From: Mij <mi...@ss...> - 2011-10-03 15:34:58

Fixed in r228, thanks for reporting!
From: Mij <mi...@ss...> - 2011-10-03 15:04:58

Hi Paul

> I absolutely love SSH Guard: easy to configure and (until now) reliable.

Thanks!

> I configured Netfilter/iptables the following way (snippets to keep it small):
>
>
> Chain INPUT (policy DROP)
> ...
> sshguard all -- anywhere anywhere
>
> ...
>
> Chain sshguard (1 references)
> target prot opt source destination

Your chain INPUT is "policy DROP". If SSH otherwise responds on the network, this means you probably have a rule above the sshguard rule going "allow SSH to everyone", making the sshguard rule effectively irrelevant. If that is not the case, please post the full "iptables -L" output as taken right after a "Block" has been made.
From: Mij <mi...@ss...> - 2011-10-03 15:00:35

Hi Gilles,

Thanks for reporting this. It's interesting to see cross-compilation. To which target architecture are you doing this?
From: Mij <mi...@ss...> - 2011-10-03 14:54:58

Hi Cameos,

The main reason for doing that is "KISS". SSHGuard's most common environment sees highly infrequent restarts. Having machinery to ensure addresses are re-blocked across those brings a low value-to-complexity ratio.
From: Mij <mi...@ss...> - 2011-10-03 14:50:29

> Mar 15 00:30:12 xxx sshguard[1547]: Blocking command failed. Exited: -1
> Mar 15 00:42:05 xxx sshguard[1547]: Release command failed. Exited: -1
>
> Mar 16 15:54:00 tigerwalk sshguard[1534]: While blocking blacklisted
> addresses, the firewall refused to block!

Most often this happens due to permission issues. But in your "ufw" case: have you actually performed the necessary firewall setup? See http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/

> In addition to these three error messages I can see that the software is
> correctly blacklisting several IP addresses. My question is what to do
> about the above errors?

You can get a more detailed failure description by enabling debug mode, see http://www.sshguard.net/docs/faqs/#debugging

> My system is running the 'ufw' firewall but sshguard is configured to
> use iptables.

If ufw is only a front-end to iptables, then refer to the "netfilter/iptables" docs. SSHGuard will work behind the frontend's curtain.
From: Jin C. <js...@al...> - 2011-09-16 20:58:37

When running sshguard for the first time with the -b flag, version 1.5 aborts immediately on OS X Lion. This is because in process_blacklisted_addresses(), the blacklist values are sent directly to fw_block_list() without checking to see that there were any addresses found. If we are running for the first time, there will be no blacklist values in the given file. fw_block_list() in ipfw.c calls ipfwmod_buildblockcommand() which has this line:

    assert(addresses[0] != NULL /* there is at least one address to block */);

A simple fix is not to call fw_block_list() unless num_blacklisted > 0.
From: J.P v. O. <je...@gi...> - 2011-09-01 17:00:22

Hello,

On an older Slackware machine with GCC 2.95.3 I get:

Making all in src
make[1]: Entering directory `/part2/downloads/sshguard-1.5/src'
make all-recursive
make[2]: Entering directory `/part2/downloads/sshguard-1.5/src'
Making all in parser
make[3]: Entering directory `/part2/downloads/sshguard-1.5/src/parser'
make all-am
make[4]: Entering directory `/part2/downloads/sshguard-1.5/src/parser'
source='attack_parser.c' object='attack_parser.o' libtool=no \
DEPDIR=.deps depmode=gcc /bin/sh ../../depcomp \
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -O2 -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -c attack_parser.c
cc1: unknown C standard `c99'
In file included from attack_parser.y:39:
../sshguard_logsuck.h:42: parse error before `filename'
../sshguard_logsuck.h:51: parse error before `buf'
make[4]: *** [attack_parser.o] Error 1
make[4]: Leaving directory `/part2/downloads/sshguard-1.5/src/parser'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/part2/downloads/sshguard-1.5/src/parser'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/part2/downloads/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/part2/downloads/sshguard-1.5/src'
make: *** [all-recursive] Error 1

Is there a way to get sshguard to run here?

Rgds....
From: <ha...@la...> - 2011-08-11 10:25:41

Anne C. Hanna wrote on 20110810:
> As the title says, I've been experiencing a weird phenomenon where sshguard
> blocks my IP address for several minutes after one failed password attempt.

This is funny, you have the behaviour I want and cannot get :) Blocking for me only works after the 2nd failed password attempt. But that must be because my sshguard version is old, maybe this is a good time to upgrade :-D

--
Hans
From: Anne C. H. <or...@ug...> - 2011-08-11 02:42:47

As the title says, I've been experiencing a weird phenomenon where sshguard blocks my IP address for several minutes after one failed password attempt. I was still able to log in from a different IP address. I'm using the Debian package version 1.5-3, which translates to sshguard version 1.5.0 (as indicated by "sshguard -v"). The relevant messages in my /var/log/auth.log file are:

Aug 10 21:27:21 bb sshd[532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.13 user=orion
Aug 10 21:27:23 bb sshd[532]: Failed password for orion from 192.168.1.13 port 43239 ssh2
Aug 10 21:27:23 bb sshguard[2961]: Blocking 192.168.1.13:4 for >630secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s).

When I look at the process information, I see the following:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 609 0.0 0.0 14856 1140 ? Sl 21:37 0:00 /usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log -w /etc/sshguard/whitelist -a 4 -p 420 -s 1200

As you can see, the "-a" flag has a value of 4. As far as I know my installation is vanilla and has not been manually reconfigured in any way. On the sshguard version 1.5 manpage included with the package and located at:

http://www.sshguard.net/docs/man/sshguard/1_5/

this flag is described as "sAfety_tresh" (misspelled and miscapitalized, I'd note), and is claimed to have a default value of 40. If this value were indeed in play, I'd have to fail to log in 4 (5?) times to be locked out, since each login failure increases the dangerousness by 10. However, I notice that on another version of the manpage, located here:

http://www.sshguard.net/docs/man/sshguard/

the "-a" flag is described as the "abuse_tresh" (still misspelled), and is claimed to have a default value of 4. This appears to be intended as a number of attacks rather than a "dangerousness" score.

It appears that somehow my default "-a" value is still set to 4 even though "-a" now represents a dangerousness score rather than an abuse count. I don't know if this is a problem in the Debian package or a problem in the upstream code, but I would like to know how I can fix this, seeing as how sshguard doesn't have a config file and is being automatically run on boot by its init script (in which I can't seem to figure out where the "-a" flag is being passed to the process). Can anyone help me?

- Anne
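As an added example (my own code, not from this thread or the sshguard project), a small checker that reads the -a value from the running sshguard command line and compares each "Blocking" line in auth.log against it, read as a danger score; it assumes, as the post above does, that every failed login adds 10 danger. The sample log lines and command line are constructed after the ones quoted in the post.

```python
import math
import re
import shlex

# Constructed sample input, modelled on the lines quoted in this thread (not copied
# from any live system): one sshd failure, the Blocking line that followed it, and a
# second Blocking line of the shape a default-threshold install produces.
SAMPLE_LOG = """\
Aug 10 21:27:23 bb sshd[532]: Failed password for orion from 192.168.1.13 port 43239 ssh2
Aug 10 21:27:23 bb sshguard[2961]: Blocking 192.168.1.13:4 for >630secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s).
Feb 19 02:02:06 localhost sshguard[2820]: Blocking 59.50.36.46:4 for >945secs: 40 danger in 4 attacks over 9 seconds (all: 80d in 2 abuses over 651s).
"""
# The command line as ps showed it in the post above.
SAMPLE_CMDLINE = ("/usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log "
                  "-w /etc/sshguard/whitelist -a 4 -p 420 -s 1200")

DANGER_PER_ATTACK = 10  # each failed login adds 10 danger, as the post states

BLOCK_RE = re.compile(
    r"sshguard\[\d+\]: Blocking (?P<addr>[0-9A-Fa-f.:]+):(?P<af>\d+) for >(?P<secs>\d+)secs: "
    r"(?P<danger>\d+) danger in (?P<attacks>\d+) attacks over (?P<span>\d+) seconds"
)


def parse_block_line(line):
    """Return the fields of an sshguard 'Blocking ...' line as a dict, or None for any other line."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("af", "secs", "danger", "attacks", "span"):
        fields[key] = int(fields[key])
    return fields


def threshold_from_cmdline(cmdline):
    """Extract the value given to -a on a running sshguard command line (None if absent)."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args[:-1]):
        if arg == "-a":
            return int(args[i + 1])
    return None


def attacks_needed(thresh):
    """Failed logins needed before accumulated danger reaches a danger-score threshold."""
    return max(1, math.ceil(thresh / DANGER_PER_ATTACK))


def audit(log_text, thresh):
    """Check each Blocking line against thresh read as a danger score.

    verdict 'as-configured': the block fired after exactly the number of attacks
    the threshold predicts; 'mismatch': the daemon that wrote the line was running
    with a different effective threshold."""
    expected = attacks_needed(thresh)
    findings = []
    for line in log_text.splitlines():
        block = parse_block_line(line)
        if block is None:
            continue
        findings.append({
            "addr": block["addr"],
            "danger": block["danger"],
            "attacks": block["attacks"],
            "expected_attacks": expected,
            "verdict": "as-configured" if block["attacks"] == expected else "mismatch",
            "single_failure_block": block["attacks"] == 1,
        })
    return findings


if __name__ == "__main__":
    thresh = threshold_from_cmdline(SAMPLE_CMDLINE)
    print(f"-a {thresh}: a block is expected after {attacks_needed(thresh)} failed login(s)")
    for finding in audit(SAMPLE_LOG, thresh):
        print(finding)
```

With -a 4 the first line comes out "as-configured" with a single-failure block, which is exactly the symptom described; with the documented default of 40 the same line is a mismatch.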
From: Bradley G. <pi...@ma...> - 2011-08-08 07:10:11

Hello,

Is there a place to search the mailing list archives vs browsing them? This is where I have looked:

http://sourceforge.net/mailarchive/forum.php?set=custom&viewmonth=&viewday=&forum_name=sshguard-users&style=ultimate&max_rows=25&submit=Change+View

My question: is it currently possible for sshguard to read a list of log files from a conf file as an alternative/addition to using "-l file.log" when starting sshguard? Reading the documentation I have found leads me to believe this is not currently possible.

Regards,
Bradley Giesbrecht (pixilla)
From: Krzysztof K. <krz...@gm...> - 2011-07-10 09:17:28

Hi,

I have FreeBSD 8.1
sshguard: sshguard-pf-1.5

Syslog configured like:

box1# grep ssh /etc/syslog.conf
auth.info;authpriv.info;mail.info | exec /usr/local/sbin/sshguard -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;mail.info /var/log/sshguard.log
box1#

And at /var/log/sshguard.log the messages are like:

Jul 6 11:49:40 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
Jul 6 11:49:46 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
Jul 6 11:49:52 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS

SSH blocking is working

box1# grep guard /etc/pf.conf
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard ssh bruteforce"
block in quick on $ext_if proto tcp from <sshguard> to any port 993 label "sshguard imap bruteforce"
box1#

According to:
http://www.sshguard.net/docs/reference/attack-signatures/

It should be something like:

dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

Even when I try to log in many times it always reports 1 login:

Disconnected (auth failed, 1 attempts)

Any idea where the issue can be?

--
Best Regards / Pozdrawiam
Krzysztof
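To make the mismatch in the post above concrete, here is an added example (my own approximation of the documented dovecot signature as a regex, not sshguard's actual scanner rule) run over lines constructed in the shape the FreeBSD box logged; it also shows what a widened signature would have to accept. The documented sample is taken from the post, with "dovecot default" treated as a table label rather than part of the line.

```python
import re
from collections import Counter

# Shape of the dovecot signature documented on the sshguard attack-signatures page,
# as quoted in the post above ("dovecot default" there is a table label, not log text):
DOCUMENTED_SAMPLE = "imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1"

# Constructed lines in the shape the FreeBSD box logged: same remote IP, three
# separate connections, each reported as "1 attempts" (lip is a documentation address).
OBSERVED_LINES = [
    "Jul  6 11:49:40 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=192.0.2.10, TLS",
    "Jul  6 11:49:46 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=192.0.2.10, TLS",
    "Jul  6 11:49:52 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=192.0.2.10, TLS",
]

IPV4 = r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3})"

# My approximation of the documented signature: only "Aborted login" qualifies.
DOCUMENTED_RE = re.compile(
    r"imap-login: Aborted login \(auth failed, \d+ attempts\):.*?\brip=" + IPV4)

# Widened form that also accepts the "Disconnected" wording this dovecot version emits.
WIDENED_RE = re.compile(
    r"imap-login: (?:Aborted login|Disconnected) \(auth failed, \d+ attempts\):.*?\brip=" + IPV4)


def attacker_ip(line, pattern=DOCUMENTED_RE):
    """Remote IP of a failed IMAP login if the line matches the signature, else None."""
    m = pattern.search(line)
    return m.group("rip") if m else None


def failures_by_ip(lines, pattern=DOCUMENTED_RE):
    """Count matching failed logins per remote IP.

    An empty result means no line would ever be counted against any attacker
    under that signature, which is why the pf table never fills up."""
    counts = Counter()
    for line in lines:
        ip = attacker_ip(line, pattern)
        if ip:
            counts[ip] += 1
    return dict(counts)


def unmatched(lines, pattern=DOCUMENTED_RE):
    """Lines that are clearly dovecot auth failures yet slip past the signature."""
    return [line for line in lines
            if "auth failed" in line and attacker_ip(line, pattern) is None]


if __name__ == "__main__":
    print("documented signature:", failures_by_ip(OBSERVED_LINES))
    print("widened signature:   ", failures_by_ip(OBSERVED_LINES, WIDENED_RE))
    for line in unmatched(OBSERVED_LINES):
        print("not matched:", line)
```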
From: John T. Y. <joh...@fl...> - 2011-07-05 19:51:27

I keep getting the error "File '/var/log/secure' vanished while adding!" and similar for any log file I try to get sshguard to monitor. The log files aren't actually vanishing, they are still a few days old in each case. I'm running CentOS 5.6 64bit, if that makes a difference. Any ideas would be appreciated.

Thanks,
John
From: Pietro L. <le...@di...> - 2011-04-27 21:25:33

Hallo,

I compiled sshguard 1.5 for openbsd/pf; if I follow FAQ XIV it works. I do not understand how logsucker works: if I do not provide any log files through the "-l" option, does sshguard work with the default log files? I tried launching sshguard in rc.local:

/usr/local/sbin/sshguard -l /var/log/authlog -l /var/log/secure

How can I be sure that sshguard is working? I have several failed login attempts in authlog:

Apr 27 19:17:27 hagane sshd[21459]: Failed password for invalid user abagnale from 219.235.240.36 port 38991 ssh2
Apr 27 19:29:39 hagane sshd[1762]: Failed password for invalid user abagnato from 219.235.240.36 port 48869 ssh2
Apr 27 19:40:50 hagane sshd[3422]: Failed password for invalid user abatantuono from 219.235.240.36 port 55981 ssh2
Apr 27 19:46:41 hagane sshd[11022]: Failed password for invalid user abate from 219.235.240.36 port 55755 ssh2
Apr 27 19:53:57 hagane sshd[28135]: Failed password for invalid user abatecola from 219.235.240.36 port 55147 ssh2
Apr 27 20:06:03 hagane sshd[27095]: Failed password for invalid user abategiovanni from 219.235.240.36 port 44748 ssh2
Apr 27 20:12:07 hagane sshd[16368]: Failed password for invalid user abatematteo from 219.235.240.36 port 49032 ssh2
Apr 27 20:16:55 hagane sshd[4722]: Failed password for invalid user abaterusso from 219.235.240.36 port 43805 ssh2
Apr 27 20:30:11 hagane sshd[2364]: Failed password for invalid user abati from 219.235.240.36 port 60845 ssh2
Apr 27 20:42:19 hagane sshd[7750]: Failed password for invalid user abatiscianni from 219.235.240.36 port 48578 ssh2
Apr 27 21:00:14 hagane sshd[30122]: Failed password for invalid user abbagnale from 219.235.240.36 port 45965 ssh2
Apr 27 21:06:14 hagane sshd[12398]: Failed password for invalid user abbagnato from 219.235.240.36 port 39866 ssh2
Apr 27 21:10:57 hagane sshd[30242]: Failed password for invalid user abbandonati from 219.235.240.36 port 55473 ssh2
Apr 27 21:18:13 hagane sshd[22701]: Failed password for invalid user abbandonato from 219.235.240.36 port 38085 ssh2
Apr 27 22:00:03 hagane sshd[12126]: Failed password for invalid user abbategiovanni from 219.235.240.36 port 59464 ssh2
Apr 27 22:04:47 hagane sshd[759]: Failed password for invalid user abbatelli from 219.235.240.36 port 44074 ssh2
Apr 27 22:10:47 hagane sshd[20150]: Failed password for invalid user abbatematteo from 219.235.240.36 port 50982 ssh2
Apr 27 22:16:49 hagane sshd[6395]: Failed password for invalid user abbaterusso from 219.235.240.36 port 49205 ssh2
Apr 27 22:22:46 hagane sshd[18708]: Failed password for invalid user abbatescianna from 219.235.240.36 port 60744 ssh2
Apr 27 22:30:06 hagane sshd[25634]: Failed password for invalid user abbatescianni from 219.235.240.36 port 40206 ssh2
Apr 27 22:36:08 hagane sshd[17098]: Failed password for invalid user abbati from 219.235.240.36 port 49051 ssh2
Apr 27 22:42:09 hagane sshd[8535]: Failed password for invalid user abbaticola from 219.235.240.36 port 44652 ssh2
Apr 27 22:48:12 hagane sshd[8188]: Failed password for invalid user abbatiscianni from 219.235.240.36 port 54250 ssh2
Apr 27 22:54:13 hagane sshd[7680]: Failed password for invalid user abbellito from 219.235.240.36 port 43753 ssh2
Apr 27 22:59:00 hagane sshd[29030]: Failed password for invalid user abbiate from 219.235.240.36 port 48461 ssh2
Apr 27 23:05:07 hagane sshd[27663]: Failed password for invalid user abbiati from 219.235.240.36 port 36606 ssh2
Apr 27 23:11:10 hagane sshd[11346]: Failed password for invalid user abbiento from 219.235.240.36 port 47709 ssh2
Apr 27 23:18:25 hagane sshd[16162]: Failed password for invalid user abbisogni from 219.235.240.36 port 38409 ssh2

But sshguard does not block any address. What can I do?

Thanks,
Pietro.
From: Andy W. <aj...@il...> - 2011-04-08 12:16:20

Hi,

I've enabled sshguard using tcpwrappers. It seems there is something wrong with how the temp file for modifying hosts.allow is created:

ls -l /etc/hosts.allow
-rw-rw-rw- 1 root root 574 Apr 7 16:30 /etc/hosts.allow

I don't think hosts.allow should become world writable.

--
andy wettstein
unix administrator
department of physics
university of illinois at urbana-champaign
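As an added illustration (my own code, not sshguard's hosts.allow backend), the scratch-file-and-rename pattern that avoids the world-writable result reported above: mkstemp() creates the scratch copy 0600 in the target's own directory, the final mode is set explicitly, and the rename is atomic. The demo works on a throwaway copy in a temporary directory; the hosts.allow entries in it are constructed samples.

```python
import os
import stat
import tempfile


def is_world_writable(path):
    """True when the 'other' write bit is set, i.e. the -rw-rw-rw- state the post reports."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def replace_file_safely(path, new_contents, mode=0o644):
    """Atomically replace path with new_contents without ever exposing a writable copy.

    mkstemp() creates the scratch file 0600 in the target's directory regardless of
    umask; the final mode is set explicitly before the rename, and rename is atomic,
    so readers of path see either the old file or the finished new one, never a
    half-written or world-writable intermediate. Returns the resulting permission bits."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".hosts.allow.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_contents)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)    # explicit: never rely on umask or on a caller's creat() flags
        os.replace(tmp, path)  # atomic rename over the target
    except BaseException:
        try:
            os.unlink(tmp)     # do not leave the scratch copy behind on failure
        except OSError:
            pass
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Recreate the reported bad state on a throwaway copy, rewrite it, and return
    (world_writable_before, mode_after, world_writable_after)."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "hosts.allow")
    with open(target, "w") as fh:
        fh.write("sshd : ALL : allow\n")            # constructed sample entry
    os.chmod(target, 0o666)                         # the -rw-rw-rw- state from the post
    before = is_world_writable(target)
    # constructed sample rewrite: a deny entry for a documentation address
    mode_after = replace_file_safely(target, "sshd : 192.0.2.1 : deny\nsshd : ALL : allow\n")
    after = is_world_writable(target)
    return before, mode_after, after


if __name__ == "__main__":
    print(demo())
```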
From: Gilles G. <gil...@fr...> - 2011-04-07 11:41:22

In case someone has the same issue when cross-compiling SSHGuard, the solution is to pass the following parameter:

./configure ac_cv_func_malloc_0_nonnull=yes ...
From: Gilles G. <gil...@fr...> - 2011-04-04 14:38:13

Hello

I'm no C guru but did manage to cross-compile other applications. However, compiling Sshguard 1.5 (on Ubuntu 10.04.2) fails after successfully running configure:

=============
/usr/src/sshguard-1.5# ./configure --with-firewall=iptables --host=bfin-linux-uclibc CC=/usr/src/baps/opt/uClinux/bfin-linux-uclibc/bin/bfin-linux-uclibc-gcc CFLAGS="-O2 -Wall -ansi -pedantic -I/usr/src/baps/uClinux-dist/linux-2.6.x/include -I/usr/src/baps/uClinux-dist/staging/usr/include"

/usr/src/sshguard-1.5# make
Making all in src
make[1]: Entering directory `/usr/src/sshguard-1.5/src'
make all-recursive
make[2]: Entering directory `/usr/src/sshguard-1.5/src'
Making all in parser
make[3]: Entering directory `/usr/src/sshguard-1.5/src/parser'
make all-am
make[4]: Entering directory `/usr/src/sshguard-1.5/src/parser'
/usr/src/baps/opt/uClinux/bfin-linux-uclibc/bin/bfin-linux-uclibc-gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -O2 -std=c99 -D_POSIX_C_SOURCE=200112L -O2 -Wall -ansi -pedantic -I/usr/src/baps/uClinux-dist/linux-2.6.x/include -I/usr/src/baps/uClinux-dist/staging/usr/include -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
In file included from attack_parser.y:39:
../sshguard_logsuck.h:42: error: expected ‘;’, ‘,’ or ‘)’ before ‘filename’
../sshguard_logsuck.h:51: error: expected ‘;’, ‘,’ or ‘)’ before ‘buf’
make[4]: *** [attack_parser.o] Error 1
make[4]: Leaving directory `/usr/src/sshguard-1.5/src/parser'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/usr/src/sshguard-1.5/src/parser'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/src/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/sshguard-1.5/src'
make: *** [all-recursive] Error 1
=============

Any idea why "make" fails?

Thank you for any help.
From: Peter <ssh...@pa...> - 2011-03-31 07:59:20

Hello,

Who can help me out? Version 1.4 compiles fine but 1.5 has the following error:

make[3]: Entering directory `/second/downloads/sshguard-1.5/src/fwalls'
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
In file included from command.c:35:
../sshguard_fw.h:88: error: invalid use of `restrict'
command.c:62: error: invalid use of `restrict'
make[3]: *** [command.o] Error 1
make[3]: Leaving directory `/second/downloads/sshguard-1.5/src/fwalls'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/second/downloads/sshguard-1.5/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/second/downloads/sshguard-1.5/src'
make: *** [all-recursive] Error 1

gcc -v
Reading specs from /usr/lib/gcc-lib/i486-slackware-linux/3.3.4/specs
Configured with: ../gcc-3.3.4/configure --prefix=/usr --enable-shared --enable-threads=posix --enable-__cxa_atexit --disable-checking --with-gnu-ld --verbose --target=i486-slackware-linux --host=i486-slackware-linux
Thread model: posix
gcc version 3.3.4

Chrs...
From: El T. <ca...@gm...> - 2011-03-24 20:08:04

Hi,

Any good reason for not saving/restoring the limbo/hell/offenders lists in between sessions of sshguard?

I modified my source code to save these lists in finishup(), and load them in main() (just before calling sshguard_log_init()), then block every addr in the hell list before creating the pardonBlocked thread. It seems to be working fine. Now when I restart the system, or restart the sshguard service, these offenders' addrs are remembered.

The simclist module already has list_dump_file()/list_restore_file() and sshguard_blacklist is using them.

Thanks,
cameos
From: Skully <sk...@ha...> - 2011-03-17 02:31:23

I've recently installed sshguard and I've been watching my 'auth.log' file. I see the following error messages from sshguard:

Mar 15 00:30:12 xxx sshguard[1547]: Blocking command failed. Exited: -1
Mar 15 00:42:05 xxx sshguard[1547]: Release command failed. Exited: -1
...
Mar 16 15:54:00 tigerwalk sshguard[1534]: While blocking blacklisted addresses, the firewall refused to block!

In addition to these three error messages I can see that the software is correctly blacklisting several IP addresses. My question is what to do about the above errors?

My system is running the 'ufw' firewall but sshguard is configured to use iptables.

Thanks
From: Paul E. <hi...@pa...> - 2011-02-19 12:39:47

Hi SSH Guard community,

I absolutely love SSH Guard: easy to configure and (until now) reliable. But there's a problem coming up: SSH Guard has problems blocking attackers but isn't throwing any errors.

I configured Netfilter/iptables the following way (snippets to keep it small):

Chain INPUT (policy DROP)
...
sshguard all -- anywhere anywhere
...

Chain sshguard (1 references)
target prot opt source destination

This is what /var/log/auth.log looks like (this is just a small attack to keep it clean):

(195 more (unblocked) brute-force attacks above)
Feb 19 02:02:06 localhost sshd[7575]: Invalid user weblogic from 59.50.36.46
Feb 19 02:02:06 localhost sshguard[2820]: Blocking 59.50.36.46:4 for >945secs: 40 danger in 4 attacks over 9 seconds (all: 80d in 2 abuses over 651s).
Feb 19 02:02:08 localhost sshd[7578]: Invalid user ircd from 59.50.36.46
(Attacker stopped 150 attacks later)

As you can see, SSH Guard tries to block the attacker but isn't printing out any errors. The attacker is still able to attack. Is there anything I am missing? Something I can try?

Thanks for your help! :)

Regards
Paul Engstler
Designer, Developer and Student.
From: Joe G. <jg...@ns...> - 2011-01-27 22:37:38

> Your logs seem to say that sshguard is not receiving those messages.
>
> Please try out the following possibilities:
>
> 1) replace "|/usr/local/sbin/sshguard" with "|exec /usr/local/sbin/sshguard" in syslog.conf (and reload)

I just checked, both will work, with or without additional arguments/parameters to sshguard, on a FreeBSD 8.1R box.

> 2) if you still see nothing, replace "|/usr/local/sbin/sshguard" with "|tee -a /tmp/myfile | /usr/local/sbin/sshguard" (and reload) then see with "tail -F /tmp/myfile" if log entries are actually received.

That's probably the best advice; see what's happening to the data.

Here, sshguard was one of those too-good-to-be-true gadgets - it just installed, ran, and functioned out of the box. We had to tweak it just a bit to avoid it getting paranoid about our NMS port checks, but that was it.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
From: Mij <mi...@ss...> - 2011-01-27 18:52:04

Hi Marcus,

Your logs seem to say that sshguard is not receiving those messages.

Please try out the following possibilities:

1) replace "|/usr/local/sbin/sshguard" with "|exec /usr/local/sbin/sshguard" in syslog.conf (and reload)

2) if you still see nothing, replace "|/usr/local/sbin/sshguard" with "|tee -a /tmp/myfile | /usr/local/sbin/sshguard" (and reload) then see with "tail -F /tmp/myfile" if log entries are actually received.

3) comment the sshguard line in syslog, try to run sshguard in this mode: http://www.sshguard.net/docs/setup/getlogs/raw-file/ and see if /var/log/auth.log contains notifications from sshguard.

Essentially, you should find messages going:

Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshd[92022]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshguard[92021]: Blocking 70.84.184.242:4 for >630secs: 20 danger in 2 attacks over 1 seconds (all: 20d in 1 abuses over 1s).

On Dec 28, 2010, at 02:34 , Marcus wrote:

> I have asked the same question in forums.freebsd.org, no reply solved the problem.
>
> ------------
>
> in /etc/syslog.conf have two lines
>
> auth.info;authpriv.info |/usr/local/sbin/sshguard
> auth.info;authpriv.info /var/log/auth.log
>
> # /etc/rc.d/syslogd reload
>
>
> /etc/pf.conf have only 5 lines
>
> ext_if="bce1"
> table <sshguard> persist
> block in quick on $ext_if from <sshguard>
> pass in
> pass out
>
>
> # pfctl -f /etc/pf.conf
>
> # top | grep sshg
> 1296 root 2 44 0 7184K 1604K nanslp 0 0:00 0.00% sshguard
>
>
> test the brute force ssh, nothing found except
> ----------
> Dec 28 09:32:13 b sshguard[1445]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Dec 28 09:32:42 b sshd[1447]: Invalid user a from 10.0.0.88
> Dec 28 09:32:42 b sshd[1447]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:42 b sshd[1447]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49464 ssh2
> Dec 28 09:32:43 b sshd[1447]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:43 b sshd[1447]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49464 ssh2
> Dec 28 09:32:48 b sshd[1451]: Invalid user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49465 ssh2
> Dec 28 09:32:48 b sshd[1451]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49465 ssh2
> Dec 28 09:32:52 b sshd[1455]: Invalid user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: error: PAM: authentication error for illegal user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: Failed keyboard-interactive/pam for invalid user ab from 10.0.0.88 port 49466 ssh2
> Dec 28 09:32:52 b sshd[1455]: error: PAM: authentication error for illegal user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: Failed keyboard-interactive/pam for invalid user ab from 10.0.0.88 port 49466 ssh2
> Dec 28 09:32:56 b sshd[1459]: Invalid user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49467 ssh2
> Dec 28 09:32:56 b sshd[1459]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49467 ssh2
> Dec 28 09:33:00 b sshd[1463]: Invalid user a from 10.0.0.88
> Dec 28 09:33:00 b sshd[1463]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:00 b sshd[1463]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49468 ssh2
> Dec 28 09:33:01 b sshd[1463]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:01 b sshd[1463]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49468 ssh2
> Dec 28 09:33:04 b sshd[1479]: Invalid user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49469 ssh2
> Dec 28 09:33:05 b sshd[1479]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49469 ssh2
> Dec 28 09:33:09 b sshd[1483]: Invalid user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49470 ssh2
> Dec 28 09:33:09 b sshd[1483]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49470 ssh2
From: Mij <mi...@ss...> - 2011-01-27 18:37:19

Hi John

On Oct 26, 2010, at 18:34 , John Vinopal wrote:

> Hi, thanks for the helpful application. I've built a FreeBSD port for 1.5rc4 and have been running it for several days.
>
> Here are the few issues I've noticed:
>
> -v reports 1.4.4

updated in r218, as 1.5 is being released soon

> -i path-to-pidfile not documented in sshguard.8

committed in r219, thanks

> start of process doesn't print startup log message (FreeBSD std syslog.conf)
> - uses LOG_INFO, should probably use LOG_NOTICE

I see no reasons against this: committed as r220

> no option to daemonize on start? any problem doing it from the start script?

The shell can do that easily.

> missing log message to indicate end of blocking (FreeBSD std syslog.conf)
> - block and unblock should probably use same logging level
> - currently block uses LOG_NOTICE and unblock LOG_INFO

I believe block is quite more important than unblock. Block is the apex of an attack, whereas unblock is only a technical req for avoiding "trapping" addresses.

> kill of sshguard process yields log message:
> Oct 25 16:29:02 gabriella sshguard[42655]: Got CONTINUE signal, resuming activity.

The logic looks sane there (sshguard.c:197), are you sending a SIGCONT?
From: Mij <mi...@ss...> - 2011-01-27 07:29:20

Hi Julian

PATH_MAX is required by POSIX.1 from limits.h, and the _XOPEN_SOURCE def I see passed in your gcc logs should enable that. You could try to trace why PATH_MAX is not defined with some of these commands:

gcc -dD -E -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_XOPEN_SOURCE -g -O2 -c sshguard_logsuck.c
--> see PATH_MAX in output? If not, cross-check with limits.h and find the variable closest (in the headers) to it.

gcc -dD -E -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_XOPEN_SOURCE -g -O2 -c sshguard_logsuck.c
--> this tells you what sequence of headers is included. If your OS has PATH_MAX (only) in sys/syslimits.h, that should end up showing up there.

Feature-test macros normally wind up being tweaked by educated trial & error, since they are compiler-specific but the headers are system-specific. Your OS is a special combo, so there they could take some extra care.

On Dec 28, 2010, at 23:57 , Julián Moreno Patiño wrote:

> Hi Mij,
>
> This FTBFS could be avoided if this is added in src/sshguard_logsuck.c :
>
> #ifndef PATH_MAX
> # define PATH_MAX 4096
> #endif
>
> I find this the best solution:
>
> #ifndef PATH_MAX
> # include <sys/syslimits.h>
> #endif
>
> In kfreeBSD the PATH_MAX value is in sys/syslimits.h, please consider adding it in src/sshguard_logsuck.c
>
> Kind regards,
> --
> Julián Moreno Patiño
> .''`. Debian GNU/{Linux,KfreeBSD}
> : :' : Free Operating Systems
> `. `' http://debian.org/
> `- PGP KEY ID 6168BF60
> Registered GNU Linux User ID 488513
From: Mail U. <tem...@go...> - 2011-01-26 16:03:15

When FreeBSD's syslogd runs with -v -v, the log changes from

Jan 26 15:18:35 box sshd[57785]: error: PAM: authentication error for user from evil

to

Jan 26 15:18:35 <auth.err> box sshd[57785]: error: PAM: authentication error for user from evil

The following patch fixes this problem:

--- src/parser/attack_scanner.l.ORI 2011-01-26 16:23:43.000000000 +0100 +++ src/parser/attack_scanner.l 2011-01-26 16:24:01.000000000 +0100 @@ -99,12 +99,18 @@ */ /* handle entries with PID and without PID from processes other than sshguard */ +{TIMESTAMP_SYSLOG}[ ]+<[[:alnum:]]+\.[[:alnum:]]+>[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]:" { + /* extract PID */ + yylval.num = getsyslogpid(yytext, yyleng); + return SYSLOG_BANNER_PID; + } {TIMESTAMP_SYSLOG}[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]:" { /* extract PID */ yylval.num = getsyslogpid(yytext, yyleng); return SYSLOG_BANNER_PID; } +{TIMESTAMP_SYSLOG}[ ]+<[[:alnum:]]+\.[[:alnum:]]+>[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}":" { return SYSLOG_BANNER; } {TIMESTAMP_SYSLOG}[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}":" { return SYSLOG_BANNER; } /* metalog banner */
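Review bot: the two added rules copy the existing PID and no-PID banner rules wholesale instead of making the new `<facility.priority>` field optional inside them, so any later change to the banner grammar has to be applied in four places; an optional group such as `(<[[:alnum:]]+\.[[:alnum:]]+>[ ]+)?` inserted between `{TIMESTAMP_SYSLOG}[ ]+` and `({WORD}|{HOSTADDR})` in the two existing rules would accept both forms with no duplication. Also worth confirming before merge: the added PID rule passes the longer token to the unchanged `getsyslogpid(yytext, yyleng)`, which is only correct if that helper locates the PID relative to the end of the token rather than by a fixed offset from its start.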