Menu
▾
▴
sshguard-users — User questions and answers, bugs, and general support
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
(10) |
Apr
(7) |
May
(6) |
Jun
(13) |
Jul
(4) |
Aug
|
Sep
|
Oct
(17) |
Nov
(5) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(2) |
Feb
|
Mar
|
Apr
(4) |
May
(2) |
Jun
(7) |
Jul
(10) |
Aug
(4) |
Sep
(14) |
Oct
|
Nov
(1) |
Dec
(7) |
| 2009 |
Jan
(17) |
Feb
(20) |
Mar
(11) |
Apr
(14) |
May
(8) |
Jun
(3) |
Jul
(22) |
Aug
(9) |
Sep
(8) |
Oct
(6) |
Nov
(4) |
Dec
(8) |
| 2010 |
Jan
(17) |
Feb
(9) |
Mar
(15) |
Apr
(24) |
May
(14) |
Jun
(1) |
Jul
(21) |
Aug
(6) |
Sep
(2) |
Oct
(2) |
Nov
(6) |
Dec
(9) |
| 2011 |
Jan
(11) |
Feb
(1) |
Mar
(3) |
Apr
(4) |
May
|
Jun
|
Jul
(2) |
Aug
(3) |
Sep
(2) |
Oct
(29) |
Nov
(1) |
Dec
(1) |
| 2012 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
(13) |
May
(4) |
Jun
(9) |
Jul
(2) |
Aug
(2) |
Sep
(1) |
Oct
(2) |
Nov
(11) |
Dec
(4) |
| 2013 |
Jan
(2) |
Feb
(2) |
Mar
(4) |
Apr
(13) |
May
(4) |
Jun
|
Jul
|
Aug
(1) |
Sep
(5) |
Oct
(3) |
Nov
(1) |
Dec
(3) |
| 2014 |
Jan
|
Feb
(3) |
Mar
(3) |
Apr
(6) |
May
(8) |
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
(3) |
Nov
(14) |
Dec
(8) |
| 2015 |
Jan
(16) |
Feb
(30) |
Mar
(20) |
Apr
(5) |
May
(33) |
Jun
(11) |
Jul
(15) |
Aug
(91) |
Sep
(23) |
Oct
(10) |
Nov
(7) |
Dec
(9) |
| 2016 |
Jan
(22) |
Feb
(8) |
Mar
(6) |
Apr
(23) |
May
(38) |
Jun
(29) |
Jul
(43) |
Aug
(43) |
Sep
(18) |
Oct
(8) |
Nov
(2) |
Dec
(25) |
| 2017 |
Jan
(38) |
Feb
(3) |
Mar
(1) |
Apr
|
May
(18) |
Jun
(2) |
Jul
(16) |
Aug
(2) |
Sep
|
Oct
(1) |
Nov
(4) |
Dec
(14) |
| 2018 |
Jan
(15) |
Feb
(2) |
Mar
(3) |
Apr
(5) |
May
(8) |
Jun
(12) |
Jul
(19) |
Aug
(16) |
Sep
(8) |
Oct
(13) |
Nov
(15) |
Dec
(10) |
| 2019 |
Jan
(9) |
Feb
(3) |
Mar
|
Apr
(2) |
May
|
Jun
(1) |
Jul
|
Aug
(5) |
Sep
(5) |
Oct
(12) |
Nov
(4) |
Dec
|
| 2020 |
Jan
(2) |
Feb
(6) |
Mar
|
Apr
|
May
(11) |
Jun
(1) |
Jul
(3) |
Aug
(22) |
Sep
(8) |
Oct
|
Nov
(2) |
Dec
|
| 2021 |
Jan
(7) |
Feb
|
Mar
(19) |
Apr
|
May
(10) |
Jun
(5) |
Jul
(7) |
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(10) |
Dec
(4) |
| 2022 |
Jan
(17) |
Feb
|
Mar
(7) |
Apr
(3) |
May
|
Jun
(1) |
Jul
(3) |
Aug
|
Sep
|
Oct
(6) |
Nov
|
Dec
|
| 2023 |
Jan
|
Feb
(5) |
Mar
(1) |
Apr
(3) |
May
|
Jun
(3) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
(6) |
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2025 |
Jan
|
Feb
|
Mar
(15) |
Apr
(8) |
May
(10) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: <jo...@te...> - 2013-05-21 21:04:57
|
Hello,
From the documentation I would think that the blocked time still keeps
increasing, unless the '-b ' option is given. The IP is blocked, then
released, then blocked for a longer time, etc... Man page on web
site:
"For example, if address A attacks repeatedly and the base blocking
time is 420 seconds, A will be blocked for 420 seconds (7 mins) at
the first abuse, 2*420 (14 mins) the second, 2*2*420 (28 mins) the
third ... and 2^(n-1)*420 the n-th time."
But that's not it. By default an IP will be blacklisted after a few
failed logins. I want it to keep on going instead.
So I've added some debug statements in *pardonBlocked(void *par).
In sshguard 1.15 as downloaded from the web site.
for (pos = 0; pos < list_size(& hell); pos++) {
tmpel = list_get_at(&hell, pos);
/* skip blacklisted hosts (pardontime = infinite/0) */
sshguard_log(LOG_DEBUG, "DEBUG: tmpel->pardontime: %d",
(int)tmpel->pardontime);
if (tmpel->pardontime == 0) continue;
/* process hosts with finite pardon time */
sshguard_log(LOG_DEBUG, "DEBUG: now: %d tmpel->whenlast: %d
tmpel->pardontime: %d ", (int)now, (int)tmpel->whenlast,
(int)tmpel->pardontime);
if (now - tmpel->whenlast > tmpel->pardontime) {
/* pardon time passed, release block */
[ ... ]
This time sshguard was started using the following parameters, to have
short debug cycles. SSHGUARD_DEBUG was also set.
% sshguard -a 30 -p 5 -s 30 -l /var/log/auth.log
Started successfully [(a,p,s)=(30, 5, 30)], now ready to scan.
I've added '-s 30' in the hope that this will provoke the release of
any blocked IP, no matter what.
ssh was used to connect to the device running sshguard, and wrong
passwords repeatedly entered. Always fron the same IP.
After the third batch of failed logins (3 failed logins per batch) the
IP is never released. fw_release() is never executed. It never gets
executed because for some reason tmpel->pardontime, after being 15,
becomes 0, while sshguard still thinks it has to check it out.
Eg. the list used by the pardonBlocked() thread still has something in
it.
In other words, after three failed logis, the IP becomes blacklisted.
This is because the cumulated danger comes to equate the
opts.blacklist_threshold (120 for both) in report_address() and this
makes tempent->pardontime equal to 0.
And this happens because:
#define DEFAULT_BLACKLIST_THRESHOLD (3 * DEFAULT_ABUSE_THRESHOLD)
With DEFAULT_ABUSE_THRESHOLD being 40. The only thing that can change
that is by passing a value using the '-b ' option.
So what I did is to first define DEFAULT_BLACKLIST_THRESHOLD as 0.
Then comment out the check about it right below it. Then I added:
if (opts.blacklist_threshold != 0) {
if (offenderent->cumulated_danger >= opts.blacklist_threshold) {
This works OK for the use I'm concerned with, which is an
ever-increasing blocking time w/o any blacklisting. The '-s ' switch
does not seem to work, though, as I would expect that information
about an IP would be erased after '-s n seconds', if I read the
documentation correctly. In which case, I'm not sure I did.
Let me know if this makes sense, or if I'm totally wrong, or somewhere
in-between.
Thanks !
Some debug messages. There's an error popping a token, but I haven't
paid attention to that.
2nd failed login:
Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
Purging stale attackers.
Offender '10.200.22.27:4' scored 60 danger in 2 abuses.
Blocking 10.200.22.27:4 for >10secs: 30 danger in 2 attacks over 7
seconds (all: 60d in 2 abuses over 59s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:21:35
thishost sshd[3791]: ") Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("PAM")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
DEBUG: tmpel->pardontime: 10
DEBUG: now: 1369149696 tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
DEBUG: now: 1369149699 tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
DEBUG: now: 1369149701 tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
DEBUG: now: 1369149704 tmpel->whenlast: 1369149695
tmpel->pardontime: 10 DEBUG: tmpel->pardontime: 10
DEBUG: now: 1369149707 tmpel->whenlast: 1369149695
tmpel->pardontime: 10 Releasing 10.200.22.27 after 12 seconds.
Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip
3rd failed login:
Offender '10.200.22.27:4' scored 90 danger in 3 abuses.
Blocking 10.200.22.27:4 for >15secs: 30 danger in 2 attacks over 7
seconds (all: 90d in 3 abuses over 128s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:22:43
thishost sshd[4391]: ") Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("PAM")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149764 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149766 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149769 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149772 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149775 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149777 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 DEBUG: tmpel->pardontime: 15
DEBUG: now: 1369149780 tmpel->whenlast: 1369149764
tmpel->pardontime: 15 Releasing 10.200.22.27 after 16 seconds.
Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /s
4th failed login:
Matched address 10.200.22.27:4 attacking service 100, dangerousness 20.
Purging stale attackers.
Blocking 10.200.22.27:4 for >0secs: 30 danger in 2 attacks over 8
seconds (all: 120d in 4 abuses over 198s). Setting environment:
SSHG_ADDR=10.200.22.27;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Run command
"case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s
$SSHG_ADDR -j DROP ;; 6) exec /sbin/ip. Read line from
'/var/log/auth.log'. Starting parse Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:23:53
thishost sshd[4976]: ") Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("PAM")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
DEBUG: tmpel->pardontime: 0
DEBUG: tmpel->pardontime: 0
DEBUG: tmpel->pardontime: 0
Read line from '/var/log/auth.log'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:24:01
thishost CRON[5201]: ") Next token is token SYSLOG_BANNER_PID ()
Now sshguard checks for pardon time in the thread, which is always
repeated:
Stack now 0
DEBUG: tmpel->pardontime: 0
DEBUG: tmpel->pardontime: 0
DEBUG: tmpel->pardontime: 0
DEBUG: tmpel->pardontime: 0
[...]
Read line from '/var/log/auth.log'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 11:25:01
thishost CRON[5737]: ") Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("pam_unix")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
|
|
From: <jo...@te...> - 2013-05-20 19:28:54
|
Hello, This is a basic question about how sshgaurd works. Using the latest version, sshguard does not seems to react on the IP for the 3rd occurence of failed logins. Eg. the '>secs' value becomes 0. I would like a confirmation about the algorithm used by sshguard and how it should behave, it would be much appreciated - thanks ! Here are the log messages: May 16 13:27:53 ruggedrouter sshguard[24946]: Started successfully [(a,p,s)=(50, 420, 600)], now ready to scan. 1st try, OK: May 16 13:28:59 ruggedrouter sshguard[24946]: Blocking 10.200.22.27:4 for >630secs: 50 danger in 4 attacks over 21 seconds (all: 50d in 1 abuses over 21s). 2nd try, blocks for a longer time: May 16 13:44:41 ruggedrouter sshguard[24946]: Blocking 10.200.22.27:4 for >945secs: 50 danger in 5 attacks over 12 seconds (all: 100d in 2 abuses over 963s). 3rd try, block time is now 0. May 16 14:08:07 ruggedrouter sshguard[24946]: Blocking 10.200.22.27:4 for >0secs: 60 danger in 4 attacks over 2 2 seconds (all: 160d in 3 abuses over 2369s). |
|
From: Jeremie Le H. <je...@le...> - 2013-05-03 18:47:12
|
Hey guys,
I'm not subscribed so I hope this mail will go through.
When reading from stdin, this is very probably syslogd(8). But when
logrotate(8) on Linux or newsyslog(8) on *BSD decices to rotate a
logfile, it will send a SIGHUP to syslogd(8) to tell it to close all
its file descriptors and reopen them. This leads sshguard to get an EOF
and shut down itself, thus flushing the blacklist from the firewall.
The problem is that on busy servers, log rotation may happen every hour.
Consequently the blacklist will be flushed at the same frequency,
defeating the whole point of blacklisting.
Cheers,
Index: sshguard.c
===================================================================
--- sshguard.c (revision 238)
+++ sshguard.c (working copy)
@@ -478,9 +478,13 @@
/* finalization routine */
static void finishup(void) {
- /* flush blocking rules */
+ /* flush blocking rules except if we are reading from stdin:
+ * if so we're probably reading syslogd(8) and it will close all its fd
+ * each time a logfile is rotated. On busy servers this may happen hourly,
+ * defeating the whole point of blacklisting. */
sshguard_log(LOG_NOTICE, "Got exit signal, flushing blocked addresses and exiting...");
- fw_flush();
+ if (opts.has_polled_files)
+ fw_flush();
if (fw_fin() != FWALL_OK) sshguard_log(LOG_ERR, "Cound not finalize firewall.");
if (whitelist_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the whitelisting system.");
if (procauth_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the process authorization subsystem.");
--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
|
|
From: Laurent A. <l.a...@fr...> - 2013-04-18 07:22:42
|
Thank you very much Richard. Cheers, Laurent. Le 18/04/2013 00:36, Richard Johnson a écrit : > On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote: >> Thanks Richard. Could you elaborate a bit more please for the pf& >> networking newbbie I am ? > A typical basic pf.conf will say: > > block > pass out > > That blocks with ICMP or TCP RST reply all inbound traffic, except traffic > which matches a state table entry created by the 'pass out' rule (in other > words, replies to connections you make outbound from your system). > > Add anywhere in that rule set: > > block drop in log quick proto tcp from<sshguard> to any > > sshguard will use the<sshguard> table when it finds an IP doing something > it considers unfriendly. > > That rule will silently block all inbound TCP from a bad IP, except for > replies to connections you make outbound from your system. > > For more, see the sshguard.net web site, which refers to the pf > man pages and instructions. > > Good luck! > > > Richard > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis& visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Richard J. <rjt...@sa...> - 2013-04-17 22:36:54
|
On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote: > Thanks Richard. Could you elaborate a bit more please for the pf & > networking newbbie I am ? A typical basic pf.conf will say: block pass out That blocks with ICMP or TCP RST reply all inbound traffic, except traffic which matches a state table entry created by the 'pass out' rule (in other words, replies to connections you make outbound from your system). Add anywhere in that rule set: block drop in log quick proto tcp from <sshguard> to any sshguard will use the <sshguard> table when it finds an IP doing something it considers unfriendly. That rule will silently block all inbound TCP from a bad IP, except for replies to connections you make outbound from your system. For more, see the sshguard.net web site, which refers to the pf man pages and instructions. Good luck! Richard |
|
From: Laurent A. <l.a...@fr...> - 2013-04-17 21:59:16
|
Thanks Richard. Could you elaborate a bit more please for the pf & networking newbbie I am ? Le 17/04/2013 23:12, Richard Johnson a écrit : > On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote: >> Hi, >> >> I am a potential new user of sshguard. It looks appealing. However, I >> wonder if I can mix sshguard with other non ssh pf rules ? > But of course. > > Here's one line from near the start of my approximately 300 line pf.conf: > > block drop in log quick proto tcp from<sshguard> to any \ > label "ssh bruteforce" > > > Richard > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis& visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Richard J. <rjt...@sa...> - 2013-04-17 21:44:30
|
On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote: > Hi, > > I am a potential new user of sshguard. It looks appealing. However, I > wonder if I can mix sshguard with other non ssh pf rules ? But of course. Here's one line from near the start of my approximately 300 line pf.conf: block drop in log quick proto tcp from <sshguard> to any \ label "ssh bruteforce" Richard |
|
From: Jo R. <jr...@ne...> - 2013-04-17 17:14:25
|
Look at "fail2ban" which has plugins for many different logfiles. On Apr 17, 2013, at 8:52 AM, Laurent Alebarde <l.a...@fr...> wrote: > I am a potential new user of sshguard. It looks appealing. However, I wonder if I can mix sshguard with other non ssh pf rules ? > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter_______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users -- Jo Rhett Net Consonance : net philanthropy to improve open source and internet projects. Author of Instant Puppet 3 Starter: http://www.netconsonance.com/instant-puppet-3-starter-book-homepage/ |
|
From: Laurent A. <l.a...@fr...> - 2013-04-17 15:53:06
|
Hi, I am a potential new user of sshguard. It looks appealing. However, I wonder if I can mix sshguard with other non ssh pf rules ? |
|
From: Henry Y. <he...@Ae...> - 2013-04-13 17:12:54
|
On Fri, Apr 12, 2013 at 11:07:45AM +0100, Paco Hope wrote: > 12-Apr-2013 21:49:57.806 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied > > A bit of research suggests that this is probably logged when someone is > trying to exploit this vulnerability: > https://www.isc.org/software/bind/advisories/cve-2012-5166 The queries against isc.org are almost certainly part of the world-wide DDoS DNS amplification attack (see cloudfare, spamhaus, etc.). Although sshguard could be used to block these, it's better to make sure your DNS server doesn't respond to these at all; the attack isn't against your DNS server but rather against the system whose IP address to which your server would otherwise respond. |
|
From: Paco H. <pa...@pa...> - 2013-04-12 22:30:40
|
Hi all, I noticed a bunch of log messages in my bind server logs that look like this: 12-Apr-2013 21:32:05.692 security: client 117.197.202.83#4762 (ns.nova.org): query (cache) 'ns.nova.org/A/IN' denied 12-Apr-2013 21:32:06.707 security: client 117.197.202.83#4774 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied 12-Apr-2013 21:40:02.704 security: client 190.34.213.4#2029 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied 12-Apr-2013 21:40:08.385 security: client 190.79.216.111#1075 (mp1.mail.nova.org): query (cache) 'mp1.mail.nova.org/A/IN' denied 12-Apr-2013 21:47:55.083 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied 12-Apr-2013 21:47:58.911 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied 12-Apr-2013 21:48:54.411 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied 12-Apr-2013 21:48:57.818 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied 12-Apr-2013 21:49:53.984 security: client 69.197.42.102#14705 (isc.org): query (cache) 'isc.org/ANY/IN' denied 12-Apr-2013 21:49:57.806 security: client 69.197.42.102#43120 (isc.org): query (cache) 'isc.org/ANY/IN' denied A bit of research suggests that this is probably logged when someone is trying to exploit this vulnerability: https://www.isc.org/software/bind/advisories/cve-2012-5166 Seems to me we could use these to block hosts as well. Any thoughts? Regards, Paco |
|
From: Mike L. <ml...@gm...> - 2013-04-07 16:44:37
|
Hacking around in the code, it looks like there are a couple of things
mangling the scanner:
1) It chokes on the "<Error>:" term and doesn't scan the rest of the line.
2) It use the word "via" instead of "from".
I don't much know my way around lex, so I'm pretty much shooting in the
dark.
This patch at least recognizes an attack, but it seems to attribute it to
*MY* IP address. It seesm to grab the address after the "via" instead of
the "from" and think that is the attacker.
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 45e7c22..1123bf3 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -107,7 +107,7 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
*/
/* handle entries with PID and without PID from processes other than
sshguard */
-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[
]+{PROCESSNAME}"["{NUMBER}"] "{SOLARIS_MSGID_TAG}? {
/* extract PID */
yylval.num = getsyslogpid(yytext, yyleng);
return SYSLOG_BANNER_PID;
@@ -145,6 +145,9 @@ IPV4MAPPED6
((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0
/* wrong password for valid user @ FreeBSD, Debian */
"error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user
")?.+" from " { return SSH_LOGINERR_PAM; }
+ /* wrong password for valid user @ OS X 10.8.x */
+"<Error>: error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal
user ")?.+" via " { return SSH_LOGINERR_PAM; }
+
/* SSH: reverse mapping "possible break-in attempt!" */
"reverse mapping checking getaddrinfo for "[^\[]*"[" {
BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; }
<ssh_reversemap>"] ".*"POSSIBLE BREAK-IN ATTEMPT!" {
BEGIN(INITIAL); return SSH_REVERSEMAP_SUFF; }
|
|
From: Mike L. <ml...@gm...> - 2013-04-07 16:26:15
|
Does anyone have any patches available to make SSHGuard work on Mountain Lion? The syslog entry for a failed ssh attempt seems to be: Apr 7 09:23:37 myhost.sample.com sshd[40585] <Error>: error: PAM: authentication error for root from attacker.sample.com via 192.168.1.10 In testing, no matter how many times I fail the login attempt, my test machine never gets blocked. I built with: ./configure --with-firewall=pf |
|
From: Mij <mi...@ss...> - 2013-04-03 18:26:46
|
Hello Charles, Correct, SSHGuard does not support Postfix ATM. Please submit your attack strings here, and we'll add them next round: http://www.sshguard.net/support/attacks/submit/ You can find a synthesized list of supported patterns here: http://www.sshguard.net/docs/reference/attack-signatures/ On Apr 2, 2013, at 01:00 , Charles Sprickman wrote: > Hello, > > I've been using sshguard with sshd for ages. I'm starting to get a bit > cheezed-off with all the smtp-auth guessing going on, but I'm not seeing > Postfix as a supported option. Is this correct? > > Thanks, > > Charles > > ------------------------------------------------------------------------------ > Own the Future-Intel® Level Up Game Demo Contest 2013 > Rise to greatness in Intel's independent game demo contest. > Compete for recognition, cash, and the chance to get your game > on Steam. $5K grand prize plus 10 genre and skill prizes. > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Jo R. <jr...@ne...> - 2013-04-01 23:50:31
|
Look at fail2ban, where you can monitor many services and correlate attacks between then. On Apr 1, 2013, at 4:00 PM, Charles Sprickman <sp...@bw...> wrote: > I've been using sshguard with sshd for ages. I'm starting to get a bit > cheezed-off with all the smtp-auth guessing going on, but I'm not seeing > Postfix as a supported option. Is this correct? > > Thanks, > > Charles > > ------------------------------------------------------------------------------ > Own the Future-Intel® Level Up Game Demo Contest 2013 > Rise to greatness in Intel's independent game demo contest. > Compete for recognition, cash, and the chance to get your game > on Steam. $5K grand prize plus 10 genre and skill prizes. > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users -- Jo Rhett Net Consonance : net philanthropy to improve open source and internet projects. |
|
From: Charles S. <sp...@bw...> - 2013-04-01 23:18:44
|
Hello, I've been using sshguard with sshd for ages. I'm starting to get a bit cheezed-off with all the smtp-auth guessing going on, but I'm not seeing Postfix as a supported option. Is this correct? Thanks, Charles |
|
From: Douglas D. <do...@sa...> - 2013-03-30 01:08:29
|
|
From: Douglas D. <do...@sa...> - 2013-03-30 01:07:57
|
|
From: WarnerJan V. <war...@qp...> - 2013-03-07 10:53:59
|
Hello list, My Dovecot server is getting hammered with dictionary logins. I can't get SSHGuard to block these. I can confirm SSHGuard is working since all the SSH attempts get properly blocked. I can see their IP's in iptables -nL. In /var/log/auth.log are hundreds of these lines: Mar 7 10:28:51 XXX dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=190.15.174.126 user=root I find similar lines in /var/log/syslog (but I don't feed that logfile to the LogSucker, should I??) Mar 7 10:29:23 xxx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=190.15.174.126, lip=X.X.X.X This is the line that starts SSHGuard in init.d/sshguard: /usr/local/sbin/sshguard -l /var/log/mail.info -l /var/log/auth.log -w /etc/sshguard_whitelist > /dev/null 2>&1 & What more should I do that have SSHGuard catch the dovecot attempts? (Running Debian 6, Dovecot 1.2.15, SSHGuard 1.5.0) Cheers! WarnerJan |
|
From: Douglas D. <dt...@gm...> - 2013-03-03 00:07:00
|
I put sshguard on our mail server using inetd as a backend. The default install works very well. Tens of thousands of logins are reduced to a few dozen daily. Occasionally an attack is missed as shown: Mar 2 06:01:47 myhost sshd[74730]: Invalid user magazine from 219.92.5.182 Mar 2 06:01:48 myhost sshd[74732]: Invalid user magazine from 219.92.5.182 Mar 2 06:01:48 myhost sshguard[62471]: Offender '219.92.5.182:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted. Mar 2 06:01:49 myhost sshguard[62471]: Blocking 219.92.5.182:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s). Mar 2 06:01:50 myhost sshd[74737]: refused connect from usj-5-182.tm.net.my(219.92.5.182) Mar 2 06:01:49 myhost sshd[74736]: refused connect from usj-5-182.tm.net.my(219.92.5.182) Mar 2 06:02:35 myhost sshd[74782]: Invalid user oracle from 61.142.106.34 Mar 2 06:02:40 myhost sshd[74792]: Invalid user oracle from 61.142.106.34 Mar 2 06:04:59 myhost sshd[75023]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:01 myhost sshd[75026]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:03 myhost sshd[75037]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:06 myhost sshd[75039]: Invalid user bwadmin from 61.142.106.34 Mar 2 06:05:10 myhost sshd[75047]: Invalid user cacti from 61.142.106.34 Mar 2 06:05:12 myhost sshd[75049]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:14 myhost sshd[75053]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:16 myhost sshd[75057]: Invalid user oracle from 61.142.106.34 Mar 2 06:05:19 myhost sshd[75059]: Invalid user bwadmin from 61.142.106.34 Mar 2 06:05:24 myhost sshd[75063]: Invalid user cacti from 61.142.106.34 I see no reason 61.142.106.34 was not blocked unless it is a timing issue reading the logs but 06:01:50 --> 06:02:35 seems like a long time. 61.142.106.34 tried 12 logins My other though was there was enough time between the first two attempts and the remaining 10 so that 61.142.106.34 was deemed to be okay. Alias my c is not good enough to figure that out from the code. Thanks for any thoughts on this. |
|
From: Samuel P. <em...@em...> - 2013-02-12 15:04:15
|
Hi, i am trying to figure out the correct way to permanently ban a blocked address by sshguard. i have googled and read the man page which seems the -p flag can do this but i dont understand the format to permanently block. Does anybody have an example? Thanks |
|
From: Brian P. <bri...@bo...> - 2013-02-11 21:46:36
|
Hello, I'm finding that some break in attempts are being missed by sshguard while others aren't. I'm seeing: Feb 11 00:00:53 server1 sshd[57146]: Invalid user www-data from 121.197.3.180 Feb 11 00:00:53 server1 sshd[57147]: Address 121.197.3.180 maps to ip197.hichina.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! This IP isn't blocked and occurs hundreds of times. But lines like: Feb 11 13:35:36 server1 sshd[10749]: Invalid user a from 121.125.73.22 Feb 11 13:35:36 server1 sshd[10750]: Invalid user a from 121.125.73.22 Feb 11 13:35:37 server1 sshd[10751]: Invalid user a from 121.125.73.22 Feb 11 13:35:37 server1 sshd[10752]: Invalid user a from 121.125.73.22 Does result in a block sshguard 1.5.0 on FreeBSD 8.0 RELEASE. In interactive mode it appears that sshguard is reading both lines as one. Thanks, Brian |
|
From: Mij <mi...@ss...> - 2013-01-18 00:42:38
|
Hi Benedikt, > 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s). > So what does the "40 danger" mean in this context and what is it derived from? The attack performed 4 times by the attacker had danger 10. So danger 40 was scored, and the "abuse" threshold was reached. This attacker was blocked for the first time, so it historically scored 40 danger in 1 abuse. For more details see http://www.sshguard.net/docs/terminology/ michele |
|
From: Benedikt B. <ma...@be...> - 2013-01-16 19:20:39
|
Hi, I searched all the man pages and documentation on the website but could't really find some information on how to understand the log messages that sshguard writes if it blocks some attack. When there is something blocked, there is a message like <timestamp> <hostname> sshguard[1767]: Blocking <attacker IP> for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s). So what does the "40 danger" mean in this context and what is it derived from? Am I right to say that the part in parentheses means that this IP has overall caused 40 danger points (wherever they may come from) with one abusive attempt within 9 seconds? Tanks for some answers or help. Greetz Benedikt |
|
From: Mij <mi...@ss...> - 2012-12-10 10:13:08
|
Moin Harald, Thanks for reporting this. The hosts backend code is very old and I'm not sure when this change occurred. Editing via /tmp is definitely the way to go. We'll fix this in the next sprint. m On Dec 9, 2012, at 17:22 , Harald Schmalzbauer <h.s...@om...> wrote: > Hello, > > thanks a lot for that nifty tool! > I've bin using it for quiet some time. > Very often, I have jails which are read-only / mounted. /etc/hosts.allow > is then a symlink somehere into /var (which is writable). > This has been working fine with older versions of sshguard, but it > stopped working with version 1.6 for me. Not sure if that's really the > first version where the behaviour changed though. > > sshguard want's to create a temporary file inside /etc reflecting the pid: > "Could not create temporary file /etc/hosts.allow-sshguard.4020" > > Why doesn't it use TMPDIR? > > Any hint's where to work arround that in the code? > > Thanks, > > -Harry (not subscribed!) > > ------------------------------------------------------------------------------ > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support > Improve your efficiency, and focus on delivering more value-add services > Discover what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d_______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
2 messages has been excluded from this view by a project administrator.
