From: Greg A. W. <wo...@pl...> - 2011-10-03 20:30:07
|
SSHGuard-1.5 seems to go into an infinite loop at some point, when a log
file it is watching with "-l" is archived and re-created.
It does not appear to be reading new entries from the log, and totally
missed an SSH attack, plus secondary manual testing.
This is on NetBSD-4. HAVE_KQUEUE is defined.
I've reconfigured to drive it on STDIN directly from syslogd for now,
but I'd rather have it watch the log file as a daemon than have to feed
it from syslogd. I guess I could use "tail -F" which is reliable and
working on NetBSD (and which also uses kqueue). Perhaps SSHGuard has
too many features and really should rely on something like "tail -F",
though unfortunately "tail -F" only works on one file at a time on
many(most/all?) platforms.
BTW, you'll see that after I detach from it with gdb the CPU use drops,
but still does not go down to a reasonable level, and it still continues
to ignore new entries in the log file.
12:38 [2267] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 99.7 0.0 61792 1088 ? Rsa 8:12PM 985:56.51 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2268] # gdb /usr/local/sbin/sshguard 20463
[GDB will not be able to debug user-mode threads: Service unavailable]
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
Attaching to program: /usr/local/sbin/sshguard, process 20463
Reading symbols from /usr/lib/libpthread.so.0...done.
Loaded symbols for /usr/lib/libpthread.so.0
Reading symbols from /usr/lib/libc.so.12...done.
Loaded symbols for /usr/lib/libc.so.12
Reading symbols from /usr/libexec/ld.elf_so...done.
Loaded symbols for /usr/libexec/ld.elf_so
0xbbb22937 in kevent () from /usr/lib/libc.so.12
(gdb) where
#0 0xbbb22937 in kevent () from /usr/lib/libc.so.12
#1 0x0804c742 in logsuck_getline (buf=0xbfbfdcac "", buflen=1000, from_previous_source=false, whichsource=0xbfbfe0d0)
at sshguard_logsuck.c:240
#2 0x08049d6f in main (argc=74524, argv=0xbbbed400) at sshguard.c:255
(gdb) cont
Continuing.
^?
Program received signal SIGINT, Interrupt.
0xbbb22937 in kevent () from /usr/lib/libc.so.12
(gdb) where
#0 0xbbb22937 in kevent () from /usr/lib/libc.so.12
#1 0x0804c742 in logsuck_getline (buf=0xbfbfdcac "", buflen=1000, from_previous_source=false, whichsource=0xbfbfe0d0)
at sshguard_logsuck.c:240
#2 0x08049d6f in main (argc=74524, argv=0xbbbed400) at sshguard.c:255
(gdb) quit
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/local/sbin/sshguard, process 20463
12:39 [2269] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 40.8 0.0 61792 1084 ? Rsa 8:12PM 986:18.74 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2270] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 43.7 0.0 61792 1084 ? Rsa 8:12PM 986:20.04 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
12:39 [2271] # /etc/rc.d/sshguard status
sshguard is running as pid 20463.
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 20463 49.0 0.0 61792 1084 ? Rsa 8:12PM 986:21.64 /usr/local/sbin/sshguard -w 10.0.0.0/8 -w XXX.XXX.XXX.0/24 -l /var/log/au
--
Greg A. Woods
+1 250 762-7675 RoboHack <wo...@ro...>
Planix, Inc. <wo...@pl...> Secrets of the Weird <wo...@we...>
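The post above describes a watcher that stops seeing new entries once its log is archived and re-created. As an added example (not sshguard's code, and independent of kqueue), this C sketch shows one portable way a log follower can notice the rotation: drain the descriptor it holds, then at EOF compare the device and inode behind the descriptor with what the path names now, and reopen on a mismatch. The `watched_log` type, the function names and the scratch files are hypothetical and constructed for the illustration.

```c
#define _XOPEN_SOURCE 700            /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct watched_log {                 /* hypothetical type for this example */
    const char *path;                /* name the watcher was told to follow */
    int fd;                          /* descriptor being read, -1 if none */
    struct stat id;                  /* identity (st_dev, st_ino) behind fd */
};

/* Open path and record which file the new descriptor refers to. */
static int watched_log_open(struct watched_log *w)
{
    struct stat st;
    int fd = open(w->path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (w->fd >= 0)
        close(w->fd);                /* let go of the archived file */
    w->fd = fd;
    w->id = st;
    return 0;
}

/* Drain the file we hold; at EOF, reopen if path now names another file. */
static ssize_t watched_log_read(struct watched_log *w, char *buf, size_t len)
{
    struct stat st;
    ssize_t n = read(w->fd, buf, len);
    if (n != 0)
        return n;                    /* data, or a read error */
    if (stat(w->path, &st) != 0 ||   /* path absent mid-rotation: retry later */
        (st.st_dev == w->id.st_dev && st.st_ino == w->id.st_ino))
        return 0;                    /* nothing new: caller waits, no spinning */
    if (watched_log_open(w) != 0)
        return 0;
    return read(w->fd, buf, len);    /* re-created file, read from its start */
}

static void append_line(const char *path, const char *line)
{
    FILE *f = fopen(path, "a");
    if (f != NULL) {
        fputs(line, f);
        fclose(f);
    }
}

/* Constructed scenario: 1 if the entry written after rotation is picked up. */
int rotation_demo(void)
{
    char dir[] = "/tmp/logwatchXXXXXX", path[64], old[64], buf[160];
    ssize_t n;
    int seen = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/auth.log", dir);
    snprintf(old, sizeof old, "%s/auth.log.0", dir);
    struct watched_log w = { .path = path, .fd = -1 };
    append_line(path, "sshd[1]: old entry\n");
    if (watched_log_open(&w) == 0) {
        rename(path, old);           /* the archiver moves the log aside */
        append_line(path, "sshd[2]: Failed password for root from 192.0.2.7\n");
        while ((n = watched_log_read(&w, buf, sizeof buf - 1)) > 0) {
            buf[n] = '\0';
            seen |= strstr(buf, "192.0.2.7") != NULL;
        }
        close(w.fd);
    }
    unlink(path);
    unlink(old);
    rmdir(dir);
    return seen;
}

int main(void) { return rotation_demo() == 1 ? 0 : 1; }
```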
|
|
From: Mij <mi...@ss...> - 2011-10-03 16:53:35
|
Hi Krzysztof, As you notice, the pattern we have for dovecot is the latter. What version of dovecot produces your pattern? Please file a submission for the new pattern at http://www.sshguard.net/support/attacks/submit/ |
|
From: Mij <mi...@ss...> - 2011-10-03 16:32:17
|
Hi Bradley
> Is there a place to search the mailing list archives vs browsing them?
> This is where I have looked:
> http://sourceforge.net/mailarchive/forum.php?set=custom&viewmonth=&viewday=&forum_name=sshguard-users&style=ultimate&max_rows=25&submit=Change+View
Correct. From there, follow "Mailing Lists" > "Search Mail Lists" in the upper bar.
> My question, is it currently possible to sshguard read a list of log files from a conf file as an alternative/addition to using "-l file.log" when starting sshguard?
Not yet, I'll write it down among the feature requests.
|
|
From: Jin C. <js...@al...> - 2011-10-03 16:18:11
|
I'm seeing recent attacks where there are a number of disconnects before the scan takes place, of the form:
Received disconnect from x.x.x.x: 11: Bye Bye
I don't know what hole this is targeting, but can sshguard be modified to handle this behavior as well?
|
|
From: Jin C. <js...@al...> - 2011-10-03 15:57:50
|
man sshguard says
-b [thresh:]filename
enable blacklisting: blacklist after thresh (or 40) dangerousness committed, and hold
the permanent blacklist in filename. See TOUCHINESS & BLACKLISTING below.
But the source actually defines
#define DEFAULT_BLACKLIST_THRESHOLD (3 * DEFAULT_ABUSE_THRESHOLD)
So, 120. The manual should reflect that.
|
|
From: Mij <mi...@ss...> - 2011-10-03 15:44:27
|
Ciao Pietro,
On Apr 27, 2011, at 23:25 , Pietro Leone wrote:
> I do not understand how logsucker works, if I do not provide any log files
> through "-l" option ssh work with defaults log files?
No, it defaults to standard input.
> I tried launching sshguard in rc.local:
>
> /usr/local/sbin/sshguard -l /var/log/authlog -l /var/log/secure
>
> How can I be sure that sshguard is working?
SSHGuard logs some messages at start-up, you can grep your logs e.g. for "Started successfully". They are all LOG_AUTH facility, which syslog typically sends to /var/log/auth*
> But sshguard does not block any address.
>
> How can I do?
For further details see http://www.sshguard.net/docs/faqs/#does-not-work .
|
|
From: Mij <mi...@ss...> - 2011-10-03 15:34:58
|
Fixed in r228, thanks for reporting! |
|
From: Mij <mi...@ss...> - 2011-10-03 15:04:58
|
Hi Paul
> I absolutely love SSH Guard: easy to configure and (until now) reliable.
Thanks!
> I configured Netfilter/iptables the following way (snippets to keep it small):
>
>
> Chain INPUT (policy DROP)
> ...
> sshguard all -- anywhere anywhere
>
> ...
>
> Chain sshguard (1 references)
> target prot opt source destination
Your chain INPUT is "policy DROP". If SSH otherwise responds on network, this means you probably have a rule above the sshguard rule going "allow SSH to everyone", making effectively irrelevant the sshguard rule.
If that is not the case, please post the full "iptables -L" output as taken right after a "Block" has been made.
|
|
From: Mij <mi...@ss...> - 2011-10-03 15:00:35
|
Hi Gilles, Thanks for reporting this. It's interesting to see cross-compilation. To which target architecture are you doing this? |
|
From: Mij <mi...@ss...> - 2011-10-03 14:54:58
|
Hi Cameos, The main reason for doing that is "KISS". SSHGuard's most common environment sees highly infrequent restarts. Having machinery to ensure addresses are re-blocked across those bring low value-to-complexity ratio. |
|
From: Mij <mi...@ss...> - 2011-10-03 14:50:29
|
> Mar 15 00:30:12 xxx sshguard[1547]: Blocking command failed. Exited: -1
> Mar 15 00:42:05 xxx sshguard[1547]: Release command failed. Exited: -1
>
> Mar 16 15:54:00 tigerwalk sshguard[1534]: While blocking blacklisted
> addresses, the firewall refused to block!
Most often this happens due to permission issues. But in your "ufw" case: have you actually performed the necessary firewall setup? See http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/
> In addition to these three error messages I can see that the software is
> correctly blacklisting several IP addresses. My question is what to do
> about the above errors?
You can get a more detailed failure description by enabling debug mode, see http://www.sshguard.net/docs/faqs/#debugging
> My system is running the 'ufw' firewall but sshguard is configured to
> use iptables.
If ufw is only a front-end to iptables, then refer to the "netfilter/iptables" docs. SSHGuard will work behind the frontend's curtain.
|
|
From: Jin C. <js...@al...> - 2011-09-16 20:58:37
|
When running sshguard for the first time with the -b flag, version 1.5 aborts immediately on OS X Lion.
This is because in process_blacklisted_addresses(), the blacklist values are sent directly to fw_block_list() without checking to see that there were any addresses found. If we are running for the first time, there will be no blacklist values in the given file. fw_block_list() in ipfw.c calls ipfwmod_buildblockcommand() which has this line:
assert(addresses[0] != NULL /* there is at least one address to block */);
A simple fix is not to call fw_block_list unless num_blacklisted > 0.
|
|
From: J.P v. O. <je...@gi...> - 2011-09-01 17:00:22
|
Hello,
On an older slackware machine with GCC 2.95.3 I get:
Making all in src
make[1]: Entering directory `/part2/downloads/sshguard-1.5/src'
make all-recursive
make[2]: Entering directory `/part2/downloads/sshguard-1.5/src'
Making all in parser
make[3]: Entering directory `/part2/downloads/sshguard-1.5/src/parser'
make all-am
make[4]: Entering directory `/part2/downloads/sshguard-1.5/src/parser'
source='attack_parser.c' object='attack_parser.o' libtool=no \
DEPDIR=.deps depmode=gcc /bin/sh ../../depcomp \
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -O2 -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -c attack_parser.c
cc1: unknown C standard `c99'
In file included from attack_parser.y:39:
../sshguard_logsuck.h:42: parse error before `filename'
../sshguard_logsuck.h:51: parse error before `buf'
make[4]: *** [attack_parser.o] Error 1
make[4]: Leaving directory `/part2/downloads/sshguard-1.5/src/parser'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/part2/downloads/sshguard-1.5/src/parser'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/part2/downloads/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/part2/downloads/sshguard-1.5/src'
make: *** [all-recursive] Error 1
Is there a way to get sshguard to run here?
Rgds....
|
|
From: <ha...@la...> - 2011-08-11 10:25:41
|
Anne C. Hanna wrote on 20110810:
> As the title says, I've been experiencing a weird phenomenon where sshguard
> blocks my IP address for several minutes after one failed password attempt.
This is funny, you have the behaviour I want and cannot get :)
Blocking for me only works after the 2nd failed password attempt.
But that must be because my sshguard version is old, maybe this is a good time to upgrade :-D
--
Hans
|
|
From: Anne C. H. <or...@ug...> - 2011-08-11 02:42:47
|
As the title says, I've been experiencing a weird phenomenon where sshguard blocks my IP address for several minutes after one failed password attempt. I was still able to log in from a different IP address. I'm using the Debian package version 1.5-3, which translates to sshguard version 1.5.0 (as indicated by "sshguard -v").
The relevant messages in my /var/log/auth.log file are:
Aug 10 21:27:21 bb sshd[532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.13 user=orion
Aug 10 21:27:23 bb sshd[532]: Failed password for orion from 192.168.1.13 port 43239 ssh2
Aug 10 21:27:23 bb sshguard[2961]: Blocking 192.168.1.13:4 for >630secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s).
When I look at the process information, I see the following:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 609 0.0 0.0 14856 1140 ? Sl 21:37 0:00 /usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log -w /etc/sshguard/whitelist -a 4 -p 420 -s 1200
As you can see, the "-a" flag has a value of 4. As far as I know my installation is vanilla and has not been manually reconfigured in any way.
On the sshguard version 1.5 manpage included with the package and located at:
http://www.sshguard.net/docs/man/sshguard/1_5/
this flag is described as "sAfety_tresh" (misspelled and miscapitalized, I'd note), and is claimed to have a default value of 40. If this value were indeed in play, I'd have to fail to log in 4 (5?) times to be locked out, since each login failure increases the dangerousness by 10.
However, I notice that on another version of the manpage, located here:
http://www.sshguard.net/docs/man/sshguard/
the "-a" flag is described as the "abuse_tresh" (still misspelled), and is claimed to have a default value of 4. This appears to be intended as a number of attacks rather than a "dangerousness" score.
It appears that somehow my default "-a" value is still set to 4 even though "-a" now represents dangerousness score rather than abuse count. I don't know if this is a problem in the Debian package or a problem in the upstream code, but I would like to know how I can fix this, seeing as how sshguard doesn't have a config file and is being automatically run on boot by its init script (in which I can't seem to figure out where the "-a" flag is being passed to the process).
Can anyone help me?
- Anne
|
|
From: Bradley G. <pi...@ma...> - 2011-08-08 07:10:11
|
Hello,
Is there a place to search the mailing list archives vs browsing them?
This is where I have looked:
http://sourceforge.net/mailarchive/forum.php?set=custom&viewmonth=&viewday=&forum_name=sshguard-users&style=ultimate&max_rows=25&submit=Change+View
My question, is it currently possible to sshguard read a list of log files from a conf file as an alternative/addition to using "-l file.log" when starting sshguard?
Reading the documentation I have found leads me to believe this is not currently possible.
Regards,
Bradley Giesbrecht (pixilla)
|
|
From: Krzysztof K. <krz...@gm...> - 2011-07-10 09:17:28
|
Hi,
I have FreeBSD 8.1
sshguard: sshguard-pf-1.5
Syslog configured like:
box1# grep ssh /etc/syslog.conf
auth.info;authpriv.info;mail.info | exec /usr/local/sbin/sshguard -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;mail.info /var/log/sshguard.log
box1#
And at /var/log/sshguard.log comunicates are like:
Jul 6 11:49:40 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
Jul 6 11:49:46 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
Jul 6 11:49:52 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
SSH blocking is working
box1# grep guard /etc/pf.conf
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard ssh bruteforce"
block in quick on $ext_if proto tcp from <sshguard> to any port 993 label "sshguard imap bruteforce"
box1#
According to:
http://www.sshguard.net/docs/reference/attack-signatures/
It should be something like:
dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1
Even when I try to login many times it always report 1 login.
Disconnected (auth failed, 1 attempts)
Any idea where can be an issue?
--
Best Regards / Pozdrawiam
Krzysztof
|
|
From: John T. Y. <joh...@fl...> - 2011-07-05 19:51:27
|
I keep getting the error "File '/var/log/secure' vanished while adding!" and similar for any log file I try to get sshguard to monitor. The log files aren't actually vanishing, they are still a few days old in each case. I'm running CentOS 5.6 64bit, if that makes a difference. Any ideas would be appreciated. Thanks, John |
|
From: Pietro L. <le...@di...> - 2011-04-27 21:25:33
|
Hallo,
I compiled sshguard 1.5 for openbsd/pf, if I follow the faq XIV it works.
I do not understand how logsucker works, if I do not provide any log files through "-l" option ssh work with defaults log files?
I tried launching sshguard in rc.local:
/usr/local/sbin/sshguard -l /var/log/authlog -l /var/log/secure
How can I be sure that sshguard is working?
I have several failed login attempts in authlog:
Apr 27 19:17:27 hagane sshd[21459]: Failed password for invalid user abagnale from 219.235.240.36 port 38991 ssh2
Apr 27 19:29:39 hagane sshd[1762]: Failed password for invalid user abagnato from 219.235.240.36 port 48869 ssh2
Apr 27 19:40:50 hagane sshd[3422]: Failed password for invalid user abatantuono from 219.235.240.36 port 55981 ssh2
Apr 27 19:46:41 hagane sshd[11022]: Failed password for invalid user abate from 219.235.240.36 port 55755 ssh2
Apr 27 19:53:57 hagane sshd[28135]: Failed password for invalid user abatecola from 219.235.240.36 port 55147 ssh2
Apr 27 20:06:03 hagane sshd[27095]: Failed password for invalid user abategiovanni from 219.235.240.36 port 44748 ssh2
Apr 27 20:12:07 hagane sshd[16368]: Failed password for invalid user abatematteo from 219.235.240.36 port 49032 ssh2
Apr 27 20:16:55 hagane sshd[4722]: Failed password for invalid user abaterusso from 219.235.240.36 port 43805 ssh2
Apr 27 20:30:11 hagane sshd[2364]: Failed password for invalid user abati from 219.235.240.36 port 60845 ssh2
Apr 27 20:42:19 hagane sshd[7750]: Failed password for invalid user abatiscianni from 219.235.240.36 port 48578 ssh2
Apr 27 21:00:14 hagane sshd[30122]: Failed password for invalid user abbagnale from 219.235.240.36 port 45965 ssh2
Apr 27 21:06:14 hagane sshd[12398]: Failed password for invalid user abbagnato from 219.235.240.36 port 39866 ssh2
Apr 27 21:10:57 hagane sshd[30242]: Failed password for invalid user abbandonati from 219.235.240.36 port 55473 ssh2
Apr 27 21:18:13 hagane sshd[22701]: Failed password for invalid user abbandonato from 219.235.240.36 port 38085 ssh2
Apr 27 22:00:03 hagane sshd[12126]: Failed password for invalid user abbategiovanni from 219.235.240.36 port 59464 ssh2
Apr 27 22:04:47 hagane sshd[759]: Failed password for invalid user abbatelli from 219.235.240.36 port 44074 ssh2
Apr 27 22:10:47 hagane sshd[20150]: Failed password for invalid user abbatematteo from 219.235.240.36 port 50982 ssh2
Apr 27 22:16:49 hagane sshd[6395]: Failed password for invalid user abbaterusso from 219.235.240.36 port 49205 ssh2
Apr 27 22:22:46 hagane sshd[18708]: Failed password for invalid user abbatescianna from 219.235.240.36 port 60744 ssh2
Apr 27 22:30:06 hagane sshd[25634]: Failed password for invalid user abbatescianni from 219.235.240.36 port 40206 ssh2
Apr 27 22:36:08 hagane sshd[17098]: Failed password for invalid user abbati from 219.235.240.36 port 49051 ssh2
Apr 27 22:42:09 hagane sshd[8535]: Failed password for invalid user abbaticola from 219.235.240.36 port 44652 ssh2
Apr 27 22:48:12 hagane sshd[8188]: Failed password for invalid user abbatiscianni from 219.235.240.36 port 54250 ssh2
Apr 27 22:54:13 hagane sshd[7680]: Failed password for invalid user abbellito from 219.235.240.36 port 43753 ssh2
Apr 27 22:59:00 hagane sshd[29030]: Failed password for invalid user abbiate from 219.235.240.36 port 48461 ssh2
Apr 27 23:05:07 hagane sshd[27663]: Failed password for invalid user abbiati from 219.235.240.36 port 36606 ssh2
Apr 27 23:11:10 hagane sshd[11346]: Failed password for invalid user abbiento from 219.235.240.36 port 47709 ssh2
Apr 27 23:18:25 hagane sshd[16162]: Failed password for invalid user abbisogni from 219.235.240.36 port 38409 ssh2
But sshguard does not block any address.
How can I do?
Thanks,
Pietro.
|
|
From: Andy W. <aj...@il...> - 2011-04-08 12:16:20
|
Hi,
I've enabled sshguard using tcpwrappers. It seems there is something wrong with how the temp file for modifying hosts.allow is created:
ls -l /etc/hosts.allow
-rw-rw-rw- 1 root root 574 Apr 7 16:30 /etc/hosts.allow
I don't think hosts.allow should become world writable.
--
andy wettstein
unix administrator
department of physics
university of illinois at urbana-champaign
|
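The listing in the post above shows hosts.allow ending up with mode 0666. As an added example (not sshguard's code, and not a diagnosis of its bug), the C below contrasts one common way a rewrite-via-temp-file ends up world-writable, fopen() under a cleared umask, with a mkstemp()-based replacement that sets the final mode explicitly and strips group/other write bits. The function names, the cleared umask, the scratch path and the sample rule are assumptions constructed for the illustration.

```c
#define _XOPEN_SOURCE 700            /* mkstemp, mkdtemp, fchmod, fsync */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (illustration only, not sshguard's code): a predictable temp
 * name created with fopen(), whose mode is 0666 & ~umask. */
int naive_rewrite(const char *path, const char *content)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *f = fopen(tmp, "w");
    if (f == NULL)
        return -1;
    fputs(content, f);
    fclose(f);
    return rename(tmp, path);
}

/* Hardened pattern: mkstemp() creates the temp file 0600 with O_EXCL, the
 * final mode is set explicitly, and rename() swaps it in atomically. */
int safe_rewrite(const char *path, const char *content)
{
    struct stat st;
    char tmp[4096];
    mode_t mode = 0644;                       /* used when path is new */
    size_t len = strlen(content);
    if (stat(path, &st) == 0)                 /* keep mode, minus g/o write */
        mode = st.st_mode & 0777 & ~(mode_t)(S_IWGRP | S_IWOTH);
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    if (write(fd, content, len) != (ssize_t)len ||
        fchmod(fd, mode) != 0 || fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    if (rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

static mode_t mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : 0;
}

/* Runs both variants on a scratch file under umask 0 and reports the modes. */
int compare_modes(mode_t *naive_mode, mode_t *safe_mode)
{
    char dir[] = "/tmp/hostsallowXXXXXX";
    char path[64];
    const char *rule = "ALL : 192.0.2.7 : DENY\n";   /* constructed sample */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/hosts.allow", dir);
    mode_t saved = umask(0);                  /* assumed daemon-style umask */
    int rc = naive_rewrite(path, rule);
    *naive_mode = mode_of(path);
    rc |= safe_rewrite(path, rule);
    *safe_mode = mode_of(path);
    umask(saved);
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    mode_t n = 0, s = 0;
    int rc = compare_modes(&n, &s);
    printf("naive: %04o  hardened: %04o\n", (unsigned)n, (unsigned)s);
    return rc != 0;
}
```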
|
From: Gilles G. <gil...@fr...> - 2011-04-07 11:41:22
|
In case someone has the same issue when cross-compiling SSHGuard, the solution is to pass the following parameter: ./configure ac_cv_func_malloc_0_nonnull=yes ... |
|
From: Gilles G. <gil...@fr...> - 2011-04-04 14:38:13
|
Hello
I'm no C guru but did manage to cross-compile other applications. However, compiling Sshguard 1.5 (on Ubuntu 10.04.2) fails after successfully running configure:
=============
/usr/src/sshguard-1.5# ./configure --with-firewall=iptables --host=bfin-linux-uclibc CC=/usr/src/baps/opt/uClinux/bfin-linux-uclibc/bin/bfin-linux-uclibc-gcc CFLAGS="-O2 -Wall -ansi -pedantic -I/usr/src/baps/uClinux-dist/linux-2.6.x/include -I/usr/src/baps/uClinux-dist/staging/usr/include"
/usr/src/sshguard-1.5# make
Making all in src
make[1]: Entering directory `/usr/src/sshguard-1.5/src'
make all-recursive
make[2]: Entering directory `/usr/src/sshguard-1.5/src'
Making all in parser
make[3]: Entering directory `/usr/src/sshguard-1.5/src/parser'
make all-am
make[4]: Entering directory `/usr/src/sshguard-1.5/src/parser'
/usr/src/baps/opt/uClinux/bfin-linux-uclibc/bin/bfin-linux-uclibc-gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -O2 -std=c99 -D_POSIX_C_SOURCE=200112L -O2 -Wall -ansi -pedantic -I/usr/src/baps/uClinux-dist/linux-2.6.x/include -I/usr/src/baps/uClinux-dist/staging/usr/include -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
In file included from attack_parser.y:39:
../sshguard_logsuck.h:42: error: expected ‘;’, ‘,’ or ‘)’ before ‘filename’
../sshguard_logsuck.h:51: error: expected ‘;’, ‘,’ or ‘)’ before ‘buf’
make[4]: *** [attack_parser.o] Error 1
make[4]: Leaving directory `/usr/src/sshguard-1.5/src/parser'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/usr/src/sshguard-1.5/src/parser'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/sshguard-1.5/src'
make: *** [all-recursive] Error 1
=============
Any idea why "make" fails?
Thank you for any help.
|
|
From: Peter <ssh...@pa...> - 2011-03-31 07:59:20
|
Hello,
Who can help me out? Version 1.4 compiles fine but 1.5 has the following error:
make[3]: Entering directory `/second/downloads/sshguard-1.5/src/fwalls'
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
In file included from command.c:35:
../sshguard_fw.h:88: error: invalid use of `restrict'
command.c:62: error: invalid use of `restrict'
make[3]: *** [command.o] Error 1
make[3]: Leaving directory `/second/downloads/sshguard-1.5/src/fwalls'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/second/downloads/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/second/downloads/sshguard-1.5/src'
make: *** [all-recursive] Error 1
gcc -v
Reading specs from /usr/lib/gcc-lib/i486-slackware-linux/3.3.4/specs
Configured with: ../gcc-3.3.4/configure --prefix=/usr --enable-shared --enable-threads=posix --enable-__cxa_atexit --disable-checking --with-gnu-ld --verbose --target=i486-slackware-linux --host=i486-slackware-linux
Thread model: posix
gcc version 3.3.4
Chrs...
|
|
From: El T. <ca...@gm...> - 2011-03-24 20:08:04
|
Hi, Any good reason for not saving/restoring limbo/hell/offenders lists in between sessions of sshguard? I modified my source code to save these lists in finishup(), and load them in main() (just before calling sshguard_log_init()) then block every addrs in hell list before creating pardonBlocked thread, it seems working fine. Now when I restart the system, or restart the sshguard service, these offenders' addrs are remembered. the simclist module already has list_dump_file()/list_restore_file() and sshguard_blacklist is using them. Thanks, cameos |
|
From: Skully <sk...@ha...> - 2011-03-17 02:31:23
|
I've recently installed sshguard and I've been watching my 'auth.log' file. I see the following error messages from sshguard:
Mar 15 00:30:12 xxx sshguard[1547]: Blocking command failed. Exited: -1
Mar 15 00:42:05 xxx sshguard[1547]: Release command failed. Exited: -1
,,,
Mar 16 15:54:00 tigerwalk sshguard[1534]: While blocking blacklisted addresses, the firewall refused to block!
In addition to these three error messages I can see that the software is correctly blacklisting several IP addresses. My question is what to do about the above errors?
My system is running the 'ufw' firewall but sshguard is configured to use iptables.
Thanks
|