Menu
▾
▴
sshguard-users — User questions and answers, bugs, and general support
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
(10) |
Apr
(7) |
May
(6) |
Jun
(13) |
Jul
(4) |
Aug
|
Sep
|
Oct
(17) |
Nov
(5) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(2) |
Feb
|
Mar
|
Apr
(4) |
May
(2) |
Jun
(7) |
Jul
(10) |
Aug
(4) |
Sep
(14) |
Oct
|
Nov
(1) |
Dec
(7) |
| 2009 |
Jan
(17) |
Feb
(20) |
Mar
(11) |
Apr
(14) |
May
(8) |
Jun
(3) |
Jul
(22) |
Aug
(9) |
Sep
(8) |
Oct
(6) |
Nov
(4) |
Dec
(8) |
| 2010 |
Jan
(17) |
Feb
(9) |
Mar
(15) |
Apr
(24) |
May
(14) |
Jun
(1) |
Jul
(21) |
Aug
(6) |
Sep
(2) |
Oct
(2) |
Nov
(6) |
Dec
(9) |
| 2011 |
Jan
(11) |
Feb
(1) |
Mar
(3) |
Apr
(4) |
May
|
Jun
|
Jul
(2) |
Aug
(3) |
Sep
(2) |
Oct
(29) |
Nov
(1) |
Dec
(1) |
| 2012 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
(13) |
May
(4) |
Jun
(9) |
Jul
(2) |
Aug
(2) |
Sep
(1) |
Oct
(2) |
Nov
(11) |
Dec
(4) |
| 2013 |
Jan
(2) |
Feb
(2) |
Mar
(4) |
Apr
(13) |
May
(4) |
Jun
|
Jul
|
Aug
(1) |
Sep
(5) |
Oct
(3) |
Nov
(1) |
Dec
(3) |
| 2014 |
Jan
|
Feb
(3) |
Mar
(3) |
Apr
(6) |
May
(8) |
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
(3) |
Nov
(14) |
Dec
(8) |
| 2015 |
Jan
(16) |
Feb
(30) |
Mar
(20) |
Apr
(5) |
May
(33) |
Jun
(11) |
Jul
(15) |
Aug
(91) |
Sep
(23) |
Oct
(10) |
Nov
(7) |
Dec
(9) |
| 2016 |
Jan
(22) |
Feb
(8) |
Mar
(6) |
Apr
(23) |
May
(38) |
Jun
(29) |
Jul
(43) |
Aug
(43) |
Sep
(18) |
Oct
(8) |
Nov
(2) |
Dec
(25) |
| 2017 |
Jan
(38) |
Feb
(3) |
Mar
(1) |
Apr
|
May
(18) |
Jun
(2) |
Jul
(16) |
Aug
(2) |
Sep
|
Oct
(1) |
Nov
(4) |
Dec
(14) |
| 2018 |
Jan
(15) |
Feb
(2) |
Mar
(3) |
Apr
(5) |
May
(8) |
Jun
(12) |
Jul
(19) |
Aug
(16) |
Sep
(8) |
Oct
(13) |
Nov
(15) |
Dec
(10) |
| 2019 |
Jan
(9) |
Feb
(3) |
Mar
|
Apr
(2) |
May
|
Jun
(1) |
Jul
|
Aug
(5) |
Sep
(5) |
Oct
(12) |
Nov
(4) |
Dec
|
| 2020 |
Jan
(2) |
Feb
(6) |
Mar
|
Apr
|
May
(11) |
Jun
(1) |
Jul
(3) |
Aug
(22) |
Sep
(8) |
Oct
|
Nov
(2) |
Dec
|
| 2021 |
Jan
(7) |
Feb
|
Mar
(19) |
Apr
|
May
(10) |
Jun
(5) |
Jul
(7) |
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(10) |
Dec
(4) |
| 2022 |
Jan
(17) |
Feb
|
Mar
(7) |
Apr
(3) |
May
|
Jun
(1) |
Jul
(3) |
Aug
|
Sep
|
Oct
(6) |
Nov
|
Dec
|
| 2023 |
Jan
|
Feb
(5) |
Mar
(1) |
Apr
(3) |
May
|
Jun
(3) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
(6) |
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2025 |
Jan
|
Feb
|
Mar
(15) |
Apr
(8) |
May
(10) |
Jun
|
Jul
|
Aug
|
Sep
(6) |
Oct
|
Nov
|
Dec
|
|
From: <li...@la...> - 2016-05-08 06:48:36
|
Regarding reset or deny, who is the user here? The clown trying to log into the server, or the sysadmin? My first priority would be which uses the least resources of my server. If equal, then I would pick which method wastes the time of the clown trying to break into the network. Original Message From: Kevin Zheng Sent: Saturday, May 7, 2016 11:36 PM To: Carmel; ssh...@li... Subject: Re: [SSHGuard-users] Results from running 1.6.4 On 05/07/2016 06:00, Carmel wrote: > I am running sshguard-ipfw,ver 1.6.4 on a FreeBSD-11 / amd64 machine. I > installed the program via the ports system. > > I was just wondering where you located this new documentation? I have > been interested in exactly what and where to put entries in my "ipfw" > file, or if I even needed them at all. As mentioned before, the setup documentation is here: http://www.sshguard.net/docs/setup/ You need to understand your own firewall to set up SSHGuard. Copying and pasting might work if you're lucky. The 'reset' instead of 'deny' was chosen as a more reasonable default to give users better feedback. Dropping the connection will cause the client to wait for a timeout, while resetting the connection will give the user more meaningful feedback (connection reset by peer). The rule number depends entirely on your ruleset. IPFW is a first-rule-wins firewall, so the rule that allows SSH should have a higher rule number than SSHGuard's rule number. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ sshguard-users mailing list ssh...@li... https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Kevin Z. <kev...@gm...> - 2016-05-08 06:36:37
|
On 05/07/2016 06:00, Carmel wrote: > I am running sshguard-ipfw,ver 1.6.4 on a FreeBSD-11 / amd64 machine. I > installed the program via the ports system. > > I was just wondering where you located this new documentation? I have > been interested in exactly what and where to put entries in my "ipfw" > file, or if I even needed them at all. As mentioned before, the setup documentation is here: http://www.sshguard.net/docs/setup/ You need to understand your own firewall to set up SSHGuard. Copying and pasting might work if you're lucky. The 'reset' instead of 'deny' was chosen as a more reasonable default to give users better feedback. Dropping the connection will cause the client to wait for a timeout, while resetting the connection will give the user more meaningful feedback (connection reset by peer). The rule number depends entirely on your ruleset. IPFW is a first-rule-wins firewall, so the rule that allows SSH should have a higher rule number than SSHGuard's rule number. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2016-05-08 06:26:05
|
On 05/06/2016 17:47, li...@la... wrote: > I got this line a number of times, but I think it means the IP addresses > are already in the blocked database. > > ipfw: setsockopt(IP_FW_TABLE_XADD): File exists > > Hmmh, no new blocked IPs in the last 12 minutes. Maybe the hackers > are taking a coffee break. I will give this an hour and then check the > log. What happens if you manually flush table 22 before starting SSHGuard? -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2016-05-07 13:20:00
|
The entry into rc.firewall is on this page: http://www.sshguard.net/docs/setup/ You certainly need the line and there was a thread sometime back regarding where in the file to place it. Sorry for the top posting, but I'm on the "phone." Original Message From: Carmel Sent: Saturday, May 7, 2016 6:00 AM To: ssh...@li... Subject: Re: [SSHGuard-users] Results from running 1.6.4 On Fri, 6 May 2016 19:56:17 -0700, li...@la... stated: >Old ipfw line: >${fwcmd} add 550 deny log all from 'table(22)' to any > >Suggested line from current docuemntation ># ipfw add 5000 reset ip from table\(22\) to me I am running sshguard-ipfw,ver 1.6.4 on a FreeBSD-11 / amd64 machine. I installed the program via the ports system. I was just wondering where you located this new documentation? I have been interested in exactly what and where to put entries in my "ipfw" file, or if I even needed them at all. Thanks! -- Carmel ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ sshguard-users mailing list ssh...@li... https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Carmel <car...@ou...> - 2016-05-07 13:00:20
|
On Fri, 6 May 2016 19:56:17 -0700, li...@la... stated:
>Old ipfw line:
>${fwcmd} add 550 deny log all from 'table(22)' to any
>
>Suggested line from current docuemntation
># ipfw add 5000 reset ip from table\(22\) to me
I am running sshguard-ipfw,ver 1.6.4 on a FreeBSD-11 / amd64 machine. I
installed the program via the ports system.
I was just wondering where you located this new documentation? I have
been interested in exactly what and where to put entries in my "ipfw"
file, or if I even needed them at all.
Thanks!
--
Carmel
|
|
From: <li...@la...> - 2016-05-07 02:56:28
|
Old ipfw line:
${fwcmd} add 550 deny log all from 'table(22)' to any
Suggested line from current docuemntation
# ipfw add 5000 reset ip from table\(22\) to me
-------------------------------------------------------------
I noticed the updated sshguard made it to /usr/ports, so I compiled the
code there and did a reinstall so it would be more like a typical user
installation.
--------------------------------------------------------
This is the error message when starting sshguard:
# service sshguard restart
Stopping sshguard.
Starting sshguard.
#
# ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
-----------------------------------------------------------------
The standard daemon file doesn't include dovecot. I added the dovecot
log, but I don't see it mentioned in the auth.log. Also should I delete
the old block list?
May 7 02:53:13 theranch sshguard[21444]: Exiting on signal
May 7 02:53:13 theranch sshguard[23159]: blacklist: blocking 1644 addresses
May 7 02:53:16 theranch sshguard[23159]: Monitoring attacks from log files
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/auth.log.
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/maillog.
May 7 02:53:16 theranch sshguard[23159]: blacklist: 217.199.161.135 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 217.199.161.135: blocking forever (3 attacks in 0 secs, after 1 abuses over
0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 185.103.109.70 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 185.103.109.70: blocking forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 155.133.82.69 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: blocking forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
---------------------------------------------------------
May 7 02:53:13 theranch sshguard[21444]: Exiting on signal
May 7 02:53:13 theranch sshguard[23159]: blacklist: blocking 1644
addresses
May 7 02:53:16 theranch sshguard[23159]: Monitoring attacks from log
files
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated
file /var/log/auth.log.
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated
file /var/log/maillog.
May 7 02:53:16 theranch sshguard[23159]: blacklist: 217.199.161.135 is
already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 217.199.161.135: blocking
forever (3 attacks in 0 secs, after 1 abuses over
0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 185.103.109.70 is
already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 185.103.109.70: blocking
forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 155.133.82.69 is
already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: blocking
forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already
have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already
have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already
have been blocked
-----------------------------------------
My recollection is it was suggested to change the regex in the daemon a
bit. Is this still valid?
-----------------------------------------------
The daemon file /usr/local/etc/rc.d/sshguard (well
truncatred a bit) follows.
#!/bin/sh
#
# Add the following lines to /etc/rc.conf to enable sshguard:
# sshguard_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable sshguard
# sshguard_pidfile (str): Path to PID file.
# Set to "/var/run/sshguard.pid" by default
# sshguard_watch_logs (str): Colon splitted list of logs to watch.
# Set to "/var/log/auth.log:/var/log/maillog"
# by default.
# The following options directly maps to their command line options,
# please read manual page sshguard(8) for detailed information:
# sshguard_blacklist (str): [thr:]/path/to/blacklist.
# Set to "30:/var/db/sshguard/blacklist.db"
# by default.
# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default.
# sshguard_release_interval (int):
# Minimum interval an address remains
# blocked. Set to "120" by default.
# sshguard_reset_interval (int):
# Interval before a suspected attack is
# forgotten and danger is reset to 0.
# Set to "1800" by default.
# sshguard_whitelistfile (str): Path to the whitelist.
# Set to "/usr/local/etc/sshguard.whitelist"
# by default.
# sshguard_flags (str): Set additional command line arguments.
#
. /etc/rc.subr
name=sshguard
rcvar=sshguard_enable
load_rc_config sshguard
: ${sshguard_enable:=NO}
: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
: ${sshguard_danger_thresh=30}
: ${sshguard_release_interval=120}
: ${sshguard_reset_interval=1800}
: ${sshguard_whitelistfile="/usr/local/etc/sshguard.whitelist"}
: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
command=/usr/sbin/daemon
actual_command="/usr/local/sbin/sshguard"
procname="${actual_command}"
start_precmd=sshguard_prestart
command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
sshguard_prestart()
{
# Clear rc_flags so sshguard_flags can be passed to sshguard
# instaed of daemon(8)
rc_flags=""
if [ ! -z ${sshguard_blacklist} ]; then
mkdir -p $(dirname ${sshguard_blacklist##*:})
sshguard_blacklist_params="-b ${sshguard_blacklist}"
fi
[ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
}
run_rc_command "$1
|
|
From: <li...@la...> - 2016-05-07 00:47:37
|
On Thu, 5 May 2016 23:32:49 -0700 Kevin Zheng <kev...@gm...> wrote: > On 05/05/2016 23:31, li...@la... wrote: > > Can someone put the instructions for compiling sshguard using > > automake on the website? > > Building from source: > > http://www.sshguard.net/docs/setup/compile-install/ > > Hope that helps. > > Best, > Kevin > No issues in compilation. Verification new version running: # sshguard -v sshguard 1.6.4 I got this line a number of times, but I think it means the IP addresses are already in the blocked database. ipfw: setsockopt(IP_FW_TABLE_XADD): File exists Hmmh, no new blocked IPs in the last 12 minutes. Maybe the hackers are taking a coffee break. I will give this an hour and then check the log. |
|
From: <li...@la...> - 2016-05-06 07:37:49
|
That looks great. It is a bit embarrassing since you emailed that to me, but I couldn't find the message. I will build it later today. I guess it would be stating the obvious that you have to rename the old sshguard directory else git will complain. Original Message From: Kevin Zheng Sent: Thursday, May 5, 2016 11:33 PM To: ssh...@li... Subject: Re: [SSHGuard-users] Automake and sshguard source On 05/05/2016 23:31, li...@la... wrote: > Can someone put the instructions for compiling sshguard using automake > on the website? Building from source: http://www.sshguard.net/docs/setup/compile-install/ Hope that helps. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ sshguard-users mailing list ssh...@li... https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Kevin Z. <kev...@gm...> - 2016-05-06 06:32:58
|
On 05/05/2016 23:31, li...@la... wrote: > Can someone put the instructions for compiling sshguard using automake > on the website? Building from source: http://www.sshguard.net/docs/setup/compile-install/ Hope that helps. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2016-05-06 06:31:13
|
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style> body { font-family: "Calibri","Slate Pro",sans-serif,"sans-serif"; color:#262626 }</style> </head> <body lang="en-US"><div>Can someone put the instructions for compiling sshguard using automake on the website?</div><div><span style="font-family: Calibri, 'Slate Pro', sans-serif, sans-serif;"><br></span></div><div><span style="font-family: Calibri, 'Slate Pro', sans-serif, sans-serif;"><br></span></div><div><br></div><div></div></body></html>
|
|
From: Jos C. <ssh...@cl...> - 2016-05-05 20:24:57
|
Can you pls update the content of the SSHGuard submission page?
Right frame shows
Lates ReleasesView all» <http://www.sshguard.net/download/releases/>
* sshguard 1.5
<http://freshmeat.net/projects/sshguard#release_328284>This is a
milestone release, coming after 18 months ...
* sshguard 1.5
<http://freecode.com/projects/sshguard#release_328284>Sshguard
monitors services through their logging activity. It reacts ...
* sshguard 1.5rc4
<http://freshmeat.net/projects/sshguard#release_320398>This release
candidate fixes the last known bugs submitted ...
on which View all starts with the 1.5 Feb 2011 release/version.
thanks,
Jos Chrispijn
|
|
From: Willem J. W. <wj...@di...> - 2016-05-04 08:15:21
|
On 4-5-2016 06:16, Kevin Zheng wrote: > On 05/03/2016 08:36, Jos Chrispijn wrote: >> Is there a way of blocking port scanners and treat them as false login? > > Yes, by adding these signatures and monitoring 'all.log'. But this > wouldn't stop these log messages from showing up, because the attackers > would still hit the firewall. It doesn't make sense to have a firewall > protecting the firewall. > >> May 3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 >> x.x.x.x:28997 in via re0 >> May 3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 >> x.x.x.x:11505 in via re0 >> May 3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 >> x.x.x.x:21643 in via re0 >> May 3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 >> x.x.x.x:28800 in via re0 > > I think this is beyond the scope of SSHGuard. SSHGuard protects against > service attacks, not port scans. The intent of SSHGuard is to use a > firewall to prevent rapid attacks against services (that takes up CPU > and memory resources). As a blunt tools I use portsentry. If you hit any of the ports normlly used with backdoors, p2p, ... all kinds of things I do not serve and do not want to be accessed. I'm using it in the same way as sshguard: ipfw table <nr of choice> add <ipnr> And then build a list of tables that are being blocked.... 01050 deny ip from table(10) to any 01060 deny ip from table(21) to any 01070 deny ip from table(22) to any 01080 deny ip from table(25) to any 01090 deny ip from table(26) to any 01100 deny ip from table(40) to any 01110 deny ip from table(41) to any 01120 deny ip from table(42) to any 01130 deny ip from table(43) to any 01140 deny ip from table(50) to any 01150 deny ip from table(53) to any 01160 deny ip from table(54) to any 01170 deny ip from table(55) to any 01180 deny ip from table(56) to any 01190 deny ip from table(57) to any 01200 deny ip from table(58) to any 01210 deny ip from table(59) to any 01220 deny ip from table(60) to any 01230 deny ip from table(70) to any 01240 deny ip from table(75) to any 01250 deny ip from table(80) to any 01260 deny ip from table(81) to any 01270 deny ip from table(86) to any --WjW |
|
From: Kevin Z. <kev...@gm...> - 2016-05-04 04:16:25
|
On 05/03/2016 08:36, Jos Chrispijn wrote: > Is there a way of blocking port scanners and treat them as false login? Yes, by adding these signatures and monitoring 'all.log'. But this wouldn't stop these log messages from showing up, because the attackers would still hit the firewall. It doesn't make sense to have a firewall protecting the firewall. > May 3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 > x.x.x.x:28997 in via re0 > May 3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 > x.x.x.x:11505 in via re0 > May 3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 > x.x.x.x:21643 in via re0 > May 3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 > x.x.x.x:28800 in via re0 I think this is beyond the scope of SSHGuard. SSHGuard protects against service attacks, not port scans. The intent of SSHGuard is to use a firewall to prevent rapid attacks against services (that takes up CPU and memory resources). -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: Jos C. <ssh...@cl...> - 2016-05-03 15:36:57
|
Is there a way of blocking port scanners and treat them as false login? From my FreeBSD all.log May 3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:28997 in via re0 May 3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:11505 in via re0 May 3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:21643 in via re0 May 3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:28800 in via re0 Best regards, Jos Chrispijn |
|
From: Mark F. <fe...@Fr...> - 2016-05-02 16:44:06
|
On Mon, May 2, 2016, at 11:42, Kevin Zheng wrote: > On 05/02/2016 08:56, Mark Felder wrote: > >> Most notably, some default options have changed. The abuse threshold has > >> been reduced to 30 (3 attacks) and the initial block time has been > >> lowered to 2 minutes (from 7). These settings can be overridden from the > >> command line. Package maintainers should check their scripts. > >> > > > > The man page has not been updated to reflect these changes. > > Oops, thanks for catching the issue. An updated man page has been > committed, and the diff between 1.6.4 is attached. > This was not noted in the release notes, but I will make sure this is reflected in the FreeBSD port +.B \fB\-s\fP \fIinterval\fP (default 1800 secs, or 30 minutes) -- Mark Felder ports-secteam member fe...@Fr... |
|
From: Kevin Z. <kev...@gm...> - 2016-05-02 16:42:39
|
On 05/02/2016 08:56, Mark Felder wrote: >> Most notably, some default options have changed. The abuse threshold has >> been reduced to 30 (3 attacks) and the initial block time has been >> lowered to 2 minutes (from 7). These settings can be overridden from the >> command line. Package maintainers should check their scripts. >> > > The man page has not been updated to reflect these changes. Oops, thanks for catching the issue. An updated man page has been committed, and the diff between 1.6.4 is attached. Thanks, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: Mark F. <fe...@Fr...> - 2016-05-02 16:11:50
|
On Thu, Apr 28, 2016, at 20:24, Kevin Zheng wrote: > > Most notably, some default options have changed. The abuse threshold has > been reduced to 30 (3 attacks) and the initial block time has been > lowered to 2 minutes (from 7). These settings can be overridden from the > command line. Package maintainers should check their scripts. > The man page has not been updated to reflect these changes. -- Mark Felder ports-secteam member fe...@Fr... |
|
From: Jos C. <ssh...@cl...> - 2016-04-30 11:34:04
|
In een bericht van 29-4-2016 2:53: > This attack will be detected in 1.6.4. Thanks for this and letting us use your program - it saves me a lot of time (earlier blocked ip's by hand)... Best regards, Jos Chrispijn |
|
From: Jos C. <ssh...@cl...> - 2016-04-30 11:32:21
|
Dear team, > I am pleased to announce the release of SSHGuard 1.6.4 [1]. This release > brings updated signatures, usability improvements, and bug fixes. > Highlights in this release include: Great news! Can you pls put this version in de FreeBSD Ports collection? thanks, Jos Chrispijn |
|
From: Kevin Z. <kev...@gm...> - 2016-04-29 01:24:58
|
Greetings,
I am pleased to announce the release of SSHGuard 1.6.4 [1]. This release
brings updated signatures, usability improvements, and bug fixes.
Highlights in this release include:
- Match Postfix pre-authentication disconnects
- Fix bashisms in iptables backend
- Fix size argument in inet_ntop() call
- Remove excessive logging when polling from files
- Keep looking for unreadable files while polling
- Update Dovecot signature for POP3
- Match "Connection reset" message for SSH
- Resurrect PID file option by popular demand
- Adjust default abuse threshold
Most notably, some default options have changed. The abuse threshold has
been reduced to 30 (3 attacks) and the initial block time has been
lowered to 2 minutes (from 7). These settings can be overridden from the
command line. Package maintainers should check their scripts.
The PID file option (-p) has been resurrected.
As usual, please report any bugs, build failures, or other issues to
the mailing list or the Bitbucket tracker [2].
If you haven't already, please take 2-3 minutes to complete a survey
about how you use SSHGuard:
https://docs.google.com/forms/d/1UQHrtq7uhpopWDsNmvYyVbwKpupkgHAwcd3SwmTMaNc/viewform?usp=send_form
Best,
Kevin
[1] https://sourceforge.net/projects/sshguard/files/sshguard/1.6.4/
[2] https://bitbucket.org/sshguard/sshguard/issues/
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Kevin Z. <kev...@gm...> - 2016-04-29 00:53:25
|
On 04/27/2016 11:11, Jos Chrispijn wrote: > Just to inform you that this line is ignored in your scan: > > Apr 27 13:45:26 ceto postfix/smtpd[71252]: warning: > unknown[115.159.143.169]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 > > Can you fix and/or let me know how to configure? Thanks. This attack will be detected in 1.6.4. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: Jos C. <ssh...@cl...> - 2016-04-27 18:11:13
|
[sshguard-ipfw-1.6.3_1] Dear team, Just to inform you that this line is ignored in your scan: Apr 27 13:45:26 ceto postfix/smtpd[71252]: warning: unknown[115.159.143.169]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Can you fix and/or let me know how to configure? Thanks. /JosC -- |
|
From: Kevin Z. <kev...@gm...> - 2016-04-24 05:00:03
|
Greetings,
SSHGuard 1.6.4 is just around the corner, bringing these changes:
- Match Postfix pre-authentication disconnects
- Fix bashisms in iptables backend
- Fix size argument in inet_ntop() call
- Remove excessive logging when polling from files
- Keep looking for unreadable files while polling
- Update Dovecot signature for POP3
- Match "Connection reset" message for SSH
- Resurrect PID file option by popular demand
- Adjust default abuse threshold
Most notably, some default options have changed. The abuse threshold has
been reduced to 30 (3 attacks) and the initial block time has been
lowered to 2 minutes (from 7). These settings can be overridden from the
command line. Package maintainers should check their scripts.
The PID file option (-p) has been resurrected.
If no major issues come up, the 1.6.4 tarball will be released in the
coming week. You can test-drive this release by cloning from the
'master' branch in the Bitbucket repository.
Cheers,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Henri S. <hen...@gm...> - 2016-04-20 06:10:14
|
> This issue was fixed right after the 1.6.3 release. So it hasn't been released yet. I can check out from the git repository / wait until it is main stream. Just glad to know that the attack is detected as an attack in the current versions! I am glad I decided to contact the list rather than start editing the code manually trying to add this particular attack detection if the problem had already been resolved. I guessed it was an attack that should be detected. Thank you for all your help and in particular taking the time to look at the problem. No need to issue a patch just for me! Thanks again! -------------------------------------------------------------------- This email is protected by LBackup, an open source backup solution http://www.lbackup.org |
|
From: Kevin Z. <kev...@gm...> - 2016-04-20 03:36:50
|
On 04/19/2016 19:18, Henri Shustak wrote: >> What version of SSHGuard are you using? > > SSHGuard version : 1.6.1 : OK, not the latest but it is fairly recent > right? Oops, this is embarassing. This issue was fixed right after the 1.6.3 release. So it hasn't been released yet. > Note : This is SSHGuard was installed via brew on a Mac OS X system. > I have confirmed that if password authentication enabled and you do > not connect with a key and instead try to use a password, then it > SSHGuard works great! > >> What pre-auth disconnect message showed up in the logs? > > Connection closed by 123.255.41.127 [preauth] The development version in Git recognizes this attack. Next release is planned for early May, but in the meantime I can provide a patch against 1.6.3. Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
2 messages has been excluded from this view by a project administrator.
