sshguard-users — User questions and answers, bugs, and general support

Re: [Sshguard-users] Dolphin and Sshguard

[Muhammed Y. <ben...@gm...>]

27-08-2013 15:41 tarihinde, Muhammed YILDIRIM yazdı:
> Hello.
> When I use Dolphin as a SFTP client and connect to a server Sshguard 
> installed. Sshguard is banning me.
> Can you test with Dolphin and fix this?
I think opening more than one connection causing this.

Re: [Sshguard-users] sshguard arguments question

[Joop B. <joo...@bo...>]

Dear all,

It would also be fine with me if this feature would be add. Then the
"old" option will be still useble.
So that both -l .. -l .. etc and -l .. .. etc will be still OK.
The same for -w .. -w .. etc and -w .. .. etc and -w <space> will be
still OK.

Regards,

Joop.

On Sep 4, 2013 13:41 "Joop Boonen" <joo...@bo...> wrote:

> Dear all,
> 
> I have a question/request about the sshguard arguments.
> 
> Currently the white lists are entered via -w .. -w .. -w etc
> And the watched logs via -l .. -l .. -l etc
> 
> As this is not easily maintainable via a configuration files that
> holds
> the variable with white spaces.
> I have a request could the input for the white lists and the watched
> logs be changed?
> For -w <var1> -w <var2> etc to -w <var1> <var2> etc and the the white
> list will also except an empty with list -w <space>
> 
> And for the watched logs -l <var1> -l <var2> etc to -l <var1> <var2>
> an
> empty value is in the case not needed, as it doesn't make sense.
> 
> Regards,
> 
> Joop.
> 
> 
> ----------------------------------------------------------------------
> --------
> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> Discover the easy way to master current and previous Microsoft
> technologies
> and advance your career. Get an incredible 1,500+ hours of
> step-by-step
> tutorial videos with LearnDevNow. Subscribe today and save!
> <http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.
> clktrk>
> _______________________________________________
> Sshguard-users mailing list
> <Ssh...@li...>
> <https://lists.sourceforge.net/lists/listinfo/sshguard-users>
> 

[Sshguard-users] sshguard arguments question

[Joop B. <joo...@we...>]

Dear all,

I have a question/request about the sshguard arguments.

Currently the white lists are entered via -w .. -w .. -w etc
And the watched logs via -l .. -l .. -l etc

As this is not easily maintainable via a configuration files that holds 
the variable with white spaces.
I have a request could the input for the white lists and the watched 
logs be changed?
For -w <var1> -w <var2> etc to -w <var1> <var2> etc and the the white 
list will also except an empty with list -w <space>

And for the watched logs -l <var1> -l <var2> etc to -l <var1> <var2> an 
empty value is in the case not needed, as it doesn't make sense.

Regards,

Joop.

[Sshguard-users] sshguard arguments question

[Joop B. <joo...@bo...>]

Dear all,

I have a question/request about the sshguard arguments.

Currently the white lists are entered via -w .. -w .. -w etc
And the watched logs via -l .. -l .. -l etc

As this is not easily maintainable via a configuration files that holds 
the variable with white spaces.
I have a request could the input for the white lists and the watched 
logs be changed?
For -w <var1> -w <var2> etc to -w <var1> <var2> etc and the the white 
list will also except an empty with list -w <space>

And for the watched logs -l <var1> -l <var2> etc to -l <var1> <var2> an 
empty value is in the case not needed, as it doesn't make sense.

Regards,

Joop.

[Sshguard-users] Dolphin and Sshguard

[Muhammed Y. <ben...@gm...>]

Hello.
When I use Dolphin as a SFTP client and connect to a server Sshguard 
installed. Sshguard is banning me.
Can you test with Dolphin and fix this?

[Sshguard-users] Reset of information about an IP ?

[<jo...@te...>]

Hello again !

Another thing that would be nice is a reset in an IP.  For instance,
an IP gets up to being banned for 30 minutes today.  If the same IP
gets at it again in 2 weeks, the 30 minutes will not be forgotten (I
presume) and that same IP will be blocked for even a longer time.
Possibly same if the IP gets back 6 months from now.  Is it possible
to reset the information about an IP after a certain time ?

Thanks again !

[Sshguard-users] sshguard blacklists automatically (sshgaurd behaviour)

[<jo...@te...>]

Hello,

From the documentation I would think that the blocked time still keeps
increasing, unless the '-b ' option is given.  The IP is blocked, then
released, then blocked for a longer time, etc...  Man page on web
site:

  "For example, if address A attacks repeatedly and the base blocking
  time is 420 seconds, A will be blocked for 420 seconds (7 mins) at
  the first abuse, 2*420 (14 mins) the second, 2*2*420 (28 mins) the
  third ... and 2^(n-1)*420 the n-th time."

But that's not it.  By default an IP will be blacklisted after a few
failed logins.  I want it to keep on going instead.

So I've added some debug statements in *pardonBlocked(void *par).
In sshguard 1.15 as downloaded from the web site.

  for (pos = 0; pos < list_size(& hell); pos++) {
      tmpel = list_get_at(&hell, pos);
      /* skip blacklisted hosts (pardontime = infinite/0) */

      sshguard_log(LOG_DEBUG, "DEBUG: tmpel->pardontime: %d",
(int)tmpel->pardontime);

      if (tmpel->pardontime == 0) continue;
      /* process hosts with finite pardon time */

      sshguard_log(LOG_DEBUG, "DEBUG: now: %d tmpel->whenlast: %d
      tmpel->pardontime: %d ", (int)now, (int)tmpel->whenlast,
      (int)tmpel->pardontime);

      if (now - tmpel->whenlast > tmpel->pardontime) {
          /* pardon time passed, release block */

     [ ... ]

This time sshguard was started using the following parameters, to have
short debug cycles.  SSHGUARD_DEBUG was also set.

% sshguard -a 30 -p 5 -s 30 -l /var/log/auth.log

Started successfully [(a,p,s)=(30, 5, 30)], now ready to scan.

I've added '-s 30' in the hope that this will provoke the release of
any blocked IP, no matter what. 

ssh was used to connect to the device running sshguard, and wrong
passwords repeatedly entered.  Always fron the same IP.

After the third batch of failed logins (3 failed logins per batch) the
IP is never released.  fw_release() is never executed.  It never gets
executed because for some reason tmpel->pardontime, after being 15,
becomes 0, while sshguard still thinks it has to check it out.
Eg. the list used by the pardonBlocked() thread still has something in
it.

In other words, after three failed logis, the IP becomes blacklisted.

This is because the cumulated danger comes to equate the
opts.blacklist_threshold (120 for both) in report_address() and this
makes tempent->pardontime equal to 0.

And this happens because: 

#define DEFAULT_BLACKLIST_THRESHOLD (3 * DEFAULT_ABUSE_THRESHOLD)

With DEFAULT_ABUSE_THRESHOLD being 40.  The only thing that can change
that is by passing a value using the '-b ' option.

So what I did is to first define DEFAULT_BLACKLIST_THRESHOLD as 0.
Then comment out the check about it right below it.  Then I added:

if (opts.blacklist_threshold != 0) {
  if (offenderent->cumulated_danger >= opts.blacklist_threshold) {

This works OK for the use I'm concerned with, which is an
ever-increasing blocking time w/o any blacklisting.  The '-s ' switch
does not seem to work, though, as I would expect that information
about an IP would be erased after '-s n seconds', if I read the
documentation correctly.  In which case, I'm not sure I did.

Let me know if this makes sense, or if I'm totally wrong, or somewhere
in-between.

Thanks !


Some debug messages.  There's an error popping a token, but I haven't
paid attention to that.

2nd failed login:

 Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
 Purging stale attackers.
 Offender '10.200.22.27:4' scored 60 danger in 2 abuses.
 Blocking 10.200.22.27:4 for >10secs: 30 danger in 2 attacks over 7
seconds (all: 60d in 2 abuses over 59s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
 Reading a token: --accepting rule at line 110 ("May 21 11:21:35
thishost sshd[3791]: ") Next token is token SYSLOG_BANNER_PID ()
 Shifting token SYSLOG_BANNER_PID ()
 Entering state 1
 Reading a token: --accepting rule at line 220 ("PAM")
 Next token is token WORD ()
 Error: popping token SYSLOG_BANNER_PID ()
 Stack now 0
 Cleanup: discarding lookahead token WORD ()
 Stack now 0
 DEBUG: tmpel->pardontime: 10
 DEBUG: now: 1369149696  tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
 DEBUG: now: 1369149699  tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
 DEBUG: now: 1369149701  tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
 DEBUG: now: 1369149704  tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
 DEBUG: now: 1369149707  tmpel->whenlast: 1369149695
tmpel->pardontime: 10 Releasing 10.200.22.27 after 12 seconds.
 Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip


3rd failed login:

 Offender '10.200.22.27:4' scored 90 danger in 3 abuses.
 Blocking 10.200.22.27:4 for >15secs: 30 danger in 2 attacks over 7
seconds (all: 90d in 3 abuses over 128s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
 Reading a token: --accepting rule at line 110 ("May 21 11:22:43
thishost sshd[4391]: ") Next token is token SYSLOG_BANNER_PID ()
 Shifting token SYSLOG_BANNER_PID ()
 Entering state 1
 Reading a token: --accepting rule at line 220 ("PAM")
 Next token is token WORD ()
 Error: popping token SYSLOG_BANNER_PID ()
 Stack now 0
 Cleanup: discarding lookahead token WORD ()
 Stack now 0
 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149764  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149766  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149769  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149772  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149775  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149777  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
 DEBUG: now: 1369149780  tmpel->whenlast: 1369149764
tmpel->pardontime: 15 Releasing 10.200.22.27 after 16 seconds.
 Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /s

4th failed login:

 Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
 Purging stale attackers.
 Blocking 10.200.22.27:4 for >0secs: 30 danger in 2 attacks over 8
seconds (all: 120d in 4 abuses over 198s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
 Reading a token: --accepting rule at line 110 ("May 21 11:23:53
thishost sshd[4976]: ") Next token is token SYSLOG_BANNER_PID ()
 Shifting token SYSLOG_BANNER_PID ()
 Entering state 1
 Reading a token: --accepting rule at line 220 ("PAM")
 Next token is token WORD ()
 Error: popping token SYSLOG_BANNER_PID ()
 Stack now 0
 Cleanup: discarding lookahead token WORD ()
 Stack now 0
 DEBUG: tmpel->pardontime: 0
 DEBUG: tmpel->pardontime: 0
 DEBUG: tmpel->pardontime: 0
 Read line from '/var/log/auth.log'.
 Starting parse
 Entering state 0
 Reading a token: --accepting rule at line 110 ("May 21 11:24:01
thishost CRON[5201]: ") Next token is token SYSLOG_BANNER_PID ()

Now sshguard checks for pardon time in the thread, which is always
repeated:

 Stack now 0
 DEBUG: tmpel->pardontime: 0
 DEBUG: tmpel->pardontime: 0
 DEBUG: tmpel->pardontime: 0
 DEBUG: tmpel->pardontime: 0
[...]
 Read line from '/var/log/auth.log'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:25:01
thishost CRON[5737]: ") Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("pam_unix")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0

[Sshguard-users] sshguard behaviour

[<jo...@te...>]

Hello,

  This is a basic question about how sshgaurd works.  Using the latest
version, sshguard does not seems to react on the IP for the 3rd
occurence of failed logins.  Eg. the '>secs' value becomes 0.

  I would like a confirmation about the algorithm used by sshguard and
how it should behave, it would be much appreciated - thanks !

  Here are the log messages:

May 16 13:27:53 ruggedrouter sshguard[24946]: Started successfully
[(a,p,s)=(50, 420, 600)], now ready to scan.

1st try, OK:

May 16 13:28:59 ruggedrouter sshguard[24946]: Blocking
 10.200.22.27:4 for >630secs: 50 danger in 4 attacks over 21 seconds
 (all: 50d in 1 abuses over 21s).

2nd try, blocks for a longer time:

May 16 13:44:41 ruggedrouter sshguard[24946]: Blocking
 10.200.22.27:4 for >945secs: 50 danger in 5 attacks over 12 seconds
 (all: 100d in 2 abuses over 963s).

3rd try, block time is now 0.

May 16 14:08:07 ruggedrouter sshguard[24946]: Blocking
10.200.22.27:4 for >0secs: 60 danger in 4 attacks over 2 2 seconds
(all: 160d in 3 abuses over 2369s).

[Sshguard-users] Small fix when reading from stdin

[Jeremie Le H. <je...@le...>]

Hey guys,

I'm not subscribed so I hope this mail will go through.

When reading from stdin, this is very probably syslogd(8).  But when
logrotate(8) on Linux or newsyslog(8) on *BSD decices to rotate a
logfile, it will send a SIGHUP to syslogd(8) to tell it to close all
its file descriptors and reopen them.  This leads sshguard to get an EOF
and shut down itself, thus flushing the blacklist from the firewall.

The problem is that on busy servers, log rotation may happen every hour.
Consequently the blacklist will be flushed at the same frequency,
defeating the whole point of blacklisting.

Cheers,

Index: sshguard.c
===================================================================
--- sshguard.c  (revision 238)
+++ sshguard.c  (working copy)
@@ -478,9 +478,13 @@
 
 /* finalization routine */
 static void finishup(void) {
-    /* flush blocking rules */
+    /* flush blocking rules except if we are reading from stdin:
+     * if so we're probably reading syslogd(8) and it will close all its fd
+     * each time a logfile is rotated.  On busy servers this may happen hourly,
+     * defeating the whole point of blacklisting. */
     sshguard_log(LOG_NOTICE, "Got exit signal, flushing blocked addresses and exiting...");
-    fw_flush();
+    if (opts.has_polled_files)
+        fw_flush();
     if (fw_fin() != FWALL_OK) sshguard_log(LOG_ERR, "Cound not finalize firewall.");
     if (whitelist_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the whitelisting system.");
     if (procauth_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the process authorization subsystem.");


-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

Re: [Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Laurent A. <l.a...@fr...>]

Thank you very much Richard.

Cheers,


Laurent.


Le 18/04/2013 00:36, Richard Johnson a écrit :
> On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote:
>> Thanks Richard. Could you elaborate a bit more please for the pf&
>> networking newbbie I am ?
> A typical basic pf.conf will say:
>
>    block
>    pass out
>
> That blocks with ICMP or TCP RST reply all inbound traffic, except traffic
> which matches a state table entry created by the 'pass out' rule (in other
> words, replies to connections you make outbound from your system).
>
> Add anywhere in that rule set:
>
>    block drop in log quick proto tcp from<sshguard>  to any
>
> sshguard will use the<sshguard>  table when it finds an IP doing something
> it considers unfriendly.
>
> That rule will silently block all inbound TCP from a bad IP, except for
> replies to connections you make outbound from your system.
>
> For more, see the sshguard.net web site, which refers to the pf
> man pages and instructions.
>
> Good luck!
>
>
> Richard
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis&  visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Richard J. <rjt...@sa...>]

On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote:
> Thanks Richard. Could you elaborate a bit more please for the pf & 
> networking newbbie I am ?

A typical basic pf.conf will say:

  block
  pass out

That blocks with ICMP or TCP RST reply all inbound traffic, except traffic
which matches a state table entry created by the 'pass out' rule (in other
words, replies to connections you make outbound from your system).

Add anywhere in that rule set:

  block drop in log quick proto tcp from <sshguard> to any

sshguard will use the <sshguard> table when it finds an IP doing something
it considers unfriendly.

That rule will silently block all inbound TCP from a bad IP, except for
replies to connections you make outbound from your system.

For more, see the sshguard.net web site, which refers to the pf
man pages and instructions.

Good luck!


Richard

Re: [Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Laurent A. <l.a...@fr...>]

Thanks Richard. Could you elaborate a bit more please for the pf & 
networking newbbie I am ?

Le 17/04/2013 23:12, Richard Johnson a écrit :
> On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote:
>> Hi,
>>
>> I am a potential new user of sshguard. It looks appealing. However, I
>> wonder if I can mix sshguard with other non ssh pf rules ?
> But of course.
>
> Here's one line from near the start of my approximately 300 line pf.conf:
>
>     block drop in log quick proto tcp from<sshguard>  to any \
>     	label "ssh bruteforce"
>
>
> Richard
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis&  visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Richard J. <rjt...@sa...>]

On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote:
> Hi,
> 
> I am a potential new user of sshguard. It looks appealing. However, I 
> wonder if I can mix sshguard with other non ssh pf rules ?

But of course.

Here's one line from near the start of my approximately 300 line pf.conf:

   block drop in log quick proto tcp from <sshguard> to any \
   	label "ssh bruteforce"


Richard

Re: [Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Jo R. <jr...@ne...>]

Look at "fail2ban" which has plugins for many different logfiles.

On Apr 17, 2013, at 8:52 AM, Laurent Alebarde <l.a...@fr...> wrote:
> I am a potential new user of sshguard. It looks appealing. However, I wonder if I can mix sshguard with other non ssh pf rules ?
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

Author of Instant Puppet 3 Starter: http://www.netconsonance.com/instant-puppet-3-starter-book-homepage/

[Sshguard-users] mix of sshguard with other non ssh pf rules ?

[Laurent A. <l.a...@fr...>]

Hi,

I am a potential new user of sshguard. It looks appealing. However, I 
wonder if I can mix sshguard with other non ssh pf rules ?

Re: [Sshguard-users] DNS exploit blocking?

[Henry Y. <he...@Ae...>]

On Fri, Apr 12, 2013 at 11:07:45AM +0100, Paco Hope wrote:
> 12-Apr-2013 21:49:57.806 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied
> 
> A bit of research suggests that this is probably logged when someone is
> trying to exploit this vulnerability:
> https://www.isc.org/software/bind/advisories/cve-2012-5166

The queries against isc.org are almost certainly part of the world-wide
DDoS DNS amplification attack (see cloudfare, spamhaus, etc.).

Although sshguard could be used to block these, it's better to make
sure your DNS server doesn't respond to these at all; the attack
isn't against your DNS server but rather against the system whose
IP address to which your server would otherwise respond.

[Sshguard-users] DNS exploit blocking?

[Paco H. <pa...@pa...>]

Hi all,

I noticed a bunch of log messages in my bind server logs that look like this:
12-Apr-2013 21:32:05.692 security: client 117.197.202.83#4762 (ns.nova.org): query (cache) 'ns.nova.org/A/IN' denied
12-Apr-2013 21:32:06.707 security: client 117.197.202.83#4774 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied
12-Apr-2013 21:40:02.704 security: client 190.34.213.4#2029 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied
12-Apr-2013 21:40:08.385 security: client 190.79.216.111#1075 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied
12-Apr-2013 21:47:55.083 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied
12-Apr-2013 21:47:58.911 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied
12-Apr-2013 21:48:54.411 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied
12-Apr-2013 21:48:57.818 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied
12-Apr-2013 21:49:53.984 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied
12-Apr-2013 21:49:57.806 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied

A bit of research suggests that this is probably logged when someone is trying to exploit this vulnerability:
https://www.isc.org/software/bind/advisories/cve-2012-5166

Seems to me we could use these to block hosts as well. Any thoughts?

Regards,
Paco

[Sshguard-users] sshguard on Mountain Lion

[Mike L. <ml...@gm...>]

Hacking around in the code, it looks like there are a couple of things
mangling the scanner:

1) It chokes on the "<Error>:" term and doesn't scan the rest of the line.
2) It use the word "via" instead of "from".

I don't much know my way around lex, so I'm pretty much shooting in the
dark.

This patch at least recognizes an attack, but it seems to attribute it to
*MY* IP address.  It seesm to grab the address after the "via" instead of
the "from" and think that is the attacker.

diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 45e7c22..1123bf3 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -107,7 +107,7 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
   */

  /* handle entries with PID and without PID from processes other than
sshguard */
-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"] "{SOLARIS_MSGID_TAG}? {
         /* extract PID */
         yylval.num = getsyslogpid(yytext, yyleng);
         return SYSLOG_BANNER_PID;
@@ -145,6 +145,9 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
  /* wrong password for valid user @ FreeBSD, Debian */
 "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
")?.+" from "            { return SSH_LOGINERR_PAM; }

+ /* wrong password for valid user @ OS X 10.8.x */
+"<Error>: error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal
user ")?.+" via "            { return SSH_LOGINERR_PAM; }
+
  /* SSH: reverse mapping "possible break-in attempt!" */
 "reverse mapping checking getaddrinfo for "[^\[]*"["            {
BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; }
 <ssh_reversemap>"] ".*"POSSIBLE BREAK-IN ATTEMPT!"              {
BEGIN(INITIAL); return SSH_REVERSEMAP_SUFF; }

[Sshguard-users] sshguard on OS X Mountain Lion

[Mike L. <ml...@gm...>]

Does anyone have any patches available to make SSHGuard work on Mountain
Lion?

The syslog entry for a failed ssh attempt seems to be:

Apr  7 09:23:37 myhost.sample.com sshd[40585] <Error>: error: PAM:
authentication error for root from attacker.sample.com via 192.168.1.10


In testing, no matter how many times I fail the login attempt, my test
machine never gets blocked.

I built with:

./configure --with-firewall=pf

Re: [Sshguard-users] Postfix?

[Mij <mi...@ss...>]

Hello Charles,

Correct, SSHGuard does not support Postfix ATM. Please submit your
attack strings here, and we'll add them next round:

http://www.sshguard.net/support/attacks/submit/

You can find a synthesized list of supported patterns here:

http://www.sshguard.net/docs/reference/attack-signatures/


On Apr 2, 2013, at 01:00 , Charles Sprickman wrote:

> Hello,
> 
> I've been using sshguard with sshd for ages.  I'm starting to get a bit 
> cheezed-off with all the smtp-auth guessing going on, but I'm not seeing 
> Postfix as a supported option.  Is this correct?
> 
> Thanks,
> 
> Charles
> 
> ------------------------------------------------------------------------------
> Own the Future-Intel® Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game 
> on Steam. $5K grand prize plus 10 genre and skill prizes. 
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Postfix?

[Jo R. <jr...@ne...>]

Look at fail2ban, where you can monitor many services and correlate attacks between then.

On Apr 1, 2013, at 4:00 PM, Charles Sprickman <sp...@bw...> wrote:
> I've been using sshguard with sshd for ages.  I'm starting to get a bit 
> cheezed-off with all the smtp-auth guessing going on, but I'm not seeing 
> Postfix as a supported option.  Is this correct?
> 
> Thanks,
> 
> Charles
> 
> ------------------------------------------------------------------------------
> Own the Future-Intel&reg; Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game 
> on Steam. $5K grand prize plus 10 genre and skill prizes. 
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

[Sshguard-users] Postfix?

[Charles S. <sp...@bw...>]

Hello,

I've been using sshguard with sshd for ages.  I'm starting to get a bit 
cheezed-off with all the smtp-auth guessing going on, but I'm not seeing 
Postfix as a supported option.  Is this correct?

Thanks,

Charles

[Sshguard-users] join mailing list

[Douglas D. <do...@sa...>]

[Sshguard-users] join

[Douglas D. <do...@sa...>]

[Sshguard-users] Dovecot dictionary attack goes unnoticed

[WarnerJan V. <war...@qp...>]

Hello list,

My Dovecot server is getting hammered with dictionary logins. I can't 
get SSHGuard to block these. I can confirm SSHGuard is working since all 
the SSH attempts get properly blocked. I can see their IP's in iptables -nL.

In /var/log/auth.log are hundreds of these lines:
Mar  7 10:28:51 XXX dovecot-auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=root 
rhost=190.15.174.126  user=root

I find similar lines in /var/log/syslog (but I don't feed that logfile 
to the LogSucker, should I??)
Mar  7 10:29:23 xxx dovecot: pop3-login: Disconnected (auth failed, 1 
attempts): user=<root>, method=PLAIN, rip=190.15.174.126, lip=X.X.X.X

This is the line that starts SSHGuard in init.d/sshguard:
/usr/local/sbin/sshguard -l /var/log/mail.info -l /var/log/auth.log -w 
/etc/sshguard_whitelist  > /dev/null 2>&1 &

What more should I do that have SSHGuard catch the dovecot attempts? 
(Running Debian 6, Dovecot 1.2.15, SSHGuard 1.5.0)

Cheers!

WarnerJan