sshguard-users — User questions and answers, bugs, and general support

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Bradley G. <pi...@ma...>]

On Feb 7, 2015, at 7:28 PM, Kevin Zheng <kev...@gm...> wrote:

> Signed PGP part
> On 02/05/15 15:01, Bradley Giesbrecht wrote:
> > I maintain the MacPorts sshguard package and will add your patch to
> > our build.
> 
> Fantastic! Thanks for maintaining the package!
> 
> > Do you know if there are any plans to roll a new release of
> > sshguard?
> 
> Yes, since there have been some major release-worthy changes (most
> notably human-readable blacklisting) from the last release, which was
> quite some time ago. Unfortunately, there's no ETA for this since it
> depends on how busy Mij and I are.
> 
> Meanwhile, testing the development version (from Bitbucket) and
> reporting issues (or lack thereof) is well appreciated.

Done. MacPorts is now building with 95f80c8 from BitBucket.

http://trac.macports.org/changeset/132790


Regards,
Bradley Giesbrecht (pixilla)

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Kevin Z. <kev...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/05/15 15:01, Bradley Giesbrecht wrote:
> I maintain the MacPorts sshguard package and will add your patch to
> our build.

Fantastic! Thanks for maintaining the package!

> Do you know if there are any plans to roll a new release of
> sshguard?

Yes, since there have been some major release-worthy changes (most
notably human-readable blacklisting) from the last release, which was
quite some time ago. Unfortunately, there's no ETA for this since it
depends on how busy Mij and I are.

Meanwhile, testing the development version (from Bitbucket) and
reporting issues (or lack thereof) is well appreciated.

Thanks,
Kevin Zheng
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJU1tfxAAoJEOrPD3bCLhCQ7DcIAKux0pDagzWKrU8D/xNaCqgP
ThsVHydFbhZ8yodb03h4ryM5JT9YhzKLmqH1COT9M/COb6YUDsIPyNrchYQSRyC7
QT/X56YCMUC8kymeK6icEa2LFIXZaBfJsoIgRxoCNvArzbUofLNLwkDD8fD9Kzqy
GYqcToGjBEz8gATscQi25h4rVQVPidvWm3ItLPPjXqtKSQm+Tdac80mZUUmRNTas
svRnQN5dET2IJTDueo9AI+ICNaqTm7smHCfssGCLQDuc6s/PRns025dQFunGYgjW
vCcecaHBodiDmuaD4ui+i7o/rF2hAxd/DKp6orG/Q+ntTNk6yhpkc07NYRvGvkE=
=WUN/
-----END PGP SIGNATURE-----

Re: [Sshguard-users] Where are blocked IPs listed in OS X?

[LuKreme <kr...@kr...>]

On 06 Feb 2015, at 14:53 , LuKreme <kr...@kr...> wrote:
> Where is that IP listed as being blocked other than in the logs? It’s not listed in any file in /etc/* but it stops appearing in system.log after sshguard block it.

Never mind. Doh.

# pfctl -T show -t sshguard

-- 
'There's Mr Dibbler.' 'What's he selling this time?' 'I don't think he's
trying to sell anything, Mr Poons.' 'It's that bad? Then we're probably
in lots of trouble.' --Reaper Man

[Sshguard-users] Where are blocked IPs listed in OS X?

[LuKreme <kr...@kr...>]

Feb  6 14:42:58 Jaka sshguard[160]: Blocking 87.106.151.126:4 for >630secs: 40 danger in 4 attacks over 93 seconds (all: 40d in 1 abuses over 93s).

Where is that IP listed as being blocked other than in the logs? It’s not listed in any file in /etc/* but it stops appearing in system.log after sshguard block it.

(Under OS X 10.10)

-- 
Commander: "Seems odd you'd name your ship after a battle you were on
the wrong side of." 
 
Mal: "May have been the losing side. Still not convinced it was the
wrong one."

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Alan S. <st...@le...>]

Dear Bradley,

That's great - many thanks (and to you Kevin)

regards

Alan

On 5 Feb 2015, at 21:01, Bradley Giesbrecht <pi...@ma...> wrote:

> On Feb 4, 2015, at 5:03 PM, Kevin Zheng <kev...@gm...> wrote:
> 
>> On 01/27/15 06:25, Alan Stocker wrote:
>>> Any thoughts on what I have setup incorrectly (if anything) or
>>> solutions?
>> 
>> This problem has been fixed recently, and is available in the
>> development repository located at:
>> 
>> https://bitbucket.org/sshguard/sshguard
> 
> Thanks Kevin.
> 
> I maintain the MacPorts sshguard package and will add your patch to our build.
> 
> Do you know if there are any plans to roll a new release of sshguard?
> 
> 
> Regards,
> Bradley Giesbrecht (pixilla)
> 
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/_______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Bradley G. <pi...@ma...>]

On Feb 4, 2015, at 5:03 PM, Kevin Zheng <kev...@gm...> wrote:

> On 01/27/15 06:25, Alan Stocker wrote:
>> Any thoughts on what I have setup incorrectly (if anything) or
>> solutions?
> 
> This problem has been fixed recently, and is available in the
> development repository located at:
> 
> https://bitbucket.org/sshguard/sshguard

Thanks Kevin.

I maintain the MacPorts sshguard package and will add your patch to our build.

Do you know if there are any plans to roll a new release of sshguard?


Regards,
Bradley Giesbrecht (pixilla)

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Kevin Z. <kev...@gm...>]

Hi Alan,

On 01/27/15 06:25, Alan Stocker wrote:
> Any thoughts on what I have setup incorrectly (if anything) or
> solutions?

This problem has been fixed recently, and is available in the
development repository located at:

https://bitbucket.org/sshguard/sshguard

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Barry M. <bmu...@ga...>]

diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 4a58dd2..af193fb 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -89,6 +89,7 @@ static struct {
 /* ssh */
 %token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF
 %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
+%token SSH_VIA_SUFF
 %token SSH_REVERSEMAP_PREF SSH_REVERSEMAP_SUFF
 %token SSH_NOIDENTIFSTR SSH_BADPROTOCOLIDENTIF SSH_BADPROTOCOLIDENTIF_SUFF
 %token SSH_DISCONNECT_PREF SSH_PREAUTH_SUFF
@@ -278,6 +279,7 @@ ssh_illegaluser:
 ssh_authfail:
     SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
     | SSH_LOGINERR_PAM addr
+    | SSH_LOGINERR_PAM addr SSH_VIA_SUFF
     ;
 
 ssh_reversemapping:
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 5ecdcc8..3956c5d 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -146,6 +146,7 @@ HOSTADDR    localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+|{IPV4}|{IPV6}|{IPV4MAPPED6}
 
  /* wrong password for valid user @ FreeBSD, Debian */
 "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user ")?.+" from "            { return SSH_LOGINERR_PAM; }
+"via ".*                                                        { BEGIN(INITIAL); return SSH_VIA_SUFF; }
 
  /* SSH: reverse mapping "possible break-in attempt!" */
 "reverse mapping checking getaddrinfo for "[^\[]*"["            { BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; }

Re: [Sshguard-users] using sshguard to block attempts at hpn enabled publickey only server

[Vjaceslavs K. <vkl...@gm...>]

I suppose this very the root of the problem was, I was pulling the source
from
https://sshguard.svn.sourceforge.net/svnroot/sshguard/trunk/

Code from https://bitbucket.org/sshguard/sshguard definitely blocks on
Received disconnect from 103.41.124.17: 11:  [preauth]

Thank you.

On Mon, Feb 2, 2015 at 5:27 PM, Kevin Zheng <kev...@gm...> wrote:

> Hi Vjaceslavs,
>
> On 02/02/2015 17:02, Vjaceslavs Klimovs wrote:
> > Just a quick ping on this one, did you have a chance to look at this?
>
> Thanks for the ping, otherwise, I may have forgotten about it!
>
> SSHGuard (in the current development version) correctly detects the
> following message as an attack:
>
> Received disconnect from 103.41.124.17: 11:  [preauth]
>
> Is this the line you intended?
>
> Just as a sanity check, the development version is here:
> https://bitbucket.org/sshguard/sshguard
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

[Sshguard-users] Adding some extra tools to sshguard blacklist handling

[Scott M. <sha...@gm...>]

Dear list..

I found that I needed some extra tools, so I formalized one I found in
a GIST and wrote another one.

https://github.com/shadowbq/sshguard-contrib

sshguard-reprieve

sshguard-dump

Check it out .. Fork it .. Fix it.

Shadowbq

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Barry M. <bmu...@ga...>]

Works!  Thanks Kevin, for the super rapid response!

-Barry



On Tue, Feb 3, 2015 at 1:14 AM, Bradley Giesbrecht <pi...@ma...>
wrote:

>
> On Feb 2, 2015, at 6:11 PM, Bradley Giesbrecht <pi...@ma...>
> wrote:
>
> >
> > On Feb 2, 2015, at 5:22 PM, Kevin Zheng <kev...@gm...> wrote:
> >
> >> Hi Barry,
> >>
> >> On 02/02/2015 18:59, Barry Muldrey wrote:
> >>> Does anyone know who's responsible for printing the "...via 10.0.1.100"
> >>> in the syslog message?
> >>> I presume it's there to tell me which interface the attack came in on
> >>> (for multiple LAN interface machines)?
> >>> Easiest work-around would be to turn off this portion of the message;
> >>> I've tried various LogLevels and SyslogFacilities in sshd_config to no
> >>> avail...
> >>
> >> You (and other people) are invited to test the attached patch.
> >>
> >> Let me know how it works!
> >
> > No errors here but have not been able to confirm correctness though it
> looks good.
>
> Works here. With patch, running sshguard with SSHGUARD_DEBUG matches
> attacks previously ignored.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Bradley G. <pi...@ma...>]

On Feb 2, 2015, at 6:11 PM, Bradley Giesbrecht <pi...@ma...> wrote:

> 
> On Feb 2, 2015, at 5:22 PM, Kevin Zheng <kev...@gm...> wrote:
> 
>> Hi Barry,
>> 
>> On 02/02/2015 18:59, Barry Muldrey wrote:
>>> Does anyone know who's responsible for printing the "...via 10.0.1.100"
>>> in the syslog message?
>>> I presume it's there to tell me which interface the attack came in on
>>> (for multiple LAN interface machines)?
>>> Easiest work-around would be to turn off this portion of the message;
>>> I've tried various LogLevels and SyslogFacilities in sshd_config to no
>>> avail...
>> 
>> You (and other people) are invited to test the attached patch.
>> 
>> Let me know how it works!
> 
> No errors here but have not been able to confirm correctness though it looks good.

Works here. With patch, running sshguard with SSHGUARD_DEBUG matches attacks previously ignored.


Regards,
Bradley Giesbrecht (pixilla)

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Bradley G. <pi...@ma...>]

On Feb 2, 2015, at 5:22 PM, Kevin Zheng <kev...@gm...> wrote:

> Hi Barry,
> 
> On 02/02/2015 18:59, Barry Muldrey wrote:
>> Does anyone know who's responsible for printing the "...via 10.0.1.100"
>> in the syslog message?
>> I presume it's there to tell me which interface the attack came in on
>> (for multiple LAN interface machines)?
>> Easiest work-around would be to turn off this portion of the message;
>> I've tried various LogLevels and SyslogFacilities in sshd_config to no
>> avail...
> 
> You (and other people) are invited to test the attached patch.
> 
> Let me know how it works!

No errors here but have not been able to confirm correctness though it looks good.


Regards,
Bradley Giesbrecht (pixilla)

Re: [Sshguard-users] using sshguard to block attempts at hpn enabled publickey only server

[Kevin Z. <kev...@gm...>]

Hi Vjaceslavs,

On 02/02/2015 17:02, Vjaceslavs Klimovs wrote:
> Just a quick ping on this one, did you have a chance to look at this?

Thanks for the ping, otherwise, I may have forgotten about it!

SSHGuard (in the current development version) correctly detects the
following message as an attack:

Received disconnect from 103.41.124.17: 11:  [preauth]

Is this the line you intended?

Just as a sanity check, the development version is here:
https://bitbucket.org/sshguard/sshguard

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Kevin Z. <kev...@gm...>]

Hi Barry,

On 02/02/2015 18:59, Barry Muldrey wrote:
> Does anyone know who's responsible for printing the "...via 10.0.1.100"
> in the syslog message?
> I presume it's there to tell me which interface the attack came in on
> (for multiple LAN interface machines)?
> Easiest work-around would be to turn off this portion of the message;
> I've tried various LogLevels and SyslogFacilities in sshd_config to no
> avail...

You (and other people) are invited to test the attached patch.

Let me know how it works!

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Barry M. <bmu...@ga...>]

Does anyone know who's responsible for printing the "...via 10.0.1.100" in
the syslog message?
I presume it's there to tell me which interface the attack came in on (for
multiple LAN interface machines)?
Easiest work-around would be to turn off this portion of the message; I've
tried various LogLevels and SyslogFacilities in sshd_config to no avail...

thoughts?


_-_-_-_-_-_-_-_-_-_-_-_-

Barry John Muldrey Jr.

Doctoral Student and Graduate Researcher,
Georgia Institute of Technology


www.barrymuldrey.com
+1 (504) 975-7971
689 Berne St SE, Apt C
Atlanta, GA 30312-3529
USA

On Mon, Feb 2, 2015 at 7:52 PM, Barry Muldrey <bmu...@ga...> wrote:

> Thanks, Kevin.  I'll continue to poke around
> ...and monitor this thread for news
>
>
> On Mon, Feb 2, 2015 at 7:47 PM, Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Barry,
>>
>> On 02/02/2015 14:52, Barry Muldrey wrote:
>> >  /* wrong password for valid user @ FreeBSD, Debian */
>> > "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
>> > ")?.+" from "            { return SSH_LOGINERR_PAM; }
>> >
>> > which seems to be the appropriate pattern...
>>
>> Not quite. You're looking at the lexer, which is responsible for
>> retrieving separable tokens. To add "via", you are interested in
>> 'attack_parser.y', in particular these lines:
>>
>> ssh_authfail:
>>     SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
>>     | SSH_LOGINERR_PAM addr
>>     ;
>>
>> The solution is to add a new lexer token along the lines of
>> SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.
>>
>> This should not be difficult, but isn't exactly trivial either.
>> Hopefully I'll get around to this soon.
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>> look and join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>
>

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Barry M. <bmu...@ga...>]

Thanks, Kevin.  I'll continue to poke around
...and monitor this thread for news


On Mon, Feb 2, 2015 at 7:47 PM, Kevin Zheng <kev...@gm...> wrote:

> Hi Barry,
>
> On 02/02/2015 14:52, Barry Muldrey wrote:
> >  /* wrong password for valid user @ FreeBSD, Debian */
> > "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
> > ")?.+" from "            { return SSH_LOGINERR_PAM; }
> >
> > which seems to be the appropriate pattern...
>
> Not quite. You're looking at the lexer, which is responsible for
> retrieving separable tokens. To add "via", you are interested in
> 'attack_parser.y', in particular these lines:
>
> ssh_authfail:
>     SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
>     | SSH_LOGINERR_PAM addr
>     ;
>
> The solution is to add a new lexer token along the lines of
> SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.
>
> This should not be difficult, but isn't exactly trivial either.
> Hopefully I'll get around to this soon.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Kevin Z. <kev...@gm...>]

Hi Barry,

On 02/02/2015 14:52, Barry Muldrey wrote:
>  /* wrong password for valid user @ FreeBSD, Debian */
> "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
> ")?.+" from "            { return SSH_LOGINERR_PAM; }
>  
> which seems to be the appropriate pattern... 

Not quite. You're looking at the lexer, which is responsible for
retrieving separable tokens. To add "via", you are interested in
'attack_parser.y', in particular these lines:

ssh_authfail:
    SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
    | SSH_LOGINERR_PAM addr
    ;

The solution is to add a new lexer token along the lines of
SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.

This should not be difficult, but isn't exactly trivial either.
Hopefully I'll get around to this soon.

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Kevin Z. <kev...@gm...>]

On 02/02/2015 14:20, Willem Jan Withagen wrote:
> The parsing trace tells you that it accepts the ipnr as ipnr, but then
> then next word is unexpected in the grammar.
> So the via 10.0.1.100 is creating a "syntax error"
> 
> This is inherent to the way the syntax rules are build.
> And the syntax rules are only modifiable at compile time.
> And need to be written 101% matching, otherwise the line will be skipped.

Willem's analysis is correct. The solution is to add rules to parse the
"via" message correctly. I'll get around to this eventually, but anyone
is welcome to submit a patch here as well.

> I'm still not very shure if this is really a desired concept for logfile
> parsing. E.g. openssh changes its log format, and "all of a sudden" log
> output is no longer generating desired reactions.
> 
> It requires "flexible" ways of specifying scanner and parser input,
> which is not really a trivial thing.

This is a tricky issue. Several other (non-SSHGuard) log parsers have
had significant "log-injection" vulnerabilities due to weak regular
expressions or inadequate sanity checking.

SSHGuard's decision has generally been to enforce strong rules, since
the alternative is somewhat risky (i.e. root compromise).

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

Re: [Sshguard-users] using sshguard to block attempts at hpn enabled publickey only server

[Vjaceslavs K. <vkl...@gm...>]

Hi Kevin,
Just a quick ping on this one, did you have a chance to look at this?

On Mon, Jan 26, 2015 at 12:41 PM, Vjaceslavs Klimovs <vkl...@gm...>
wrote:

> I am happy to test code from SVN or provide more raw logs if needed.
>
>
> On Mon, Jan 26, 2015 at 11:47 AM, Kevin Zheng <kev...@gm...>
> wrote:
>
>> Hi Vjaceslavs,
>>
>> On 01/26/15 03:03, Vjaceslavs Klimovs wrote:
>> > Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from
>> > 103.41.124.17 <http://103.41.124.17>: 11:  [preauth]
>> >
>> > That's all they leave in the logs (no "invalid user" and
>> > "input_userauth_request:" lines), and that does not get detected.
>> >
>> > Presumably, the second case should be detected too?
>>
>> The "Received disconnect" and "[preauth]" message should be detected as
>> an attack. SSHGuard does not use simple regex matching, but instead a
>> parser, so I'll have to check how I implemented this one.
>>
>> I suspect that it's the "11:" throwing it off, but I'll have to check. I
>> will get back to you on this soon.
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>> look and join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>
>

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Barry M. <bmu...@ga...>]

>
> found this (line 146) in "attack_scanner.l":


 /* wrong password for valid user @ FreeBSD, Debian */
"error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
")?.+" from "            { return SSH_LOGINERR_PAM; }

which seems to be the appropriate pattern...
is there a quick way I can add to that pattern to keep it from spazzing out
when it gets the "via xx.xx.xx.xx"   ????

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Willem J. W. <wj...@di...>]

On 2-2-2015 20:44, Bradley Giesbrecht wrote:
> On Feb 2, 2015, at 11:05 AM, Barry Muldrey <bmu...@ga...> wrote:
> 
>> sshd is producing the following in my system.log:
>>
>>     Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
>>
>> sshguard is not recognizing the threat (debug output below).
>> If I submit the following, the attack is recognized:
>>
>>     Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9
>>
>> (please note "Error: popping nterm text ()" at the end of parser output...)
>>
>> Ideas, anyone??
> 
> I'm seeing the same thing. No answer but your not alone.
> 
> Regards,
> Bradley Giesbrecht (pixilla)

The parsing trace tells you that it accepts the ipnr as ipnr, but then
then next word is unexpected in the grammar.
So the via 10.0.1.100 is creating a "syntax error"

This is inherent to the way the syntax rules are build.
And the syntax rules are only modifiable at compile time.
And need to be written 101% matching, otherwise the line will be skipped.

I'm still not very shure if this is really a desired concept for logfile
parsing. E.g. openssh changes its log format, and "all of a sudden" log
output is no longer generating desired reactions.

It requires "flexible" ways of specifying scanner and parser input,
which is not really a trivial thing.

--WjW

Re: [Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Bradley G. <pi...@ma...>]

On Feb 2, 2015, at 11:05 AM, Barry Muldrey <bmu...@ga...> wrote:

> sshd is producing the following in my system.log:
> 
>     Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
> 
> sshguard is not recognizing the threat (debug output below).
> If I submit the following, the attack is recognized:
> 
>     Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9
> 
> (please note "Error: popping nterm text ()" at the end of parser output...)
> 
> Ideas, anyone??

I'm seeing the same thing. No answer but your not alone.

Regards,
Bradley Giesbrecht (pixilla)

[Sshguard-users] OS X 10.10 (Yosemite) and "authentication error for <user> from <ip> via <ip>"

[Barry M. <bmu...@ga...>]

sshd is producing the following in my system.log:

    Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication
error for root from 115.239.228.9 via 10.0.1.100

sshguard is not recognizing the threat (debug output below).
If I submit the following, the attack is recognized:

    Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication
error for root from 115.239.228.9

(please note "Error: popping nterm text ()" at the end of parser output...)

Ideas, anyone??


######################
# BEGIN DEBUG OUTPUT
######################

Feb  2 13:45:59 crackfox.local sshd[8027]: error: PAM: authentication error
for root from 115.239.228.9 via 10.0.1.100
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Feb  2 13:45:59
crackfox.local sshd[8027]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication
error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
Reading a token: --accepting rule at line 201 ("115.239.228.9")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 9
Entering state 56
Reducing stack by rule 34 (line 279):
   $1 = token SSH_LOGINERR_PAM ()
   $2 = nterm addr ()
-> $$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 32
Reducing stack by rule 27 (line 264):
   $1 = nterm ssh_authfail ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --accepting rule at line 221 (" ")
--accepting rule at line 220 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0

[Sshguard-users] OSX - sshguard 1.5 not picking up all attack signatures

[Alan S. <st...@le...>]

Dear all,

I’m using the macports version (1.5.0) of sshguard under OSX 10.9.5 and it appears from the logs to successfully be picking up a number of attacks but not all. I have run the code in debug mode with the following outcomes

Using an example of an attack that does not trigger shhguard directly from the system.log file (I’ve replaced some text with x and the ip of the ‘via’ machine):

Jan 27 06:17:07 xxx.xxx.xxx.uk sshd[14815]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

there’s a whole bunch of output and finally...

Stack now 0
Entering state 23
Reading a token: --accepting rule at line 223 (" ")
--accepting rule at line 222 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0

if i use

error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

I get a similar outcome to above (i.e. the final text is the same as above)

but if I try just the following text

error: PAM: authentication error for root from 115.239.228.7

I get (again after a bit of other output)

Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
Purging stale attackers.

If I then repeat the last version (i.e. error: PAM: authentication error for root from 115.239.228.7) a further three times

I get First abuse of '115.239.228.7', adding to offenders list.
Offender '115.239.228.7:4' scored 40 danger in 1 abuses.
Blocking 115.239.228.7:4 for >630secs: 40 danger in 4 attacks over 133 seconds (all: 40d in 1 abuses over 133s).
Setting environment: SSHG_ADDR=115.239.228.7;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.
Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.

and one further time I get

Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
Purging stale attackers.
Asked to block '115.239.228.7', which was already blocked to my account.

Any thoughts on what I have setup incorrectly (if anything) or solutions?

regards

Alan