sshguard-users — User questions and answers, bugs, and general support

Re: [Sshguard-users] Patch: windows login and dovecot/pop3

[Mij <mi...@ss...>]

On Jun 5, 2012, at 14:35 , Fritz Zaucker wrote:

> the following patch applied to sshguard 1.5 does
> 
> a) extend MAX_LOGFILE_LEN to 2000 needed for b)
> b) recognizes a certain type of Windows Terminal Server 2008 login failure
> c) recognizes both dovecot imap AND pop3 login attempts

Thank ya


> Works for me, your mileage might vary. Especially for b) I'd expect
> "localization", because the Windows messages might appear in different
> languages.

OMG.

Can anybody check and confirm that Windows localization affects windows
service logging? Even if that's the case, we'll just go Occam's razor.


> P.S.: It might be useful to have a HOWTO for adding new attack patterns
>       (until the next official version of sshguard is published). I am not
>       really sure if I did it the way it is supposed to be done.

The official howto is:
Submit on http://www.sshguard.net/support/attacks/submit/ and be patient.

Adding patterns DYI is fairly simple for programmers, the hardest parts are:
1) detecting patterns portably across different versions of the OS or daemon
2) building patterns robust to pumping.
3) keeping up the quality of symbol names


You mostly did a good job. Can you elaborate _which_ services this pattern
addresses (e.g. process names), or what detailed event causes them to show up?

Re: [Sshguard-users] SSHGuard 1.5.0 on OS X Lion: sshguard cannot write to ipfw

[Bradley G. <pi...@ma...>]

On Jun 5, 2012, at 10:45 AM, Daniel I Golden wrote:

> Hi all,
> 
> I'm using SSHguard 1.5.0 from macports on OS X lion. To test whether ssh guard is working, I've logged onto a different computer and attempted to "break in" to my server by SSHing in with invalid username/password combos. After four invalid attempts, I see this message in system.log (I've redacted hostnames and IP addresses):
> 
> Jun  5 10:29:58 my_hostname sshguard[16887]: Blocking xxx.xxx.xxx.xxx:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: No ALTQ support in kernel
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: ALTQ related functions disabled
> Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: 1/1 addresses added.
> 
> However, when I list the ipfw rules, nothing is there:
> $ sudo ipfw list
> 65535 allow ip from any to any
> 
> And I can continue to attempt to log in from my other computer.
> 
> sshguard is running as root, as verified by ps:
> 
> [my_user@my_hostname my_username]$ ps aux|grep sshguard
> my_user        17075   0.0  0.0  2434892    572 s001  R+   10:37AM   0:00.00 grep --color sshguard
> root           16998   0.0  0.0  2445088    916   ??  S    10:32AM   0:00.02 /opt/local/sbin/sshguard -l /var/log/system.log -l /var/log/secure.log -w /opt/local/etc/sshguard/whitelist -b 50:/opt/local/var/db/sshguard/blacklist.db -s 3600
> root           16995   0.0  0.0  2435492    832   ??  S    10:32AM   0:00.00 /bin/sh /opt/local/libexec/sshguard/sshguard-options-wrapper
> root           16994   0.0  0.0  2466876   1180   ??  Ss   10:32AM   0:00.00 /opt/local/bin/daemondo --label=sshguard --start-cmd /opt/local/libexec/sshguard/sshguard-options-wrapper ; --pid=exec
> 
> 
> So I don't understand why sshguard isn't writing to ipfw. Can anyone offer any debugging suggestions?

Lion has switched from ipfw to pf for it's firewall. It looks like you are using the MacPorts sshguard port in which case on Lion the port would have configured sshguard to use pf.

I am not familiar enough with pf commands to help further but it looks like pf has a man page.


Regards,
Bradley Giesbrecht (pixilla)

[Sshguard-users] SSHGuard 1.5.0 on OS X Lion: sshguard cannot write to ipfw

[Daniel I G. <dgo...@st...>]

Hi all,

I'm using SSHguard 1.5.0 from macports on OS X lion. To test whether ssh
guard is working, I've logged onto a different computer and attempted to
"break in" to my server by SSHing in with invalid username/password combos.
After four invalid attempts, I see this message in system.log (I've
redacted hostnames and IP addresses):

Jun  5 10:29:58 my_hostname sshguard[16887]: Blocking xxx.xxx.xxx.xxx:4 for
>630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over
6s).
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: No ALTQ support
in kernel
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: ALTQ related
functions disabled
Jun  5 10:29:58 my_hostname org.macports.sshguard[16883]: 1/1 addresses
added.

However, when I list the ipfw rules, nothing is there:
$ sudo ipfw list
65535 allow ip from any to any

And I can continue to attempt to log in from my other computer.

sshguard is running as root, as verified by ps:

[my_user@my_hostname my_username]$ ps aux|grep sshguard
my_user        17075   0.0  0.0  2434892    572 s001  R+   10:37AM
0:00.00 grep --color sshguard
root           16998   0.0  0.0  2445088    916   ??  S    10:32AM
0:00.02 /opt/local/sbin/sshguard -l /var/log/system.log -l
/var/log/secure.log -w /opt/local/etc/sshguard/whitelist -b
50:/opt/local/var/db/sshguard/blacklist.db -s 3600
root           16995   0.0  0.0  2435492    832   ??  S    10:32AM
0:00.00 /bin/sh /opt/local/libexec/sshguard/sshguard-options-wrapper
root           16994   0.0  0.0  2466876   1180   ??  Ss   10:32AM
0:00.00 /opt/local/bin/daemondo --label=sshguard --start-cmd
/opt/local/libexec/sshguard/sshguard-options-wrapper ; --pid=exec


So I don't understand why sshguard isn't writing to ipfw. Can anyone offer
any debugging suggestions?

Thank you!
Dan

[Sshguard-users] Patch: windows login and dovecot/pop3

[Fritz Z. <fri...@oe...>]

Hi,

the following patch applied to sshguard 1.5 does

a) extend MAX_LOGFILE_LEN to 2000 needed for b)

b) recognizes a certain type of Windows Terminal Server 2008 login failure

c) recognizes both dovecot imap AND pop3 login attempts

Works for me, your mileage might vary. Especially for b) I'd expect
"localization", because the Windows messages might appear in different
languages.

Obviously, it would be cool if this could be included into the next version.

Cheers,
Fritz

P.S.: It might be useful to have a HOWTO for adding new attack patterns
       (until the next official version of sshguard is published). I am not
       really sure if I did it the way it is supposed to be done.


--- sshguard-1.5/src/sshguard.c	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/sshguard.c	2012-06-05 11:33:25.000000000 +0200
@@ -56,7 +56,7 @@

  #include "sshguard.h"

-#define MAX_LOGLINE_LEN     1000
+#define MAX_LOGLINE_LEN     2000

  /* switch from 0 (normal) to 1 (suspended) with SIGTSTP and SIGCONT respectively */
  int suspended;
--- sshguard-1.5/src/sshguard_services.h	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/sshguard_services.h	2012-06-05 11:02:03.000000000 +0200
@@ -62,4 +62,9 @@

  /* vsftpd */
  #define SERVICES_VSFTPD                 330
+
+/* windows */
+#define SERVICES_WINDOWS                340
+
  #endif
+
--- sshguard-1.5/src/parser/attack_parser.y	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/parser/attack_parser.y	2012-06-01 20:41:45.000000000 +0200
@@ -91,6 +91,8 @@
  %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
  %token SSH_REVERSEMAP_PREF SSH_REVERSEMAP_SUFF
  %token SSH_NOIDENTIFSTR SSH_BADPROTOCOLIDENTIF
+/* windows */
+%token WINDOWS_LOGINERR_PREF WINDOWS_LOGINERR_SUFF
  /* dovecot */
  %token DOVECOT_IMAP_LOGINERR_PREF DOVECOT_IMAP_LOGINERR_SUFF
  /* uwimap */
@@ -167,6 +169,7 @@

  msg_single:
      sshmsg              {   parsed_attack.service = SERVICES_SSH; }
+    | windowsmsg        {   parsed_attack.service = SERVICES_WINDOWS; }
      | dovecotmsg        {   parsed_attack.service = SERVICES_DOVECOT; }
      | uwimapmsg         {   parsed_attack.service = SERVICES_UWIMAP; }
      | cyrusimapmsg      {   parsed_attack.service = SERVICES_CYRUSIMAP; }
@@ -296,6 +299,11 @@
      DOVECOT_IMAP_LOGINERR_PREF addr DOVECOT_IMAP_LOGINERR_SUFF
      ;

+/* attack rules for windows */
+windowsmsg:
+    WINDOWS_LOGINERR_PREF addr WINDOWS_LOGINERR_SUFF
+    ;
+
  /* attack rules for UWIMAP */
  uwimapmsg:
      UWIMAP_LOGINERR '[' addr ']'
--- sshguard-1.5/src/parser/attack_scanner.l	2011-02-09 13:01:47.000000000 +0100
+++ sshguard-1.5-patched/src/parser/attack_scanner.l	2012-06-05 12:05:14.000000000 +0200
@@ -69,8 +69,10 @@
  %s dovecot_loginerr  cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
   /* for FTP services */
  %s freebsdftpd_loginerr  proftpd_loginerr  pureftpd_loginerr vsftpd_loginerr
+ /* for Windows */
+%s windows_loginerr

-
+IMAPORPOP3  (imap|pop3)
  MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
  DAYNO       [1-9][0-9]?
  HOUR        (0|1)[0-9]|2[0-4]
@@ -167,7 +169,7 @@
  <sendmail_relaydenied>"]"                                       { BEGIN(INITIAL); return SENDMAIL_RELAYDENIED_SUFF; }

   /* dovecot */
-"imap-login: Aborted login (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
+{IMAPORPOP3}"-login: ".+" (auth failed, "{NUMBER}" attempts): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
  <dovecot_loginerr>", lip=".+                                        { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; }

   /* UWimap login errors */
@@ -196,6 +198,10 @@
  .+"FAIL LOGIN: Client \""                                       { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; }
  <vsftpd_loginerr>"\""                                           { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; }

+ /* Windows: login error */
+{NUMBER}": An account failed to log on.".+" Source Network Address: " { BEGIN(windows_loginerr); return WINDOWS_LOGINERR_PREF; }
+<windows_loginerr>" Source Port: ".+                                  { BEGIN(INITIAL); return WINDOWS_LOGINERR_SUFF; }
+
   /**         COMMON-USE TOKENS       do not touch these          **/
   /* an IPv4 address */
  {IPV4}                                                          { yylval.str = yytext; return IPv4; }


-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

[Sshguard-users] FYI: FreeBSD jail host system ipfw protection - example

[Rick v. d. Z. <in...@ri...>]

As a little addition to the excellent FAQ entry:

`` If you control the host system as well, you can run a single SSHGuard
from it and let it monitor the log files of all jails. SSHGuard will
monitor the
activity of the jails, but operate the firewall from the host.
'' source: http://www.sshguard.net/docs/faqs/#sshguard-in-jail

I have implemented this like this on the FreeBSD jail host system.

1) Installed security/sshguard-ipfw and enabled the firewall.

2) The startup script is included below (not sure if the mailing-list
accepted attachments).

3) My system has jails in /usr/jail/<name>, which I like to included
dynamically. So in /etc/rc.conf:
  sshguard_enable="YES"
  sshguard_flags="`ls /usr/jail/*/var/log/auth.log | xargs -n1 echo
'-l ' | xargs`"

Br. /Rick

cat <<'EOF' > /usr/local/etc/rc.d/sshguard
#!/bin/sh
#
# FreeBSD rc.d style startup start for running sshguard daemon
#
# Rick van der Zwet <in...@ri...>
#

# PROVIDE: sshguard
# REQUIRE: ssh

. /etc/rc.subr

# Set defaults
: ${sshguard_enable:="NO"}
: ${sshguard_flags:=""}

name=sshguard
rcvar=`set_rcvar`

pidfile=${sshguard_pidfile:-"/var/run/${name}.pid"}
command="/usr/local/sbin/${name}"
command_args="-i ${pidfile} ${sshguard_flags} &"

extra_commands="suspend continue"

suspend_cmd=suspend_cmd
continue_cmd=continue_cmd

suspend_cmd()
{
  kill -s SIGTSTP $pidfile
}

continue_cmd()
{
  kill -s SIGCONT $pidfile
}

load_rc_config $name

run_rc_command "$1"
'EOF'

-- 
http://rickvanderzwet.nl

Re: [Sshguard-users] Risk of DoS attacks?

[Fritz Z. <za...@oe...>]

On Thu, 31 May 2012, Mij wrote:

>> I am wondering about the potential of DoS attacks on sshguard protected
>> servers. For example, if an attacker is sitting behind a NAT gateway, an
>> attack would block everybody behind that gateway, wouldn't it?
>
> If Mallory sits behind a NAT that Alice uses, then Alice will be blocked too.
>
> This is unavoidable, and this makes sense: the NAT provider is responsible
> for all of users behind it.
>
> Unless Mallory keeps attacking, SSHGuard's touchiness guarantees that early
> and sparse attacks will affect the address(es) for very limited time.
> Repeated attacks will last more, but the network operator is expected to become
> aware of that by then.

Thanks for confirming what I was thinking.

For our application we decided to configure sshguard/iptables so that the
http and https ports are not blocked so that at least our website (with
contact information) is still reachable by Alice.

Cheers,
Fritz

-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

Re: [Sshguard-users] Risk of DoS attacks?

[Mij <mi...@ss...>]

> I am wondering about the potential of DoS attacks on sshguard protected
> servers. For example, if an attacker is sitting behind a NAT gateway, an
> attack would block everybody behind that gateway, wouldn't it?

If Mallory sits behind a NAT that Alice uses, then Alice will be blocked too.

This is unavoidable, and this makes sense: the NAT provider is responsible
for all of users behind it.

Unless Mallory keeps attacking, SSHGuard's touchiness guarantees that early
and sparse attacks will affect the address(es) for very limited time.
Repeated attacks will last more, but the network operator is expected to become
aware of that by then.


> P.S.: Thanks to the sshguard team for making sshguard available!

cheers
michele

[Sshguard-users] Risk of DoS attacks?

[Fritz Z. <fri...@oe...>]

Hi,

I am wondering about the potential of DoS attacks on sshguard protected
servers. For example, if an attacker is sitting behind a NAT gateway, an
attack would block everybody behind that gateway, wouldn't it?

Cheers,
Fritz

P.S.: Thanks to the sshguard team for making sshguard available!

-- 
Oetiker+Partner AG              tel: +41 62 775 9903 (direct)
Fritz Zaucker                        +41 62 775 9900 (switch board)
Aarweg 15                            +41 79 675 0630 (mobile)
CH-4600 Olten                   fax: +41 62 775 9905
Schweiz                         web: www.oetiker.ch

[Sshguard-users] sshguard ignoring entries from unnamed hosts

[Charles S. <sp...@bw...>]

This is an odd one.  I use sshguard in FreeBSD jails quite often by having the jail send all auth.info to the host.  This generally works well, but a recent new install showed that a ton of brute-force attacks were being logged but sshguard was not acting on them.  After playing around with debug mode, I found this that it's due to the logfile containing the jail's IP rather than hostname.

ignored:

Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 21 18:35:54 10.88.77.22 sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 213 ("May 21 18:35:54")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0

valid:

May 21 18:35:54 foo sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 18:35:54 foo sshd[39330]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
[…]
Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address x.x.x.x:4 attacking service 100, dangerousness 10.

I can fix this in /etc/hosts, but why would sshguard not accept the first form by default?  I generally don't bother with dns on the internal networks.

Thanks,

Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bw... - 212.982.9800

[Sshguard-users] Sshquard-pf does not pickup the ftp log.

[Ian N. <IA...@fu...>]

Ok,
I've solved the problem. Vsftpd needs to be configured to log the
connection failures using the syslog FTP logging path. For future
reference, VSFTPD needs to be configured with the xferlog_enable option
set to YES and the xferlog_std_format setting set to NO.

[Sshguard-users] Sshquard-pf does not pickup the ftp log.

[Ian N. <IA...@fu...>]

We're trying to use sshguard-pf version 1.5.0 with vsftpd on FreeBSD
8.2. It's blocking invalid users using ssh, but it does not appear to
block any FTP traffic.

Vsftpd is writing to the default /var/log/xferlog and using the
xferlog_std_format setting. We have confirmed that the connection
attempts are being logged to the file.

The sshguard syslog entry looks like this:

auth.info;authpriv.info;ftp.info     |exec /usr/local/sbin/sshguard -a 1

Auth.info;authpriv.info	    /var/log/auth.log
ftp.info                    /var/log/xferlog


When we pass an invalid user connection attempt string from the
/var/log/xferlog file to sshguard in debug mode it does process it and
add the address to the pf table, but does not appear to be reading the
/var/log/xferlog file, only the auth.log.

Any suggestions?
Thanks.

Re: [Sshguard-users] Email notification, when host is banned

[Mij <mi...@ss...>]

Hi Mika,

> Is it possible to set SSHGuard to send email notifications when host
> is banned? Something like what sudo always sends when user isn't on
> sudoers file.

For the sshguard part:
This has been in TODO for over a year as part of a more general framework
to program custom reactions to any event.

So far this was possible by design, but it took defining a bunch of macros and
recompiling sshguard to define custom actions. The SVN code (r232 on)
support this with a "-e custom_script" option, but some time will go before you
see this into a release.

For the general line: other tools are specialized for this task; notably, you'll
find some that can do event correlation.

michele

Re: [Sshguard-users] 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

[Mij <mi...@ss...>]

Hi Jo,

> Bug 1: seconds counting is broken
> 
> Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).
> 
> Yes, I had six failed passwords.  Five of them from testing sshguard more than six hours earlier in the day.  Here in the log message you see it saying "1 second" and then reporting 15625 seconds. According to the options above it should have forgotten those attempts after 20 minutes.
> 
> # grep 99.124.207.89 /var/log/auth.log
> Feb  6 15:12:04 triceratops sshd[62705]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 15:12:04 triceratops sshd[62705]: Failed password for jrhett from 99.124.207.89 port 59757 ssh2
> Feb  6 18:12:01 triceratops sshd[64237]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 18:12:01 triceratops sshd[64237]: Failed password for jrhett from 99.124.207.89 port 54602 ssh2
> Feb  6 18:23:04 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >450secs: 60 danger in 4 attacks over 663 seconds (all: 60d in 1 abuses over 663s).
> Feb  6 21:12:00 triceratops sshd[65838]: error: PAM: authentication error for jrhett from 99.124.207.89
> Feb  6 21:12:00 triceratops sshd[65838]: Failed password for jrhett from 99.124.207.89 port 53494 ssh2
> Feb  6 21:38:30 triceratops sshd[65968]: Accepted publickey for jrhett from 99.124.207.89 port 61698 ssh2
> Feb  6 21:38:33 triceratops sshd[65970]: Accepted publickey for jrhett from 99.124.207.89 port 61856 ssh2
> Feb  6 21:47:43 triceratops sshd[66034]: Accepted publickey for jrhett from 99.124.207.89 port 50779 ssh2
> Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

I went through the code and it looks OK. The only reason I could think of
for this to happen is, you have an NTP server that was adjusting the system
clock backwards during those 20 minutes. The logs you paste here don't
help to verify this case.

Here's the relevant logic in sshguard.c :

if (tmpent == NULL) { /* entry not already in list, add it */
[..]
	attackerinit(tmpent, & attack);	# does tmpent->whenfirst = tmpent->whenlast = time()
[..]
} else {	/* entry was already existing, update with new data */
	tmpent->whenlast = time(NULL);
[..]

sshguard_log(LOG_NOTICE, "Blocking %s:%d for >%lldsecs: %u danger in %u attacks over %lld seconds (all: %ud in %d abuses over %llds).\n",
[..]
	(long long int)(tmpent->whenlast - tmpent->whenfirst)



> Bug 2: it timed out an address in the whitelist
> 
> If you read the log report carefully, it appears to think it is blocking 99.124.207.89:4 ... not really sure why it thinks :4 is part of the IP address, but this clearly caused it to avoid the whitelist behavior for some reason.  Contents of the whitelist include
> 
> # cat /usr/local/etc/sshguard.whitelist
> 99.124.207.88/29

The ":4" part says "the type of the address is [IPv]4"; the actual firewall command is composed afterwards.

The netblock "99.124.207.88" mask 29 does match "99.124.207.88", so you are most likely not actually
pointing sshguard to use this whitelist file (check your command line).

Re: [Sshguard-users] Dovecot/PAM attacks not detected

[Armando M. <arm...@st...>]

Ciao Alberto,

On 11/11/2011 08:59 AM, Alberto Ganesh Barbati wrote:
> Hi Everybody,
> I succeeded in configuring sshguard to block attacks on sshd and vsftpd, but I still have problems with dovecot. According to the sshguard website, the attack signature for dovecot, should look like this:
>
> imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

We support the log of the service itself, independently of the
authentication system used.

> However, I tried different dovecot settings and I am unable to let him produce the above line. The best I got is the following, in /var/log/secure:
>
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
> Nov 11 11:11:11 xxx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=X.X.X.X
> Nov 11 11:11:11 xxx dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user daniela

Does dovecot logs another line similar to the one already supported by
Sshguard after this one? E.g., like the following

Nov 11 11:11:11 xxx dovecot-auth: imap-login: Aborted login (auth 
failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

It would be hazardous to accept two logged lines instead of one.
We also want to remain as independent as possible from the authentication
system of the server.

Thanks for the report.

Cheers,
Armando

Re: [Sshguard-users] Logging of sshguard itself: logfile with succesful blocks

[Armando M. <arm...@st...>]

Hi Karlo,

On 12/07/2011 11:16 AM, Karlo Luiten wrote:
> I'd like to know how I can get sshguard to log the blocks that are made.
> Is this possible?
Sshguard logs using syslog by default, with LOG_AUTH facility. You can 
see in
which file those are stored by checking your syslog.conf. By default, 
entries
LOG_NOTICE and higher are logged.

I would suggest you to check your syslog configuration and verify where 
the auth
messages are logged.

Cheers,
Armando

Re: [Sshguard-users] Does the whitelist override an entry in the blacklist?

[Armando M. <arm...@st...>]

Hi Mike,

On 10/25/2011 06:28 PM, Ginter, Mike wrote:
>
> Does the whitelist override the blacklist?
>

No. The blacklist is loaded first, while the whitelist is applied only 
to new blocks.

> Can blacklist entries be removed?
>
>
Not in 1.5 release, which uses a binary file: you need to remove the 
blacklist
there. You can instead with the new code from SVN, which uses a plain-text
blacklist.

Hope this helps.

Cheers,
Armando

Re: [Sshguard-users] Push to multiple hosts/firewalls?

[Mij <mi...@ss...>]

Hello Nick,

> We're looking to setup sshguard on our central syslog server and have
> sshgaurd dynamically change the firewall rules on multiple hosts
> (running iptables), thus reducing the ability for an attacker to walk
> our IP ranges.
> 
> Has anyone attempted a configuration like this before, or does anyone
> have thoughts on how we should proceed?

This is one scenario SSHGuard has been designed to address.

You run SSHGuard on the central server (syslog collector); SSHGuard
will trigger a "block" or "release" action. You need to write the script to
issue the concrete command to block/release the address on the remote
server.

You can do this by writing a simple command list in command_remotes.h 
with definitions of COMMAND_BLOCK , COMMAND_RELEASE etc. See
one example in 
http://sshguard.svn.sourceforge.net/viewvc/sshguard/trunk/src/fwalls/command_iptables.h?view=markup

The next version of SSHGuard will support doing this with a simple script
that receives the relevant parameters (action, address, target service) from
the command line or the environment.

michele

Re: [Sshguard-users] Email notification, when host is banned

[Mika S. <mik...@ho...>]

On 10.04.2012 19:52, Jo Rhett wrote:
> No, I mean look at the Service Event Correlator (binary name 'sec')
> which is used to find events in your logs and take actions (including
> very complex actions) based on them.
> 
> On Apr 10, 2012, at 7:03 AM, Mika Suomalainen wrote:
>> On 09.04.2012 06:55, Jo Rhett wrote:
>>> Look at sec.
>>>
>>> On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
>>> Hi,
>>>
>>> Is it possible to set SSHGuard to send email notifications when host
>>> is banned? Something like what sudo always sends when user isn't on
>>> sudoers file.
>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> For Developers, A Lot Can Happen In A Second.
>>>> Boundary is the first to Know...and Tell You.
>>>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>>>> http://p.sf.net/sfu/Boundary-d2dvs2
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> <mailto:Ssh...@li...>
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>
>> I have looked at the manual page and /etc/default/sshguard and tried
>> Googling about this.
>>
>> If you mean PGP/INLINE signature, which is little long due to my key
>> being 4096 bits long, I have moved to PGP/MIME.
>>
>> -- 
>> Mika Suomalainen
>> gpg --keyserver pool.sks-keyservers.net
>> <http://pool.sks-keyservers.net> --recv-keys 4DB53CFE82A46728
>> Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
>>
> 
> -- 
> Jo Rhett
> Net Consonance : consonant endings by net philanthropy, open source and
> other randomness
> 

Oh, sorry. I misread what you said "as look a sec." I will look at sec
now. Thanks for replying :)

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728

Re: [Sshguard-users] Email notification, when host is banned

[Jo R. <jr...@ne...>]

No, I mean look at the Service Event Correlator (binary name 'sec') which is used to find events in your logs and take actions (including very complex actions) based on them.

On Apr 10, 2012, at 7:03 AM, Mika Suomalainen wrote:
> On 09.04.2012 06:55, Jo Rhett wrote:
>> Look at sec.
>> 
>> On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
>> Hi,
>> 
>> Is it possible to set SSHGuard to send email notifications when host
>> is banned? Something like what sudo always sends when user isn't on
>> sudoers file.
>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> For Developers, A Lot Can Happen In A Second.
>>> Boundary is the first to Know...and Tell You.
>>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>>> http://p.sf.net/sfu/Boundary-d2dvs2
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>> 
> 
> I have looked at the manual page and /etc/default/sshguard and tried
> Googling about this.
> 
> If you mean PGP/INLINE signature, which is little long due to my key
> being 4096 bits long, I have moved to PGP/MIME.
> 
> -- 
> Mika Suomalainen
> gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
> Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
> 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Re: [Sshguard-users] Email notification, when host is banned

[Mika S. <mik...@ho...>]

On 09.04.2012 06:55, Jo Rhett wrote:
> Look at sec.
> 
> On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
> Hi,
> 
> Is it possible to set SSHGuard to send email notifications when host
> is banned? Something like what sudo always sends when user isn't on
> sudoers file.
> 
>>
>> ------------------------------------------------------------------------------
>> For Developers, A Lot Can Happen In A Second.
>> Boundary is the first to Know...and Tell You.
>> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
>> http://p.sf.net/sfu/Boundary-d2dvs2
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> 

I have looked at the manual page and /etc/default/sshguard and tried
Googling about this.

If you mean PGP/INLINE signature, which is little long due to my key
being 4096 bits long, I have moved to PGP/MIME.

-- 
Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728

Re: [Sshguard-users] Email notification, when host is banned

[Jo R. <jr...@ne...>]

Look at sec.

On Apr 7, 2012, at 1:56 AM, Mika Suomalainen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> Is it possible to set SSHGuard to send email notifications when host
> is banned? Something like what sudo always sends when user isn't on
> sudoers file.
> 
> - -- 
> Mika Suomalainen
>> gpg --keyserver pool.sks-keyservers.net --recv-keys
>> 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65
>> 4DB5 3CFE 82A4 6728
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.19 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQIcBAEBAgAGBQJPgAFQAAoJEE21PP6CpGcoXncP/2pgQZMkSPYzE3WQlD3RBUy2
> 4Jb52JVChOXVeeGE5aEOKjDrdgMSyXQLyatGgxP52DFHs7tWw9S9SzVgI43j6hCb
> QkLL0bf27A852WAGBAsGvZOdXTd+ZYhawJmhrI6yzjMl81y6vyME7YGKrXPDZnW1
> osCxqP6ETTtgs2OuMSisMv6gBJ9LYmiNJZAfjf+W9YfyORk7jBDTEw1iEILrLHpd
> XGNFb6ywBsZYC2D6DqRrdaTu8uCSuHXPmacqHvGToobTWg3Xz3ep2US/n99TRfIw
> D8yuPsq7yCIsXINMuNe8qusQZVgX3VDD71ESRcn2Rv7Ye19nG0yMTOsFUzO8929n
> ZttudLA0qGYW1xp4Yv0YGT17UiwyUJ+aXc/WSr3Q7R8us/96a5B5p2p6EQsZ8Gy+
> UKW9UWj/a6MwSradLf/AnEpyLasEHgIlIL+PTSEIHTC8UGvZx+BnN8vrOIKV5PxV
> NcXHPWPvPQdTpp4/KLzywg+JZOMQyVjCYBWZ54YRYov0ehFEmyqSSSPUb812mLJd
> 4jVmuMEXhU63FooPtaaEilpKul1VO23IgJyPLKbV8Y05nJIBzF7Yvb5DgBzXpwoB
> dlwBkEtEW33F55xzXqzf8HifEY+aqUPXDBtxt6x9bxnhYVfoHT3rH51IIIb5xdHV
> 8lcAm78bwA9HHm6759iN
> =J2p6
> -----END PGP SIGNATURE-----
> 
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

[Sshguard-users] Email notification, when host is banned

[Mika S. <mik...@ho...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Is it possible to set SSHGuard to send email notifications when host
is banned? Something like what sudo always sends when user isn't on
sudoers file.

- -- 
Mika Suomalainen
> gpg --keyserver pool.sks-keyservers.net --recv-keys
> 4DB53CFE82A46728 Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65
> 4DB5 3CFE 82A4 6728
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPgAFQAAoJEE21PP6CpGcoXncP/2pgQZMkSPYzE3WQlD3RBUy2
4Jb52JVChOXVeeGE5aEOKjDrdgMSyXQLyatGgxP52DFHs7tWw9S9SzVgI43j6hCb
QkLL0bf27A852WAGBAsGvZOdXTd+ZYhawJmhrI6yzjMl81y6vyME7YGKrXPDZnW1
osCxqP6ETTtgs2OuMSisMv6gBJ9LYmiNJZAfjf+W9YfyORk7jBDTEw1iEILrLHpd
XGNFb6ywBsZYC2D6DqRrdaTu8uCSuHXPmacqHvGToobTWg3Xz3ep2US/n99TRfIw
D8yuPsq7yCIsXINMuNe8qusQZVgX3VDD71ESRcn2Rv7Ye19nG0yMTOsFUzO8929n
ZttudLA0qGYW1xp4Yv0YGT17UiwyUJ+aXc/WSr3Q7R8us/96a5B5p2p6EQsZ8Gy+
UKW9UWj/a6MwSradLf/AnEpyLasEHgIlIL+PTSEIHTC8UGvZx+BnN8vrOIKV5PxV
NcXHPWPvPQdTpp4/KLzywg+JZOMQyVjCYBWZ54YRYov0ehFEmyqSSSPUb812mLJd
4jVmuMEXhU63FooPtaaEilpKul1VO23IgJyPLKbV8Y05nJIBzF7Yvb5DgBzXpwoB
dlwBkEtEW33F55xzXqzf8HifEY+aqUPXDBtxt6x9bxnhYVfoHT3rH51IIIb5xdHV
8lcAm78bwA9HHm6759iN
=J2p6
-----END PGP SIGNATURE-----

[Sshguard-users] 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

[Jo R. <jr...@ne...>]

I am running sshguard with the following options.
	root   66430  0.0  0.1  3424  1284  u0  I    10:42PM   0:00.01 /usr/local/sbin/sshguard -a 60 -p 300 -s 1200 -i /var/run/sshguard.pid -l /var/log/auth.log -w /usr/local/etc/sshguard.whitelist

However, I managed to get myself blocked today, which is a matter of two bugs:

Bug 1: seconds counting is broken

Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

Yes, I had six failed passwords.  Five of them from testing sshguard more than six hours earlier in the day.  Here in the log message you see it saying "1 second" and then reporting 15625 seconds. According to the options above it should have forgotten those attempts after 20 minutes.

# grep 99.124.207.89 /var/log/auth.log
Feb  6 15:12:04 triceratops sshd[62705]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb  6 15:12:04 triceratops sshd[62705]: Failed password for jrhett from 99.124.207.89 port 59757 ssh2
Feb  6 18:12:01 triceratops sshd[64237]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb  6 18:12:01 triceratops sshd[64237]: Failed password for jrhett from 99.124.207.89 port 54602 ssh2
Feb  6 18:23:04 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >450secs: 60 danger in 4 attacks over 663 seconds (all: 60d in 1 abuses over 663s).
Feb  6 21:12:00 triceratops sshd[65838]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb  6 21:12:00 triceratops sshd[65838]: Failed password for jrhett from 99.124.207.89 port 53494 ssh2
Feb  6 21:38:30 triceratops sshd[65968]: Accepted publickey for jrhett from 99.124.207.89 port 61698 ssh2
Feb  6 21:38:33 triceratops sshd[65970]: Accepted publickey for jrhett from 99.124.207.89 port 61856 ssh2
Feb  6 21:47:43 triceratops sshd[66034]: Accepted publickey for jrhett from 99.124.207.89 port 50779 ssh2
Feb  6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

Bug 2: it timed out an address in the whitelist

If you read the log report carefully, it appears to think it is blocking 99.124.207.89:4 ... not really sure why it thinks :4 is part of the IP address, but this clearly caused it to avoid the whitelist behavior for some reason.  Contents of the whitelist include

# cat /usr/local/etc/sshguard.whitelist
99.124.207.88/29

Platform information:
# uname -a
FreeBSD triceratops.netconsonance.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     ro...@i3...:/usr/obj/usr/src/sys/GENERIC  i386

For what it is worth, we were running this on CentOS linux at the shop and never saw this problem, so it seems to be related to FreeBSD port in some way.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

[Sshguard-users] Push to multiple hosts/firewalls?

[Nick G. <ga...@su...>]

We're looking to setup sshguard on our central syslog server and have
sshgaurd dynamically change the firewall rules on multiple hosts
(running iptables), thus reducing the ability for an attacker to walk
our IP ranges.

Has anyone attempted a configuration like this before, or does anyone
have thoughts on how we should proceed?

-Nick

--
Nicholas P. Gasparovich
Systems Administrator
Technology Integration Services
SUNY Institute of Technology
Utica, New York 13504-3050

[Sshguard-users] Logging of sshguard itself: logfile with succesful blocks

[Karlo L. <ma...@ka...>]

Hello all,

I installed and configured sshguard on a freeBSD machine. So far so
good.

I'd like to know how I can get sshguard to log the blocks that are made.

Is this possible?
Thanks,
Karlo