/var/log/maillog:/var/log/xferlog"
sshguard_blacklist=""
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-21 17:35:52
|
On 05/21/2016 12:05, Jef Poskanzer wrote:
> I never saw any response to this - just wanted to make sure it
> didn't slip through the cracks, since it looks like a serious bug
> that affects everyone doing log-sucking, not just me. Editing out
> my TL;DR rambling, the gist is that there's a missing call to stat().

Thanks for bringing this up again. I haven't gotten around to reading the other posts and kept putting it off...

>> Oh, I think I see the problem. sshguard_logsuck.c lines
>> 116-117, activate_source() is getting called with an uninitialized
>> fileinfo. Got to add a stat() to fill it in.

I think you're right. 'fileinfo' is not initialized, so activate_source() is storing a random 'st_ino'. Static analysis probably would have caught this. I need to run that sometime.

Like you said, the fix is probably just to add a call to stat(). I'll post again once I've made the fix.

>> So I guess this is happening to everyone but no one else noticed because
>> their log files get rotated on a sane schedule.

Not sure why this didn't cause problems with anyone else.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Jef P. <je...@ma...> - 2016-05-21 17:05:53
|
I never saw any response to this - just wanted to make sure it didn't slip through the cracks, since it looks like a serious bug that affects everyone doing log-sucking, not just me. Editing out my TL;DR rambling, the gist is that there's a missing call to stat().

>Oh, I think I see the problem. sshguard_logsuck.c lines
>116-117, activate_source() is getting called with an uninitialized
>fileinfo. Got to add a stat() to fill it in.
>
>So I guess this is happening to everyone but no one else noticed because
>their log files get rotated on a sane schedule.
|
|
From: <li...@la...> - 2016-05-21 14:01:31
|
Anvil rate limits any behavior, good or bad. But would you want an attacker to have to exceed in my case 60 failures per minute before the attack is stopped? Now you could set the limit lower, but it wouldn't be all that weird for say yahoogroups to dump a pile of mail at once if a few lists suddenly became chatty. In my VPS, I'm the only customer. But in a more typical application, you could have many users getting hit from a list server without any real bad behavior occurring, well other than it might be lunchtime and something is trending.

My point is you want to block bad behavior quickly. Anvil just limits floods, good or bad. It would be safe to assume a hacker/bot knows the default setting of postfix rate limiting and would stay under the radar.

Now that I have a command line means to annoy postfix, I will try a few scenarios of bad behavior and at least you would have the error messages handy should you decide to block based on them. The nice thing about swaks is you only need knowledge of bash scripting.

Funny thing about swaks is it knew immediately that a dynamic blocking service had blocked my attempt to send mail to an actual account on the system (as opposed to my open relay attempt). I wonder why a real email client can't do that?

Original Message
From: Kevin Zheng
Sent: Saturday, May 21, 2016 6:25 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] sshguard sniffing postifx---no odor detected

On 05/20/2016 19:40, li...@la... wrote:
> I set up a simple script using swaks to hit my email server with 100
> messages to relay. Since I don't have an open relay, these actions get
> flagged by postfix. Eventually the connection got dropped by postfix
> anvil, the rate limiter. Best I can tell postfix locks me out for 600
> seconds.
> http://www.postfix.org/anvil.8.html

It sounds like anvil(8) does the right thing.

> In any event, sshguard didn't block me. I grepped all the auth.logs for
> the offending IP. (I would have done more email testing but the Peet's
> wifi is on a dynamic blocking list!)

SSHGuard doesn't know about RCPT TO rejects (yet). We could teach it to.

Ultimately, it looks like anvil does what you want, so perhaps just add a rule to block the offender using the firewall when anvil starts to rate-limit? This might potentially be a better option since we won't need attack signatures for every error message that can be generated by a spammer.

Thoughts?

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-21 13:24:47
|
On 05/20/2016 19:40, li...@la... wrote:
> I set up a simple script using swaks to hit my email server with 100
> messages to relay. Since I don't have an open relay, these actions get
> flagged by postfix. Eventually the connection got dropped by postfix
> anvil, the rate limiter. Best I can tell postfix locks me out for 600
> seconds.
> http://www.postfix.org/anvil.8.html

It sounds like anvil(8) does the right thing.

> In any event, sshguard didn't block me. I grepped all the auth.logs for
> the offending IP. (I would have done more email testing but the Peet's
> wifi is on a dynamic blocking list!)

SSHGuard doesn't know about RCPT TO rejects (yet). We could teach it to.

Ultimately, it looks like anvil does what you want, so perhaps just add a rule to block the offender using the firewall when anvil starts to rate-limit? This might potentially be a better option since we won't need attack signatures for every error message that can be generated by a spammer.

Thoughts?

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: <li...@la...> - 2016-05-21 00:40:28
|
I set up a simple script using swaks to hit my email server with 100 messages to relay. Since I don't have an open relay, these actions get flagged by postfix. Eventually the connection got dropped by postfix anvil, the rate limiter. Best I can tell postfix locks me out for 600 seconds.
http://www.postfix.org/anvil.8.html

In any event, sshguard didn't block me. I grepped all the auth.logs for the offending IP. (I would have done more email testing but the Peet's wifi is on a dynamic blocking list!)

May 20 23:49:55 theranch postfix/smtpd[63244]: disconnect from unknown[216.216.202.69] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 20 23:49:56 theranch postfix/smtpd[63244]: connect from unknown[216.216.202.69]
May 20 23:49:56 theranch postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[216.216.202.69]: 554 5.7.1 <wr...@wr...>: Relay access denied; from=<me@cantsay> to=<wr...@wr...> proto=ESMTP helo=<linux-h57q.site>
May 20 23:49:56 theranch postfix/smtpd[63244]: disconnect from unknown[216.216.202.69] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 20 23:49:57 theranch postfix/smtpd[63244]: connect from unknown[216.216.202.69]
May 20 23:49:57 theranch postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[216.216.202.69]: 554 5.7.1 <wr...@wr...>: Relay access denied; from=<me@cantsay> to=<wr...@wr...> proto=ESMTP helo=<linux-h57q.site>
May 20 23:49:57 theranch postfix/smtpd[63244]: disconnect from unknown[216.216.202.69] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 20 23:49:57 theranch postfix/smtpd[63244]: connect from unknown[216.216.202.69]
May 20 23:49:57 theranch postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[216.216.202.69]: 554 5.7.1 <wr...@wr...>: Relay access denied; from=<me@cantsay> to=<wr...@wr...> proto=ESMTP helo=<linux-h57q.site>
May 20 23:49:57 theranch postfix/smtpd[63244]: disconnect from unknown[216.216.202.69] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 20 23:53:21 theranch postfix/anvil[63222]: statistics: max connection rate 71/60s for (smtp:216.216.202.69) at May 20 23:49:31
May 20 23:53:21 theranch postfix/anvil[63222]: statistics: max connection count 1 for (smtp:216.216.202.69) at May 20 23:43:33
|
|
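As an added example, not sshguard's own code and not posted by anyone in this thread, here is a small Python detector run over constructed Postfix log lines modelled on the ones quoted in the postfix messages above. It matches the "Relay access denied" RCPT rejects that SSHGuard did not act on, the anvil "max connection rate" statistics line that Kevin suggests firing on, and the "hostname ... does not resolve" warning Jos reported. The scores, the thresholds, the hostnames and addresses in the sample (RFC 5737 documentation ranges) and the "ipfw table 22" rendering are all assumptions chosen for illustration. The DNS warning deliberately scores low: a reverse-DNS mismatch on its own is not an attack and is common on legitimate senders, so a blocker that acts on that line alone will lock out real mail.

```python
import re
from collections import defaultdict

# Scores are assumptions for this example: one rejected relay attempt is
# strong evidence; a "hostname does not resolve" warning is weak evidence,
# because broken reverse DNS is common on legitimate senders.
RCPT_REJECT_SCORE = 10
DNS_WARNING_SCORE = 1
BLOCK_THRESHOLD = 30
ANVIL_RATE_THRESHOLD = 30   # connections per anvil window we treat as a flood

RCPT_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied")
DNS_WARNING = re.compile(
    r"postfix/smtpd\[\d+\]: warning: hostname \S+ does not resolve to address "
    r"(?P<ip>[0-9.]+)")
ANVIL_RATE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection rate "
    r"(?P<count>\d+)/(?P<window>\d+)s for \(smtp:(?P<ip>[0-9.]+)\)")

# Constructed sample log, modelled on the lines quoted in this thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 20 23:49:55 mx postfix/smtpd[63244]: connect from unknown[198.51.100.23]
May 20 23:49:56 mx postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<me@cantsay> to=<victim@example.org> proto=ESMTP helo=<linux-h57q.site>
May 20 23:49:56 mx postfix/smtpd[63244]: disconnect from unknown[198.51.100.23] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
May 20 23:49:57 mx postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<me@cantsay> to=<victim@example.org> proto=ESMTP helo=<linux-h57q.site>
May 20 23:49:58 mx postfix/smtpd[63244]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<me@cantsay> to=<victim@example.org> proto=ESMTP helo=<linux-h57q.site>
May 20 23:50:03 mx postfix/smtpd[63250]: warning: hostname 203.0.113.8-host.example.net does not resolve to address 203.0.113.8: hostname nor servname provided, or not known
May 20 23:50:04 mx postfix/smtpd[63250]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<a@b.example> to=<victim@example.org> proto=ESMTP helo=<mail.example>
May 20 23:53:21 mx postfix/anvil[63222]: statistics: max connection rate 71/60s for (smtp:192.0.2.77) at May 20 23:49:31
May 20 23:53:21 mx postfix/anvil[63222]: statistics: max connection count 1 for (smtp:192.0.2.77) at May 20 23:43:33
"""


def classify(line):
    """Return (ip, score, kind), or None for a line the detector ignores."""
    m = RCPT_REJECT.search(line)
    if m:
        return m.group("ip"), RCPT_REJECT_SCORE, "rcpt_reject"
    m = DNS_WARNING.search(line)
    if m:
        return m.group("ip"), DNS_WARNING_SCORE, "dns_warning"
    m = ANVIL_RATE.search(line)
    if m:
        # anvil has already throttled this client; a rate above our flood
        # threshold is enough on its own to block, as suggested in the thread.
        flood = int(m.group("count")) >= ANVIL_RATE_THRESHOLD
        return m.group("ip"), (BLOCK_THRESHOLD if flood else 0), "anvil_rate"
    return None


def scan(lines):
    """Score each source IP; return (sorted IPs to block, score per IP)."""
    scores = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit is not None:
            ip, score, _kind = hit
            scores[ip] += score
    blocked = sorted(ip for ip, s in scores.items() if s >= BLOCK_THRESHOLD)
    return blocked, dict(scores)


def ipfw_commands(blocked, table=22):
    """Render (not run) ipfw table additions, using the table number from this thread."""
    return ["ipfw table %d add %s" % (table, ip) for ip in blocked]


if __name__ == "__main__":
    to_block, per_ip = scan(SAMPLE_LOG.splitlines())
    for ip, score in sorted(per_ip.items()):
        print("%-16s score=%d" % (ip, score))
    print("\n".join(ipfw_commands(to_block)))
```

On the sample, the relay prober with three rejects and the anvil-throttled client both cross the threshold, while the host with one DNS warning and one reject does not. A production version would also age scores out over a time window; the yearless syslog timestamps make that slightly awkward, which is one reason the scoring here is count based.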
From: Jef P. <je...@ma...> - 2016-05-12 19:03:10
|
Kevin:
>In sshguard_logsuck.c, logsuck_add_logsource() does a
>lseek(cursource.current_descriptor, 0, SEEK_END) to the end of the file
>before polling for new entries.
Ok, good, thanks. I confirm the lseek is getting run on my log files.
>The behavior you're observing is incorrect. I'm still trying to figure
>out why this is happening to you. What are the permissions on the log
>files? Are they hard links, FIFOs, or anything else weird?
No, nothing weird.
-rw------- 1 root wheel 298394 May 12 11:42 /var/log/auth.log
-rw-r----- 1 root mail 1619946 May 12 11:43 /var/log/maillog
Re-running the test, I think these syslogs are a clue. I should have
sent them before!
May 12 11:42:02 hydra sshguard[58928]: Reloading rotated file /var/log/auth.log.
May 12 11:42:02 hydra sshguard[58928]: Reloading rotated file /var/log/maillog.
The code that does that is also in sshguard_logsuck.c, the comment says
it does this when "myentry->current_serial_number != fileinfo.st_ino".
A little debugging shows:
myentry->current_serial_number 0, fileinfo.st_ino 12
myentry->current_serial_number 0, fileinfo.st_ino 1532
Yes those are the correct inode numbers. So why is current_serial_number
zero...? Oh, I think I see the problem. sshguard_logsuck.c lines
116-117, activate_source() is getting called with an uninitialized
fileinfo. Got to add a stat() to fill it in.
So I guess this is happening to everyone but no one else noticed because
their log files get rotated on a sane schedule.
---
Jef
Jef Poskanzer je...@ma... http://acme.com/jef/
|
|
From: Jef P. <je...@ma...> - 2016-05-12 06:09:06
|
>Ahh, I see. SSHGuard's regex parser ignores lines beginning with
>sshguard, but that doesn't do anything if syslog starts it.

Yep. By the time sshguard gets the line, it has by definition already been restarted. :-)
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-12 06:06:20
|
On 05/11/2016 22:16, Jef Poskanzer wrote:
> Now that I've updated my FreeBSD ports tree I'm using sshguard 1.6.4.
> I started it via a plain old "service sshguard start", no added options,
> unmodified rc file.
>
> What keeps sshguard from reading the whole auth.log on startup?
> Is it the timestamps? If so then what about my speculation that
> the lack of a year on the timestamps is messing this up? I looked
> for the code that does this for a few minutes but didn't find it.

In sshguard_logsuck.c, logsuck_add_logsource() does a lseek(cursource.current_descriptor, 0, SEEK_END) to the end of the file before polling for new entries.

> This is a side issue since as soon as my logfiles rotate properly
> I'll try starting sshguard from rc again and expect it will work
> fine. Nevertheless it's interesting behavior and if it's easy to
> fix, why not.

The behavior you're observing is incorrect. I'm still trying to figure out why this is happening to you. What are the permissions on the log files? Are they hard links, FIFOs, or anything else weird?

> - The big one is it says "several times a day". I was seeing
> exit & restart every hour, which is how often newsyslog runs
> on FreeBSD. 24 times a day is more than several. Maybe other
> systems run newsyslog less often? Or don't kill programs every
> time it runs?

Check newsyslog.conf:

/var/log/auth.log 600 7 100 @0101T JC

The log is rotated when it's larger than 100 KB, or at a certain time?

> - It says "SIGHUP". sshguard 1.5 said "Got exit signal", 1.6.4
> changed the wording to "Exiting on signal". If the code doesn't
> tell the user what signal then the note probably shouldn't either,
> to avoid confusion.

I'll see if I can print out the signal received.

> - And, not an inaccuracy, but adding a mention of my "!-sshguard"
> config file tweak to prevent the immediate restarting would
> be nice.

Ahh, I see. SSHGuard's regex parser ignores lines beginning with sshguard, but that doesn't do anything if syslog starts it.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Jef P. <je...@ma...> - 2016-05-12 05:16:16
|
Kevin:
>SSHGuard should certainly not be reading your entire auth.log at
>startup. What version of SSHGuard are you using? Are you just using the
>standard invocation from rc.d (no other options set)?

Now that I've updated my FreeBSD ports tree I'm using sshguard 1.6.4. I started it via a plain old "service sshguard start", no added options, unmodified rc file.

What keeps sshguard from reading the whole auth.log on startup? Is it the timestamps? If so then what about my speculation that the lack of a year on the timestamps is messing this up? I looked for the code that does this for a few minutes but didn't find it.

This is a side issue since as soon as my logfiles rotate properly I'll try starting sshguard from rc again and expect it will work fine. Nevertheless it's interesting behavior and if it's easy to fix, why not.

>> There's already a note in http://www.sshguard.net/docs/setup/ about
>> syslogd terminating and restarting sshguard, although it's not
>> completely accurate.
>
>Could you clarify which part is inaccurate? I'd like to fix it ASAP.

- The big one is it says "several times a day". I was seeing exit & restart every hour, which is how often newsyslog runs on FreeBSD. 24 times a day is more than several. Maybe other systems run newsyslog less often? Or don't kill programs every time it runs?

- It says "SIGHUP". sshguard 1.5 said "Got exit signal", 1.6.4 changed the wording to "Exiting on signal". If the code doesn't tell the user what signal then the note probably shouldn't either, to avoid confusion.

- And, not an inaccuracy, but adding a mention of my "!-sshguard" config file tweak to prevent the immediate restarting would be nice.
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-11 18:42:02
|
On 05/09/2016 23:42, Jef Poskanzer wrote:
> I'm sure that would fix the restart looping, as I suggested in my
> initial message. At the moment I can't start using the rc.d script
> for other reasons, which actually could be considered a bug in
> sshguard. Ok, since you asked so nicely I'll explain. My auth.log
> doesn't get much traffic and hasn't been rotated in years. When
> sshguard starts up it reads the whole file, sees all of my own
> logins happening at the current instant, and marks me as an
> attacker. It may have something to do with syslog lines not
> including the year - maybe sshguard parses the yearless timestamps
> past today's date as being in the future?

SSHGuard should certainly not be reading your entire auth.log at startup. What version of SSHGuard are you using? Are you just using the standard invocation from rc.d (no other options set)?

> There's already a note in http://www.sshguard.net/docs/setup/ about
> syslogd terminating and restarting sshguard, although it's not
> completely accurate. If the devs don't want to lower the log level
> of the exiting messages to LOG_DEBUG to prevent the restarting,
> then perhaps just correct this note and add the "!-sshguard"
> tweak I worked out. A doc change is always easier than a code
> change right?

Could you clarify which part is inaccurate? I'd like to fix it ASAP.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: <li...@la...> - 2016-05-11 00:13:45
|
I'm assuming since postfix is not mentioned on the attack signature page, sshguard is only reading maillog for exim and Sendmail messages.

Regarding Dovecot, how do I test this feature? Do I create an incorrect email account and send messages rapidly? Also what about attacks where hackers use other protocols on the submission port such as telnet.

Basically I only see sshd messages in auth.log being operated on by sshguard. Eyeballing Dovecot.log, I see no hacking attempts, so the lack of messages in auth.log makes sense.
|
|
From: Kevin Z. <kev...@gm...> - 2016-05-10 23:17:34
|
Hi Jos, Fed,

On 05/05/2016 13:24, Jos Chrispijn wrote:
> Can you pls update the content of the SSHGuard submission page?

When the website was designed, the sidebar was fed from Freshmeat, which became Freecode and now is no longer updated. I need to ask the website maintainer how to replace the sidebar with the SSHGuard news feed, which has links to the recent release announcements.

In the meantime, I added "Latest releases" entry that points to the SSHGuard news feed with the latest release announcements.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Peter B. <be...@an...> - 2016-05-10 19:08:05
|
Could you not adjust the size at which the log is rotated to avoid such
chopping?
Doing my own little test, this succeeded at rotating safely at 10 entries
per second being written:
cp auth.log auth.log.2 && cat /dev/null > auth.log
I had one process going writing a new entry to auth.log every 0.1 seconds
(10 per second), to ensure that I didn't lose any log entries during this
process.
What this does:
* copies all of the data from auth.log to auth.log.2, even while
auth.log is being written, the data is copied
* As soon as the copy completes, it truncates auth.log (unless the
copy fails, then it doesn't)
Now you (a) don't have to HUP any processes writing to auth.log, and (b)
don't lose any log entries due to timing issues.
Theoretically you could lose a few log lines depending on how loaded your
system is, but I lost ZERO log entries at 10 per second.
So again, I say, for the lot of you who are fussy about your log file sizes
for whatever reason, Why not rotate your logs?
Between newsyslog and writing your own if newsyslog doesn't have enough
knobs to meet your unique needs, I don't see how sshguard needs to be
rewritten to meet your needs.
Beckman
On Tue, 10 May 2016, li...@la... wrote:
> On Tue, 10 May 2016 10:04:57 -0400
> Peter Beckman <be...@an...> wrote:
>
>> Why not add your IP(s) to the whitelist? Did you fail to login
>> successfully many times in the past few years?
>>
>> Why not rotate your auth.log?
>>
>> Why not run newsyslog manually once to rotate initially?
>>
>> To me this isn't a bug, more of a "it doesn't work the way I want"
>> for some reasons that seem to be fairly easy to remedy.
>>
>> Beckman
>>
>
>> ---------------------------------------------------------------------------
>
> Checking my /var/log, it appears that once you put a file into
> newsyslog, it will chop it up into compressed files with
> one "operating" file at the appropriate rotation time. That is, my
> maillog, which I recently added to newsyslog, was chopped into 6 files
> when the rotation time came around.
>
>
---------------------------------------------------------------------------
Peter Beckman Internet Guy
be...@an... http://www.angryox.com/
---------------------------------------------------------------------------
|
|
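As an added example that is not sshguard's code (the project's log-sucking code is C; this is a Python sketch of the same idea, written for this page), the follower below records the inode with fstat() when a source is activated, which is what Jef's debugging of sshguard_logsuck.c says activate_source() was missing: with the serial number left at 0, every poll compared it against the real st_ino and "reloaded" the file. It also handles the copy-then-truncate rotation Peter describes, where the inode does not change and the only signal is the file shrinking below the offset already consumed; note that such a rotation has a window between the copy and the truncate in which lines the logger writes are lost, and a follower can do nothing about that. The scenario in demo() is constructed in a temporary directory; file names and contents are placeholders.

```python
import os
import tempfile


class LogSource:
    """Follow one log file the way a log-polling daemon does.

    The inode is recorded with fstat() at activation, so a later stat() of
    the path can tell a renamed-and-recreated log (new inode) from the file
    we already hold open.  Copy-truncate rotation keeps the inode, so it is
    detected by the file shrinking below the offset we already consumed.
    """

    def __init__(self, path, start_at_end=True):
        self.path = path
        self.fd = None
        self.inode = None
        self.offset = 0
        self._activate(start_at_end)

    def _activate(self, start_at_end):
        self.fd = open(self.path, "rb")
        st = os.fstat(self.fd.fileno())
        self.inode = st.st_ino            # filled in here, never left uninitialized
        self.offset = st.st_size if start_at_end else 0
        self.fd.seek(self.offset)         # the equivalent of lseek(fd, 0, SEEK_END)

    def rotated(self):
        """True if the path now names a different file or was truncated."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            # Renamed away and not yet recreated: keep reading the old file.
            return False
        if st.st_ino != self.inode:
            return True
        # Copy-truncate: same inode, but smaller than what we already read.
        # Limitation: if the truncated file regrows past our old offset before
        # we poll, this check cannot tell, and the lines in between are skipped.
        return st.st_size < self.offset

    def _read_new(self):
        data = self.fd.read()
        self.offset = self.fd.tell()
        return [line.decode("utf-8", "replace") for line in data.splitlines()]

    def poll(self):
        """Return newly appended lines, switching files after a rotation."""
        lines = []
        if self.rotated():
            lines.extend(self._read_new())   # drain what the old file still holds
            self.fd.close()
            self._activate(start_at_end=False)
        lines.extend(self._read_new())
        return lines


def demo():
    """Constructed scenario: append, rename-style rotation, copy-truncate rotation."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as f:
            f.write("old line 1\nold line 2\n")   # history that must NOT be replayed
        src = LogSource(path)                    # starts at end of file
        seen = []

        with open(path, "a") as f:
            f.write("live 1\n")
        seen += src.poll()

        # newsyslog-style rotation: rename, then a fresh file with a new inode
        os.rename(path, path + ".0")
        with open(path, "w") as f:
            f.write("after rename 1\nafter rename 2\n")
        seen += src.poll()

        # copy-truncate rotation: same inode, contents copied, then size set to 0
        with open(path, "rb") as f, open(path + ".1", "wb") as g:
            g.write(f.read())
        with open(path, "r+b") as f:
            f.truncate(0)
        with open(path, "a") as f:
            f.write("after truncate 1\n")
        seen += src.poll()

        seen += src.poll()                       # nothing new: contributes []
        src.fd.close()
        return seen


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two old lines are never returned, which is the behaviour Kevin describes for logsuck_add_logsource(); the lines written after each rotation are, because the follower reopens the path only when the inode or size says it should, rather than on every poll.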
From: <li...@la...> - 2016-05-10 17:46:35
|
On Tue, 10 May 2016 10:04:57 -0400 Peter Beckman <be...@an...> wrote:
> Why not add your IP(s) to the whitelist? Did you fail to login
> successfully many times in the past few years?
>
> Why not rotate your auth.log?
>
> Why not run newsyslog manually once to rotate initially?
>
> To me this isn't a bug, more of a "it doesn't work the way I want"
> for some reasons that seem to be fairly easy to remedy.
>
> Beckman
>
> ---------------------------------------------------------------------------

Checking my /var/log, it appears that once you put a file into newsyslog, it will chop it up into compressed files with one "operating" file at the appropriate rotation time. That is, my maillog, which I recently added to newsyslog, was chopped into 6 files when the rotation time came around.
|
|
From: Peter B. <be...@an...> - 2016-05-10 14:20:50
|
Why not add your IP(s) to the whitelist? Did you fail to login successfully many times in the past few years?

Why not rotate your auth.log?

Why not run newsyslog manually once to rotate initially?

To me this isn't a bug, more of a "it doesn't work the way I want" for some reasons that seem to be fairly easy to remedy.

Beckman

On Mon, 9 May 2016, Jef Poskanzer wrote:
> Kevin Zheng:
>> Thanks for updating to 1.6.4. Could you try starting SSHGuard as a
>> daemon using the rc.d script and see if the problem persists?
>
> I'm sure that would fix the restart looping, as I suggested in my
> initial message. At the moment I can't start using the rc.d script
> for other reasons, which actually could be considered a bug in
> sshguard. Ok, since you asked so nicely I'll explain. My auth.log
> doesn't get much traffic and hasn't been rotated in years. When
> sshguard starts up it reads the whole file, sees all of my own
> logins happening at the current instant, and marks me as an
> attacker. It may have something to do with syslog lines not
> including the year - maybe sshguard parses the yearless timestamps
> past today's date as being in the future?
>
> It just occurred to me that this is *exactly* the plot line of
> tonight's Person of Interest episode!
>
> Anyway I have fixed my newsyslog.conf to rotate more often, but I
> don't want to manually rotate the files so I'm not going to start
> sshguard from rc.d until they rotate on their own.
>
> There's already a note in http://www.sshguard.net/docs/setup/ about
> syslogd terminating and restarting sshguard, although it's not
> completely accurate. If the devs don't want to lower the log level
> of the exiting messages to LOG_DEBUG to prevent the restarting,
> then perhaps just correct this note and add the "!-sshguard"
> tweak I worked out. A doc change is always easier than a code
> change right?

---------------------------------------------------------------------------
Peter Beckman Internet Guy
be...@an... http://www.angryox.com/
---------------------------------------------------------------------------
|
|
From: Jef P. <je...@ma...> - 2016-05-10 06:42:52
|
Kevin Zheng:
>Thanks for updating to 1.6.4. Could you try starting SSHGuard as a
>daemon using the rc.d script and see if the problem persists?

I'm sure that would fix the restart looping, as I suggested in my initial message. At the moment I can't start using the rc.d script for other reasons, which actually could be considered a bug in sshguard. Ok, since you asked so nicely I'll explain. My auth.log doesn't get much traffic and hasn't been rotated in years. When sshguard starts up it reads the whole file, sees all of my own logins happening at the current instant, and marks me as an attacker. It may have something to do with syslog lines not including the year - maybe sshguard parses the yearless timestamps past today's date as being in the future?

It just occurred to me that this is *exactly* the plot line of tonight's Person of Interest episode!

Anyway I have fixed my newsyslog.conf to rotate more often, but I don't want to manually rotate the files so I'm not going to start sshguard from rc.d until they rotate on their own.

There's already a note in http://www.sshguard.net/docs/setup/ about syslogd terminating and restarting sshguard, although it's not completely accurate. If the devs don't want to lower the log level of the exiting messages to LOG_DEBUG to prevent the restarting, then perhaps just correct this note and add the "!-sshguard" tweak I worked out. A doc change is always easier than a code change right?

---
Jef
Jef Poskanzer je...@ma... http://acme.com/jef/
|
From: Kevin Z. <kev...@gm...> - 2016-05-09 20:25:53
Hi Jef,

On 05/09/2016 12:19, Jef Poskanzer wrote:
> After a reminder that portsnap exists, I updated everything and
> tried again with sshguard 1.6.4. I undid my syslog config quick-fix
> to test, and can confirm that the restart looping still happens
> although with different log messages:
>
> May 9 11:57:02 hydra sshguard[22878]: Monitoring attacks from stdin
> May 9 12:00:00 hydra sshguard[22878]: Received EOF from stdin
> May 9 12:00:00 hydra sshguard[22878]: Exiting on signal
> May 9 12:00:00 hydra sshguard[28419]: Monitoring attacks from stdin
>
> Looks like the exit message is now logged at level info instead
> of notice, but that is still high enough to get caught by the
> recommended syslog.conf line. And anyway the new 'Received EOF'
> message is at level notice.

Thanks for updating to 1.6.4. Could you try starting SSHGuard as a
daemon using the rc.d script and see if the problem persists?

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Jef P. <je...@ma...> - 2016-05-09 19:19:19
I wrote:
>I'm on FreeBSD 10.1R. I installed it from /usr/ports/security/sshguard
>which gave me version 1.5 - no problems on the install.
After a reminder that portsnap exists, I updated everything and
tried again with sshguard 1.6.4. I undid my syslog config quick-fix
to test, and can confirm that the restart looping still happens
although with different log messages:
May 9 11:57:02 hydra sshguard[22878]: Monitoring attacks from stdin
May 9 12:00:00 hydra sshguard[22878]: Received EOF from stdin
May 9 12:00:00 hydra sshguard[22878]: Exiting on signal
May 9 12:00:00 hydra sshguard[28419]: Monitoring attacks from stdin
Looks like the exit message is now logged at level info instead
of notice, but that is still high enough to get caught by the
recommended syslog.conf line. And anyway the new 'Received EOF'
message is at level notice.
---
Jef
Jef Poskanzer je...@ma... http://acme.com/jef/
From: Jef P. <je...@ma...> - 2016-05-09 07:49:39
Hi. I ran across sshguard today and decided to give it a try.
I'm on FreeBSD 10.1R. I installed it from /usr/ports/security/sshguard
which gave me version 1.5 - no problems on the install. I enabled it
using syslogd and ipfw. I used the suggested syslog.conf line:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
And a slightly modified ipfw line:
ipfw add deny ip from 'table(22)' to me in via ${oif}
After restarting syslogd, I observed new log messages from
sshguard. Yay!
However, there was a minor problem: every hour it would exit and restart:
May 8 13:00:00 hydra sshguard[86471]: Got exit signal, flushing blocked addresses and exiting...
May 8 13:00:00 hydra sshguard[14184]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 14:00:00 hydra sshguard[14184]: Got exit signal, flushing blocked addresses and exiting...
May 8 14:00:00 hydra sshguard[85407]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 15:00:00 hydra sshguard[85407]: Got exit signal, flushing blocked addresses and exiting...
May 8 15:00:00 hydra sshguard[67455]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
I did a not-very-thorough search of the sshguard-users archives and
didn't see discussion of this. The reason for the looping is pretty
obvious: sshguard's exit message goes to auth.notice and therefore
gets sent to sshguard and starts it up again.
My first try at fixing this worked ok - I changed syslog.conf so it
doesn't send sshguard's own messages to itself:
!-sshguard
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
However this makes the config file a little ugly since the sshguard
stuff now has to be in a separate paragraph.
Starting sshguard from an rc file instead of from syslog should also
fix the restart looping. I'll try that tomorrow.
A source-code fix would be to not log the exit message, or log it
at debug instead of notice. I haven't checked if something along these
lines has already been done in the development version - if so, hooray!
Anyway, thanks for the nice simple software.
---
Jef
Jef Poskanzer je...@ma... http://acme.com/jef/
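The original report above and the 1.6.4 follow-up earlier in the thread both show the same pattern: sshguard's own exit message is delivered back to it by syslogd, and a fresh process starts in the same second under a new pid. As an added example (not sshguard's code, and not written by anyone in this thread), the Python below runs detection logic over exactly the log lines quoted in those two messages. It pairs each exit with the start that follows it in the same second, and checks whether the cycles recur at a constant period, which is what distinguishes a scheduled trigger from random crashes. Each cycle also marks a point where, per the 1.5 exit message, the blocked-address list was flushed, so the cycle count is a direct measure of how often protection was dropped. The message prefixes in EXIT_MSGS and START_MSGS are taken from the quoted lines; the function names are this example's own.

```python
"""Spot a syslog-fed daemon that is being restarted by its own log messages.

Added example (not sshguard's code): detection logic run over the log lines
quoted in this thread. An exit followed in the same second by a start under a
different pid is one restart cycle; a constant period between cycles is the
signature of a scheduled trigger feeding the exit message back to the daemon.
"""
import re

# "Mon DD HH:MM:SS host sshguard[pid]: message"; the timestamp is kept as text
SSHGUARD_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshguard\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message prefixes seen in the thread for the 1.5 and the 1.6.4 wording
EXIT_MSGS = ("Got exit signal", "Received EOF from stdin", "Exiting on signal")
START_MSGS = ("Started successfully", "Monitoring attacks from stdin")


def restart_cycles(lines):
    """Return (timestamp, old_pid, new_pid) for every exit that is followed,
    within the same second, by a start under a different pid."""
    cycles, last_exit = [], None
    for line in lines:
        m = SSHGUARD_EVENT.match(line)
        if not m:
            continue
        if m["msg"].startswith(EXIT_MSGS):
            last_exit = (m["ts"], m["pid"])          # 1.6.4 logs two exit lines; keep the latest
        elif (m["msg"].startswith(START_MSGS) and last_exit
              and last_exit[0] == m["ts"] and last_exit[1] != m["pid"]):
            cycles.append((m["ts"], last_exit[1], m["pid"]))
            last_exit = None
    return cycles


def _seconds_of_day(ts):
    """'May 8 13:00:00' -> 46800; only the clock part is needed for the period."""
    h, m, s = (int(x) for x in ts.rsplit(" ", 1)[1].split(":"))
    return h * 3600 + m * 60 + s


def loop_period(cycles):
    """Seconds between successive cycles when that gap is constant, else None.
    A constant period points at a scheduled trigger rather than at crashes."""
    if len(cycles) < 2:
        return None
    secs = [_seconds_of_day(ts) for ts, _, _ in cycles]
    gaps = [(b - a) % 86400 for a, b in zip(secs, secs[1:])]   # tolerate midnight rollover
    return gaps[0] if len(set(gaps)) == 1 and gaps[0] > 0 else None


# The lines quoted in this thread: sshguard 1.5 wording on May 8, 1.6.4 on May 9
SAMPLE_LOG = """\
May 8 13:00:00 hydra sshguard[86471]: Got exit signal, flushing blocked addresses and exiting...
May 8 13:00:00 hydra sshguard[14184]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 14:00:00 hydra sshguard[14184]: Got exit signal, flushing blocked addresses and exiting...
May 8 14:00:00 hydra sshguard[85407]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 15:00:00 hydra sshguard[85407]: Got exit signal, flushing blocked addresses and exiting...
May 8 15:00:00 hydra sshguard[67455]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 9 11:57:02 hydra sshguard[22878]: Monitoring attacks from stdin
May 9 12:00:00 hydra sshguard[22878]: Received EOF from stdin
May 9 12:00:00 hydra sshguard[22878]: Exiting on signal
May 9 12:00:00 hydra sshguard[28419]: Monitoring attacks from stdin
"""

if __name__ == "__main__":
    cycles = restart_cycles(SAMPLE_LOG.splitlines())
    for ts, old, new in cycles:
        print(f"{ts}: pid {old} exited, pid {new} started (block list flushed)")
    print("May 8 period:", loop_period(cycles[:3]), "seconds")
```

On the quoted lines this finds four cycles, and the three May 8 cycles recur every 3600 seconds, which matches the hourly restart the report describes; the first "Monitoring attacks from stdin" line on May 9 is correctly ignored because no exit precedes it. This only detects the loop; the fixes discussed in the thread are the "!-sshguard" program selector in syslog.conf, starting sshguard from rc.d rather than from syslogd, or logging the exit message below the level that syslog.conf forwards.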