sshguard-users — User questions and answers, bugs, and general support

[Sshguard-users] Blocking root user logins

[William M. <wm...@be...>]

I always set
PermitRootLogin no
in my sshd_config.

Is there a way to block attempts to connect as root after
2 or 3 tries? That would get rid of half of the attacks on my
systems.

-- 
William Meigs
Beyond Management LLC

[Sshguard-users] Error parsing hostnames with 'ssh' in them

[jason <ja...@in...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I installed sshguard on a machine named 'sshbox' and found that it
failed parsing the syslog entry.  Changing the hostname to something
without 'ssh' in it allowed sshguard to function normally.


root@sshbox:~# sshguard -v
sshguard 1.5.0

Copyright (c) 2007,2008 Mij <mi...@ss...>
This is free software; see the source for conditions on copying.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQEBDiAAoJEFBPX7xqwa0X9eAIAIXAdX+rbfgTYj1ozABRsT62
iMU089KPTOBkdPBS1PMYMGiD6mauU0z68lS1I0kDE9GqxbYJjLzf83+IzUNDJ5Ly
NgNxym4SkjdpSEkD76MBbMxhDcJU/wUdLGPfT7B+nJxqVQqoYFu5E/dhVJC8NK8I
+ozUq/kO5RMtNEBzROuCoSUxihH0tGqTetkBg+XfPVIhfpX787pLGykQ56FWbZ1m
yyt6Rsa16hBPmHh/4UhIgaK6zcJRQ6gNwUtMGhOZhxesm0+VQKmFk/CaOTkIIkLs
GwM13BBNKmGHATpF8t6T4IPEvumrHTXkkgN6b1WJWI/WDtsgHEIOGUEbXvhsf3Q=
=4R9/
-----END PGP SIGNATURE-----

Re: [Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.

[Henry Y. <he...@Ae...>]

On Sun, Jun 24, 2012 at 18:03:28PM -0600, Richard Johnson wrote:
> The quick patch here fixes the recognition problem if I do a direct
> paste of the truncated 'invalid user staff from 122.70.128.5' portion
> into sshguard when it is running in debug mode.

Instead of adding a separate lower-case pattern:

   "Invalid user ".+" from "
   "invalid user ".+" from "

you should be able to specify a case-insensitive pattern:

   (?i:i)"nvalid user ".+" from "

(This is from the linux documentation for "flex" (which is the
flavor of "lex" used in many/most linux systems); I'd assume that
you're unlikely to still be using the original "lex".  I'm no
expert at lex, by the way, but I've used the case-insensitve
option successfully in my own custom patterns.)

> But that patch does not fix the recognition of the pattern within the
> longer lines when running 'sshguard -l /var/log/authlog'.
> 
> It also does not fix recognition of even the truncated portion of the
> line mentioned above when it's appended to a separate log file and
> watched with 'sshguard -l /tmp/truncatedtest'.

For that, I don't know...

-- 
Henry Yen <Hen...@Ae...>               Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
(800) AEGIS-00 x949                             1-800-AEGIS-00 (800-234-4700)

Re: [Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.

[Richard J. <rjt...@sa...>]

On Sun, Jun 24, 2012 at 06:03:28PM -0600, Richard Johnson wrote:
> But that patch does not fix the recognition of the pattern within the
> longer lines when running 'sshguard -l /var/log/authlog'.

This looks to be a timestamp issue rather than a more general parsing
problem on the longer lines.

When I feed the log messages a couple per second with accurate timestamps,
sshguard picks up on the simulated brute forcing.

It appears that the patch for allowing a lower case 'i' on 'invalid user'
has given me a working sshguard for ssh brute forcing of nonexistent
users on OpenBSD 5.1.


Richard

[Sshguard-users] sshguard 1.5 not recognizing invalid user log messages from sshd on OpenBSD.

[Richard J. <rjt...@sa...>]

sshguard 1.5 is not recognizing messages in /var/log/authlog from sshd
on an OpenBSD 4.9 or 5.1 system [1] as containing an attack signature.

Apparently, it's been a problem since at least OpenBSD 4.8, per:
http://sourceforge.net/mailarchive/forum.php?thread_name=AE3E9B9A-6376-4572-ACF9-128256676CD9%40sshguard.net&forum_name=sshguard-users

Example messages in /var/log/authlog:

Jun  9 21:46:07 green sshd[28212]: Failed password for invalid user staff from 122.70.128.5 port 35686 ssh2
Jun  9 21:46:07 green sshd[28212]: input_userauth_request: invalid user staff [preauth]
Jun  9 21:46:09 green sshd[19052]: Failed password for invalid user sales from 122.70.128.5 port 37580 ssh2
Jun  9 21:46:09 green sshd[19052]: input_userauth_request: invalid user sales [preauth]
Jun  9 21:46:11 green sshd[16201]: Failed password for invalid user recruit from 122.70.128.5 port 39886 ssh2
Jun  9 21:46:11 green sshd[16201]: input_userauth_request: invalid user recruit [preauth]

Your attack pattern web docs say sshguard is looking for the form:
	Invalid user inexu from 6.6.6.0
and attack_patternsl.l indeed lists an insistence for uppercase 'I' on
the word invalid:
	"Invalid user ".+" from"

The quick patch here fixes the recognition problem if I do a direct
paste of the truncated 'invalid user staff from 122.70.128.5' portion
into sshguard when it is running in debug mode.

--- src/parser/attack_scanner.l.orig	Wed Feb  9 05:01:47 2011
+++ src/parser/attack_scanner.l	Sun Jun 24 17:07:02 2012
@@ -128,6 +128,8 @@
 
  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
 "Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
+ /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
+"invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
 "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }


But that patch does not fix the recognition of the pattern within the
longer lines when running 'sshguard -l /var/log/authlog'.

It also does not fix recognition of even the truncated portion of the
line mentioned above when it's appended to a separate log file and
watched with 'sshguard -l /tmp/truncatedtest'.

Still, am I at least heading in the right direction?  Is there other
parsing that is too specific to match those sshd authlog entries? 
Thanks!


Richard

-------
[1]
sshd on OpenBSD 5.1:	OpenSSH_6.0, OpenSSL 1.0.0f 4 Jan 2012
sshd on OpenBSD 4.9:	OpenSSH_5.6, OpenSSL 0.9.8k25 Mar 2009

-------
PS - sourceforge mailing list subscription finally came through after I
put the above info here as well:
http://www.sshguard.net/support/submission/detail/37ce7e8f4d7cc1cf7af6/

Re: [Sshguard-users] Patch: windows login and dovecot/pop3

[Fritz Z. <za...@oe...>]

On Fri, 8 Jun 2012, Mij wrote:

> On Jun 5, 2012, at 14:35 , Fritz Zaucker wrote:
>
>> the following patch applied to sshguard 1.5 does
>>
>> a) extend MAX_LOGFILE_LEN to 2000 needed for b)
>> b) recognizes a certain type of Windows Terminal Server 2008 login failure
>> c) recognizes both dovecot imap AND pop3 login attempts
>
> Thank ya

Welcome.

>> Works for me, your mileage might vary. Especially for b) I'd expect
>> "localization", because the Windows messages might appear in different
>> languages.
>
> OMG.
>
> Can anybody check and confirm that Windows localization affects windows
> service logging? Even if that's the case, we'll just go Occam's razor.

It's just a suspicion as we have another Windows Systems logging in German.

>> P.S.: It might be useful to have a HOWTO for adding new attack patterns
>>       (until the next official version of sshguard is published). I am
>>       not really sure if I did it the way it is supposed to be done.
>
> The official howto is:
> Submit on http://www.sshguard.net/support/attacks/submit/ and be patient.

That is a nice offer, however, in an operational environment it is not
feasible to not do something about breakin attempts for a longer time period
if a nice tool is available.

> Adding patterns DYI is fairly simple for programmers, the hardest parts
> are:

> 1) detecting patterns portably across different versions of the OS or
>    daemon

That is something that can of course best be accomblished by you with as
much input from other sites as possible.

> 2) building patterns robust to pumping.
> 3) keeping up the quality of symbol names

I agree that for these reasons it's best that more patterns are introduced
by you.

> You mostly did a good job.

Thanks. What should I have done differently?


I still think that it could be helpful to have a short explanation for
programmers (what to add in which files, what to look out for), as you might
get more input that you then can consolidate.

But as sshguard is cleanly implemented, with some "reverse engineering" and
looking at another patch on the mailing list it was possible to put in the
most urgent patterns in our environment.

> Can you elaborate _which_ services this pattern addresses (e.g.  process
> names), or what detailed event causes them to show up?

I guess, patch c) is clear? Dovecot does provide a pop3 service in addition
to the (probably more used) imap service. The do log failed login attempts
slightly differently and thus need a different pattern for matching (perhaps
it would be better to have two different patterns?).

Patch b) recognizes failed remote login attempts to a Windows 2008
terminal server with the RDP protocol. As I said, I am not sure how generic
this pattern is.

Patch a) is needed as the Windows messages are longer than the 1000
characters defined in sshguard.c.

Cheers,
Fritz

-- 
Oetiker+Partner AG		tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

Re: [Sshguard-users] Patch: windows login and dovecot/pop3

[Mij <mi...@ss...>]

On Jun 5, 2012, at 14:35 , Fritz Zaucker wrote:

> the following patch applied to sshguard 1.5 does
> 
> a) extend MAX_LOGFILE_LEN to 2000 needed for b)
> b) recognizes a certain type of Windows Terminal Server 2008 login failure
> c) recognizes both dovecot imap AND pop3 login attempts

Thank ya


> Works for me, your mileage might vary. Especially for b) I'd expect
> "localization", because the Windows messages might appear in different
> languages.

OMG.

Can anybody check and confirm that Windows localization affects windows
service logging? Even if that's the case, we'll just go Occam's razor.


> P.S.: It might be useful to have a HOWTO for adding new attack patterns
>       (until the next official version of sshguard is published). I am not
>       really sure if I did it the way it is supposed to be done.

The official howto is:
Submit on http://www.sshguard.net/support/attacks/submit/ and be patient.

Adding patterns DYI is fairly simple for programmers, the hardest parts are:
1) detecting patterns portably across different versions of the OS or daemon
2) building patterns robust to pumping.
3) keeping up the quality of symbol names


You mostly did a good job. Can you elaborate _which_ services this pattern
addresses (e.g. process names), or what detailed event causes them to show up?

Re: [Sshguard-users] SSHGuard 1.5.0 on OS X Lion: sshguard cannot write to ipfw

[Bradley G. <pi...@ma...>]

On Jun 5, 2012, at 10:45 AM, Daniel I Golden wrote:

> Hi all,
> 
> I'm using SSHguard 1.5.0 from macports on OS X lion. To test whether ssh guard is working, I've logged onto a different computer and attempted to "break in" to my server by SSHing in with invalid username/password combos. After four invalid attempts, I see this message in system.log (I've redacted hostnames and IP addresses):
> 
> Jun  5 10:29:58 my_hostname sshguard[16887]: Blocking xxx.xxx.xxx.xxx:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: No ALTQ support in kernel
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: ALTQ related functions disabled
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: 1/1 addresses added.
> 
> However, when I list the ipfw rules, nothing is there:
> $ sudo ipfw list
> 65535 allow ip from any to any
> 
> And I can continue to attempt to log in from my other computer.
> 
> sshguard is running as root, as verified by ps:
> 
> [my_user@my_hostname my_username]$ ps aux|grep sshguard
> my_user        17075   0.0  0.0  2434892    572 s001  R+   10:37AM   0:00.00 grep --color sshguard
> root           16998   0.0  0.0  2445088    916   ??  S    10:32AM   0:00.02 /opt/local/sbin/sshguard -l /var/log/system.log -l /var/log/secure.log -w /opt/local/etc/sshguard/whitelist -b 50:/opt/local/var/db/sshguard/blacklist.db -s 3600
> root           16995   0.0  0.0  2435492    832   ??  S    10:32AM   0:00.00 /bin/sh /opt/local/libexec/sshguard/sshguard-options-wrapper
> root           16994   0.0  0.0  2466876   1180   ??  Ss   10:32AM   0:00.00 /opt/local/bin/daemondo --label=sshguard --start-cmd /opt/local/libexec/sshguard/sshguard-options-wrapper ; --pid=exec
> 
> 
> So I don't understand why sshguard isn't writing to ipfw. Can anyone offer any debugging suggestions?

Lion has switched from ipfw to pf for it's firewall. It looks like you are using the MacPorts sshguard port in which case on Lion the port would have configured sshguard to use pf.

I am not familiar enough with pf commands to help further but it looks like pf has a man page.


Regards,
Bradley Giesbrecht (pixilla)

[Sshguard-users] SSHGuard 1.5.0 on OS X Lion: sshguard cannot write to ipfw

[Daniel I G. <dgo...@st...>]

Hi all,

I'm using SSHguard 1.5.0 from macports on OS X lion. To test whether ssh
guard is working, I've logged onto a different computer and attempted to
"break in" to my server by SSHing in with invalid username/password combos.
After four invalid attempts, I see this message in system.log (I've
redacted hostnames and IP addresses):

Jun  5 10:29:58 my_hostname sshguard[16887]: Blocking xxx.xxx.xxx.xxx:4 for
>630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over
6s).
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: No ALTQ support
in kernel
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: ALTQ related
functions disabled
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: 1/1 addresses
added.

However, when I list the ipfw rules, nothing is there:
$ sudo ipfw list
65535 allow ip from any to any

And I can continue to attempt to log in from my other computer.

sshguard is running as root, as verified by ps:

[my_user@my_hostname my_username]$ ps aux|grep sshguard
my_user        17075   0.0  0.0  2434892    572 s001  R+   10:37AM
0:00.00 grep --color sshguard
root           16998   0.0  0.0  2445088    916   ??  S    10:32AM
0:00.02 /opt/local/sbin/sshguard -l /var/log/system.log -l
/var/log/secure.log -w /opt/local/etc/sshguard/whitelist -b
50:/opt/local/var/db/sshguard/blacklist.db -s 3600
root           16995   0.0  0.0  2435492    832   ??  S    10:32AM
0:00.00 /bin/sh /opt/local/libexec/sshguard/sshguard-options-wrapper
root           16994   0.0  0.0  2466876   1180   ??  Ss   10:32AM
0:00.00 /opt/local/bin/daemondo --label=sshguard --start-cmd
/opt/local/libexec/sshguard/sshguard-options-wrapper ; --pid=exec


So I don't understand why sshguard isn't writing to ipfw. Can anyone offer
any debugging suggestions?

Thank you!
Dan

[Sshguard-users] Patch: windows login and dovecot/pop3

[Fritz Z. <fri...@oe...>]

Hi,

the following patch applied to sshguard 1.5 does

a) extend MAX_LOGFILE_LEN to 2000 needed for b)

b) recognizes a certain type of Windows Terminal Server 2008 login failure

c) recognizes both dovecot imap AND pop3 login attempts

Works for me, your mileage might vary. Especially for b) I'd expect
"localization", because the Windows messages might appear in different
languages.

Obviously, it would be cool if this could be included into the next version.

Cheers,
Fritz

P.S.: It might be useful to have a HOWTO for adding new attack patterns
       (until the next official version of sshguard is published). I am not
       really sure if I did it the way it is supposed to be done.


--- sshguard-1.5/src/sshguard.c	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/sshguard.c	2012-06-05 11:33:25.000000000 +0200
@@ -56,7 +56,7 @@

  #include "sshguard.h"

-#define MAX_LOGLINE_LEN     1000
+#define MAX_LOGLINE_LEN     2000

  /* switch from 0 (normal) to 1 (suspended) with SIGTSTP and SIGCONT respectively */
  int suspended;
--- sshguard-1.5/src/sshguard_services.h	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/sshguard_services.h	2012-06-05 11:02:03.000000000 +0200
@@ -62,4 +62,9 @@

  /* vsftpd */
  #define SERVICES_VSFTPD                 330
+
+/* windows */
+#define SERVICES_WINDOWS                340
+
  #endif
+
--- sshguard-1.5/src/parser/attack_parser.y	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/parser/attack_parser.y	2012-06-01 20:41:45.000000000 +0200
@@ -91,6 +91,8 @@
  %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
  %token SSH_REVERSEMAP_PREF SSH_REVERSEMAP_SUFF
  %token SSH_NOIDENTIFSTR SSH_BADPROTOCOLIDENTIF
+/* windows */
+%token WINDOWS_LOGINERR_PREF WINDOWS_LOGINERR_SUFF
  /* dovecot */
  %token DOVECOT_IMAP_LOGINERR_PREF DOVECOT_IMAP_LOGINERR_SUFF
  /* uwimap */
@@ -167,6 +169,7 @@

  msg_single:
      sshmsg              {   parsed_attack.service = SERVICES_SSH; }
+    | windowsmsg        {   parsed_attack.service = SERVICES_WINDOWS; }
      | dovecotmsg        {   parsed_attack.service = SERVICES_DOVECOT; }
      | uwimapmsg         {   parsed_attack.service = SERVICES_UWIMAP; }
      | cyrusimapmsg      {   parsed_attack.service = SERVICES_CYRUSIMAP; }
@@ -296,6 +299,11 @@
      DOVECOT_IMAP_LOGINERR_PREF addr DOVECOT_IMAP_LOGINERR_SUFF
      ;

+/* attack rules for windows */
+windowsmsg:
+    WINDOWS_LOGINERR_PREF addr WINDOWS_LOGINERR_SUFF
+    ;
+
  /* attack rules for UWIMAP */
  uwimapmsg:
      UWIMAP_LOGINERR '[' addr ']'
--- sshguard-1.5/src/parser/attack_scanner.l	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/parser/attack_scanner.l	2012-06-05 12:05:14.000000000 +0200
@@ -69,8 +69,10 @@
  %s dovecot_loginerr  cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
   /* for FTP services */
  %s freebsdftpd_loginerr  proftpd_loginerr  pureftpd_loginerr vsftpd_loginerr
+ /* for Windows */
+%s windows_loginerr

-
+IMAPORPOP3  (imap|pop3)
  MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
  DAYNO       [1-9][0-9]?
  HOUR        (0|1)[0-9]|2[0-4]
@@ -167,7 +169,7 @@
  <sendmail_relaydenied>"]"                                       { BEGIN(INITIAL); return SENDMAIL_RELAYDENIED_SUFF; }

   /* dovecot */
-"imap-login: Aborted login (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
+{IMAPORPOP3}"-login: ".+" (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
  <dovecot_loginerr>", lip=".+                                        { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; }

   /* UWimap login errors */
@@ -196,6 +198,10 @@
  .+"FAIL LOGIN: Client \""                                       { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; }
  <vsftpd_loginerr>"\""                                           { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; }

+ /* Windows: login error */
+{NUMBER}": An account failed to log on.".+" Source Network Address: " { BEGIN(windows_loginerr); return WINDOWS_LOGINERR_PREF; }
+<windows_loginerr>" Source Port: ".+                                  { BEGIN(INITIAL); return WINDOWS_LOGINERR_SUFF; }
+
   /**         COMMON-USE TOKENS       do not touch these          **/
   /* an IPv4 address */
  {IPV4}                                                          { yylval.str = yytext; return IPv4; }


-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

[Sshguard-users] FYI: FreeBSD jail host system ipfw protection - example

[Rick v. d. Z. <in...@ri...>]

As a little addition to the excellent FAQ entry:

`` If you control the host system as well, you can run a single SSHGuard
from it and let it monitor the log files of all jails. SSHGuard will
monitor the
activity of the jails, but operate the firewall from the host.
'' source: http://www.sshguard.net/docs/faqs/#sshguard-in-jail

I have implemented this like this on the FreeBSD jail host system.

1) Installed security/sshguard-ipfw and enabled the firewall.

2) The startup script is included below (not sure if the mailing-list
accepted attachments).

3) My system has jails in /usr/jail/<name>, which I like to included
dynamically. So in /etc/rc.conf:
  sshguard_enable="YES"
  sshguard_flags="`ls /usr/jail/*/var/log/auth.log | xargs -n1 echo
'-l ' | xargs`"

Br. /Rick

cat <<'EOF' > /usr/local/etc/rc.d/sshguard
#!/bin/sh
#
# FreeBSD rc.d style startup start for running sshguard daemon
#
# Rick van der Zwet <in...@ri...>
#

# PROVIDE: sshguard
# REQUIRE: ssh

. /etc/rc.subr

# Set defaults
: ${sshguard_enable:="NO"}
: ${sshguard_flags:=""}

name=sshguard
rcvar=`set_rcvar`

pidfile=${sshguard_pidfile:-"/var/run/${name}.pid"}
command="/usr/local/sbin/${name}"
command_args="-i ${pidfile} ${sshguard_flags} &"

extra_commands="suspend continue"

suspend_cmd=suspend_cmd
continue_cmd=continue_cmd

suspend_cmd()
{
  kill -s SIGTSTP $pidfile
}

continue_cmd()
{
  kill -s SIGCONT $pidfile
}

load_rc_config $name

run_rc_command "$1"
'EOF'

-- 
http://rickvanderzwet.nl

Re: [Sshguard-users] Risk of DoS attacks?

[Fritz Z. <za...@oe...>]

On Thu, 31 May 2012, Mij wrote:

>> I am wondering about the potential of DoS attacks on sshguard protected
>> servers. For example, if an attacker is sitting behind a NAT gateway, an
>> attack would block everybody behind that gateway, wouldn't it?
>
> If Mallory sits behind a NAT that Alice uses, then Alice will be blocked too.
>
> This is unavoidable, and this makes sense: the NAT provider is responsible
> for all of users behind it.
>
> Unless Mallory keeps attacking, SSHGuard's touchiness guarantees that early
> and sparse attacks will affect the address(es) for very limited time.
> Repeated attacks will last more, but the network operator is expected to become
> aware of that by then.

Thanks for confirming what I was thinking.

For our application we decided to configure sshguard/iptables so that the
http and https ports are not blocked so that at least our website (with
contact information) is still reachable by Alice.

Cheers,
Fritz

-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

Re: [Sshguard-users] Risk of DoS attacks?

[Mij <mi...@ss...>]

> I am wondering about the potential of DoS attacks on sshguard protected
> servers. For example, if an attacker is sitting behind a NAT gateway, an
> attack would block everybody behind that gateway, wouldn't it?

If Mallory sits behind a NAT that Alice uses, then Alice will be blocked too.

This is unavoidable, and this makes sense: the NAT provider is responsible
for all of users behind it.

Unless Mallory keeps attacking, SSHGuard's touchiness guarantees that early
and sparse attacks will affect the address(es) for very limited time.
Repeated attacks will last more, but the network operator is expected to become
aware of that by then.


> P.S.: Thanks to the sshguard team for making sshguard available!

cheers
michele

[Sshguard-users] Risk of DoS attacks?

[Fritz Z. <fri...@oe...>]

Hi,

I am wondering about the potential of DoS attacks on sshguard protected
servers. For example, if an attacker is sitting behind a NAT gateway, an
attack would block everybody behind that gateway, wouldn't it?

Cheers,
Fritz

P.S.: Thanks to the sshguard team for making sshguard available!

-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

[Sshguard-users] sshguard ignoring entries from unnamed hosts

[Charles S. <sp...@bw...>]

This is an odd one.  I use sshguard in FreeBSD jails quite often by having the jail send all auth.info to the host.  This generally works well, but a recent new install showed that a ton of brute-force attacks were being logged but sshguard was not acting on them.  After playing around with debug mode, I found this that it's due to the logfile containing the jail's IP rather than hostname.

ignored:

Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 21 18:35:54 10.88.77.22 sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 213 ("May 21 18:35:54")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0

valid:

May 21 18:35:54 foo sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 18:35:54 foo sshd[39330]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
[…]
Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address x.x.x.x:4 attacking service 100, dangerousness 10.

I can fix this in /etc/hosts, but why would sshguard not accept the first form by default?  I generally don't bother with dns on the internal networks.

Thanks,

Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bw... - 212.982.9800

[Sshguard-users] Sshquard-pf does not pickup the ftp log.

[Ian N. <IA...@fu...>]

Ok,
I've solved the problem. Vsftpd needs to be configured to log the
connection failures using the syslog FTP logging path. For future
reference, VSFTPD needs to be configured with the xferlog_enable option
set to YES and the xferlog_std_format setting set to NO.

[Sshguard-users] Sshquard-pf does not pickup the ftp log.

[Ian N. <IA...@fu...>]

We're trying to use sshguard-pf version 1.5.0 with vsftpd on FreeBSD
8.2. It's blocking invalid users using ssh, but it does not appear to
block any FTP traffic.

Vsftpd is writing to the default /var/log/xferlog and using the
xferlog_std_format setting. We have confirmed that the connection
attempts are being logged to the file.

The sshguard syslog entry looks like this:

auth.info;authpriv.info;ftp.info     |exec /usr/local/sbin/sshguard -a 1

Auth.info;authpriv.info	    /var/log/auth.log
ftp.info                    /var/log/xferlog


When we pass an invalid user connection attempt string from the
/var/log/xferlog file to sshguard in debug mode it does process it and
add the address to the pf table, but does not appear to be reading the
/var/log/xferlog file, only the auth.log.

Any suggestions?
Thanks.

Re: [Sshguard-users] Email notification, when host is banned

[Mij <mi...@ss...>]

Hi Mika,

> Is it possible to set SSHGuard to send email notifications when host
> is banned? Something like what sudo always sends when user isn't on
> sudoers file.

For the sshguard part:
This has been in TODO for over a year as part of a more general framework
to program custom reactions to any event.

So far this was possible by design, but it took defining a bunch of macros and
recompiling sshguard to define custom actions. The SVN code (r232 on)
support this with a "-e custom_script" option, but some time will go before you
see this into a release.

For the general line: other tools are specialized for this task; notably, you'll
find some that can do event correlation.

michele

Re: [Sshguard-users] 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

[Mij <mi...@ss...>]

Hi Jo,

> Bug 1: seconds counting is broken
> 
> Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).
> 
> Yes, I had six failed passwords.  Five of them from testing sshguard more than six hours earlier in the day.  Here in the log message you see it saying "1 second" and then reporting 15625 seconds. According to the options above it should have forgotten those attempts after 20 minutes.
> 
> # grep 99.124.207.89 /var/log/auth.log
> Feb  6 15:12:04 triceratops sshd[62705]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 15:12:04 triceratops sshd[62705]: Failed password for jrhett from 99.124.207.89 port 59757 ssh2
> Feb  6 18:12:01 triceratops sshd[64237]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 18:12:01 triceratops sshd[64237]: Failed password for jrhett from 99.124.207.89 port 54602 ssh2
> Feb  6 18:23:04 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >450secs: 60 danger in 4 attacks over 663 seconds (all: 60d in 1 abuses over 663s).
> Feb  6 21:12:00 triceratops sshd[65838]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 21:12:00 triceratops sshd[65838]: Failed password for jrhett from 99.124.207.89 port 53494 ssh2
> Feb  6 21:38:30 triceratops sshd[65968]: Accepted publickey for jrhett from 99.124.207.89 port 61698 ssh2
> Feb  6 21:38:33 triceratops sshd[65970]: Accepted publickey for jrhett from 99.124.207.89 port 61856 ssh2
> Feb  6 21:47:43 triceratops sshd[66034]: Accepted publickey for jrhett from 99.124.207.89 port 50779 ssh2
> Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

I went through the code and it looks OK. The only reason I could think of
for this to happen is, you have an NTP server that was adjusting the system
clock backwards during those 20 minutes. The logs you paste here don't
help to verify this case.

Here's the relevant logic in sshguard.c :

if (tmpent == NULL) { /* entry not already in list, add it */
[..]
	attackerinit(tmpent, & attack);	# does tmpent->whenfirst = tmpent->whenlast = time()
[..]
} else {	/* entry was already existing, update with new data */
	tmpent->whenlast = time(NULL);
[..]

sshguard_log(LOG_NOTICE, "Blocking %s:%d for >%lldsecs: %u danger in %u attacks over %lld seconds (all: %ud in %d abuses over %llds).\n",
[..]
	(long long int)(tmpent->whenlast - tmpent->whenfirst)



> Bug 2: it timed out an address in the whitelist
> 
> If you read the log report carefully, it appears to think it is blocking 99.124.207.89:4 ... not really sure why it thinks :4 is part of the IP address, but this clearly caused it to avoid the whitelist behavior for some reason.  Contents of the whitelist include
> 
> # cat /usr/local/etc/sshguard.whitelist
> 99.124.207.88/29

The ":4" part says "the type of the address is [IPv]4"; the actual firewall command is composed afterwards.

The netblock "99.124.207.88" mask 29 does match "99.124.207.88", so you are most likely not actually
pointing sshguard to use this whitelist file (check your command line).

Re: [Sshguard-users] Dovecot/PAM attacks not detected

[Armando M. <arm...@st...>]

Ciao Alberto,

On 11/11/2011 08:59 AM, Alberto Ganesh Barbati wrote:
> Hi Everybody,
> I succeeded in configuring sshguard to block attacks on sshd and vsftpd, but I still have problems with dovecot. According to the sshguard website, the attack signature for dovecot, should look like this:
>
> imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

We support the log of the service itself, independently of the
authentication system used.

> However, I tried different dovecot settings and I am unable to let him produce the above line. The best I got is the following, in /var/log/secure:
>
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=X.X.X.X
> Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user daniela

Does dovecot logs another line similar to the one already supported by
Sshguard after this one? E.g., like the following

Nov 11 11:11:11 xxx dovecot-auth: imap-login: Aborted login (auth 
failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

It would be hazardous to accept two logged lines instead of one.
We also want to remain as independent as possible from the authentication
system of the server.

Thanks for the report.

Cheers,
Armando

Re: [Sshguard-users] Logging of sshguard itself: logfile with succesful blocks

[Armando M. <arm...@st...>]

Hi Karlo,

On 12/07/2011 11:16 AM, Karlo Luiten wrote:
> I'd like to know how I can get sshguard to log the blocks that are made.
> Is this possible?
Sshguard logs using syslog by default, with LOG_AUTH facility. You can 
see in
which file those are stored by checking your syslog.conf. By default, 
entries
LOG_NOTICE and higher are logged.

I would suggest you to check your syslog configuration and verify where 
the auth
messages are logged.

Cheers,
Armando

Re: [Sshguard-users] Does the whitelist override an entry in the blacklist?

[Armando M. <arm...@st...>]

Hi Mike,

On 10/25/2011 06:28 PM, Ginter, Mike wrote:
>
> Does the whitelist override the blacklist?
>

No. The blacklist is loaded first, while the whitelist is applied only 
to new blocks.

> Can blacklist entries be removed?
>
>
Not in 1.5 release, which uses a binary file: you need to remove the 
blacklist
there. You can instead with the new code from SVN, which uses a plain-text
blacklist.

Hope this helps.

Cheers,
Armando

Re: [Sshguard-users] Push to multiple hosts/firewalls?

[Mij <mi...@ss...>]

Hello Nick,

> We're looking to setup sshguard on our central syslog server and have
> sshgaurd dynamically change the firewall rules on multiple hosts
> (running iptables), thus reducing the ability for an attacker to walk
> our IP ranges.
> 
> Has anyone attempted a configuration like this before, or does anyone
> have thoughts on how we should proceed?

This is one scenario SSHGuard has been designed to address.

You run SSHGuard on the central server (syslog collector); SSHGuard
will trigger a "block" or "release" action. You need to write the script to
issue the concrete command to block/release the address on the remote
server.

You can do this by writing a simple command list in command_remotes.h 
with definitions of COMMAND_BLOCK , COMMAND_RELEASE etc. See
one example in 
http://sshguard.svn.sourceforge.net/viewvc/sshguard/trunk/src/fwalls/command_iptables.h?view=markup

The next version of SSHGuard will support doing this with a simple script
that receives the relevant parameters (action, address, target service) from
the command line or the environment.

michele

Re: [Sshguard-users] Email notification, when host is banned

[Mika S. <mik...@ho...>]

On 10.04.2012 19:52, Jo Rhett wrote:
> No, I mean look at the Service Event Correlator (binary name 'sec')
> which is used to find events in your logs and take actions (including
> very complex actions) based on them.
> 
> On Apr 10, 2012, at 7:03 AM, Mika Suomalainen wrote:
>> On 09.04.2012 06:55, Jo Rhett wrote:
>>> Look at sec.
>>>
>>> On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
>>> Hi,
>>>
>>> Is it possible to set SSHGuard to send email notifications when host
>>> is banned? Something like what sudo always sends when user isn't on
>>> sudoers file.
>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> For Developers, A Lot Can Happen In A Second.
>>>> Boundary is the first to Know...and Tell You.
>>>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>>>> http://p.sf.net/sfu/Boundary-d2dvs2
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> <mailto:Ssh...@li...>
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>
>> I have looked at the manual page and /etc/default/sshguard and tried
>> Googling about this.
>>
>> If you mean PGP/INLINE signature, which is little long due to my key
>> being 4096 bits long, I have moved to PGP/MIME.
>>
>> -- 
>> Mika Suomalainen
>> gpg --keyserver pool.sks-keyservers.net
>> <http://pool.sks-keyservers.net> --recv-keys 4DB53CFE82A46728
>> Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
>>
> 
> -- 
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and
> other randomness
> 

Oh, sorry. I misread what you said "as look a sec." I will look at sec
now. Thanks for replying :)

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728

Re: [Sshguard-users] Email notification, when host is banned

[Jo R. <jr...@ne...>]

No, I mean look at the Service Event Correlator (binary name 'sec') which is used to find events in your logs and take actions (including very complex actions) based on them.

On Apr 10, 2012, at 7:03 AM, Mika Suomalainen wrote:
> On 09.04.2012 06:55, Jo Rhett wrote:
>> Look at sec.
>> 
>> On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
>> Hi,
>> 
>> Is it possible to set SSHGuard to send email notifications when host
>> is banned? Something like what sudo always sends when user isn't on
>> sudoers file.
>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> For Developers, A Lot Can Happen In A Second.
>>> Boundary is the first to Know...and Tell You.
>>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>>> http://p.sf.net/sfu/Boundary-d2dvs2
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>> 
> 
> I have looked at the manual page and /etc/default/sshguard and tried
> Googling about this.
> 
> If you mean PGP/INLINE signature, which is little long due to my key
> being 4096 bits long, I have moved to PGP/MIME.
> 
> -- 
> Mika Suomalainen
> gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
> Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
> 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness