From: Mij <mi...@ss...> - 2010-07-04 23:32:20

I put some indication on the FAQ. Yeah, I know.. :) I have word from some maintainers to get nice per-OS/distribution implementations as soon as 1.5 stable is out.

On May 11, 2010, at 13:59 , Karel Rys wrote:

> Hi, even though I have read the documentation and FAQ, I did not find the most important information: how to make our
> server start sshguard automatically after reboot? I have seen a script for starting older versions, but to be true, I do
> not understand its most important part:
>
> sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS > /dev/null
>
> Please could you write a simple FAQ for this? I guess lots of people do want to run sshguard automatically... Or, maybe you
> could add an /etc/rc.d/init.d/sshguard into the /script directory...
>
> Kind regards,
>
> Karel Rys
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Daniel <ne...@ot...> - 2010-07-01 02:29:50

Hi,

After using sshguard successfully for a long time with the current setup, I noticed upon reboot that it was not guarding anymore. I'm using the sshguard-ipfw version. It doesn't seem to do any detection of the login failures and so doesn't respond. It was working as recently as two weeks ago and my version has not changed. Below is the log.

I'm more used to seeing this:

system.log.1:Jun 28 04:40:55 naruto sshguard[785]: Blocking 118.97.232.236:4 for >420secs: 4 failures over 2 seconds.

Now I get:

Successfully resolved 'ec2-12-12-12-12.compute-1.amazonaws.com' --> 4:'12.12.12.12'.

Any input on why it may not be working is appreciated.

whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain ip 127.0.0.1.
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto sshd[2229]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 121 ("error: PAM: authentication error for daniel from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 7
Reading a token: --accepting rule at line 169 ("ec2-12-12-12-12.compute-1.amazonaws.com")
Next token is token HOSTADDR ()
Shifting token HOSTADDR ()
Entering state 40
Reducing stack by rule 18 (line 118):
   $1 = token HOSTADDR ()
Successfully resolved 'ec2-12-12-12-12.compute-1.amazonaws.com' --> 4:'12.12.12.12'.
-> $$ = nterm addr ()
Stack now 0 1 7
Entering state 44
Reducing stack by rule 27 (line 187):
   $1 = token SSH_LOGINERR_PAM ()
   $2 = nterm addr ()
-> $$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 25
Reducing stack by rule 20 (line 172):
   $1 = nterm ssh_authfail ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 23
Reducing stack by rule 9 (line 99):
   $1 = nterm sshmsg ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 35
Reducing stack by rule 5 (line 76):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 19
Reducing stack by rule 1 (line 60):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 18
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 179 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto sshd[2235]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 179 ("in")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
Got exit signal, flushing blocked addresses and exiting...

--
"America was founded by men who understood that the threat of domestic tyranny is as great as any threat from abroad. If we want to be worthy of their legacy, we must resist the rush toward ever-increasing state control of our society. Otherwise, our own government will become a greater threat to our freedoms than any foreign terrorist." - Ron Paul, Texas Straight Talk, May 31, 2004
From: Julián M. P. <dar...@gm...> - 2010-06-01 04:57:58

Hi Mij,

It would be nice to implement a configuration file sshguard.conf to enable options such as log sucker, whitelisting, blacklisting, port service and use them in different services (sshd, sendmail, exim, dovecot, etc). It's easier, and I can create a more generic daemon script for the Debian distribution.

Thank you very much, see you.

Kind Regards,
--
Julián Moreno Patiño
Registered GNU Linux User ID 488513
PGP KEY ID 6168BF60
From: Johan B. <jo...@be...> - 2010-05-21 08:36:48

Hey,

While trying to figure out why sshguard never blocked any users I found an issue that perhaps some other users have run into - sshguard seems to disregard log lines with one-letter hostnames (verified in sshguard 1.4, 1.5rc3 and r199). I'm on a Gentoo box, if that should matter, with syslog-ng 3.0.4.

I use a fictive hostname in the style of a.com, and since syslog-ng defaults to options { use_fqdn(no); } the actual log stamp will be something like:

May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.

Here's a debug session with the hostname "a":

May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 206 ("May 21 09:23:37")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0

Here's a hostname with two characters:

May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 113 ("May 21 09:23:37 ab sshd[24341]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 214 (" ")
--accepting rule at line 132 ("Invalid user asd from ")
Next token is token SSH_INVALUSERPREF ()
Shifting token SSH_INVALUSERPREF ()
Entering state 6
Reading a token: --accepting rule at line 194 ("123.123.123.123")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 6
Entering state 53
Reducing stack by rule 31 (line 272):
   $1 = token SSH_INVALUSERPREF ()
   $2 = nterm addr ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 262):
   $1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 214 (" ")
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token $end ()
Entering state 70
Stack now 0 23 70
Cleanup: popping token $end ()
Cleanup: popping nterm text ()
Matched address 123.123.123.123:4 attacking service 100, dangerousness 10.
Purging stale attackers.

Not sure if this really is a bug or intentional; but since you can set your hostname to one letter I guess sshguard at least should know about it.

Cheers,
Johan
From: Adam C. <ada...@be...> - 2010-05-17 18:43:12

greetings,

I'm adding sshguard (r1.5rc2) to a system running Ubuntu (8.1 / intrepid).

Configure for iptables, looks good.
Built from sources, looks good.

Configure /etc/syslog.conf as below:

# /etc/syslog.conf Configuration file for syslogd.
auth.info;authpriv.info         |/var/log/sshguard.fifo
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

Restart syslog:

/etc/init.d/sysklogd restart

Start sshguard:

initctl start sshguard

sshguard works fine as FIFO receives messages. But after a while... FIFO stops receiving messages and so sshguard gets no input to scan.

This seems like an Ubuntu issue but could there be something wrong with my syslog.conf?

thanks
Adam
--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org
From: Robert S <rob...@gm...> - 2010-05-14 09:20:05

Hi.

I have tried this with log sucking and direct feed from a FIFO with similar results. This is certainly a lot better, but there are still some false positives:

May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).

Robert.
From: Mij <mi...@ss...> - 2010-05-12 20:12:57

Hey Robert,

thanks for your perseverance. I found a subtle regression there. Please check out r199 and let me know.

On May 12, 2010, at 11:36 , Robert S wrote:

> Sadly this problem still seems to occur in the latest svn version :(
>
> May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
> May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739' has been forged for service 100.
> May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
> May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742' has been forged for service 100.
> May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
> May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745' has been forged for service 100.
>
> # ps ax |grep sshguard
> 31623 ? Sl 0:00 /usr/local/sbin/sshguard -l /var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Robert S <rob...@gm...> - 2010-05-12 09:36:30

Sadly this problem still seems to occur in the latest svn version :(

May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739' has been forged for service 100.
May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742' has been forged for service 100.
May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745' has been forged for service 100.

# ps ax |grep sshguard
31623 ? Sl 0:00 /usr/local/sbin/sshguard -l /var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Karel R. <de...@za...> - 2010-05-11 12:51:35

Hi,

even though I have read the documentation and FAQ, I did not find the most important information: how to make our server start sshguard automatically after reboot? I have seen a script for starting older versions, but to be true, I do not understand its most important part:

sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS > /dev/null

Please could you write a simple FAQ for this? I guess lots of people do want to run sshguard automatically... Or, maybe you could add an /etc/rc.d/init.d/sshguard into the /script directory...

Kind regards,

Karel Rys
From: Mij <mi...@ss...> - 2010-05-10 08:43:32

Users are increasingly asking for this. The distribution does not include start-up scripts since they are too system-dependent. Users who wrote a start-up script for their system, please submit it. We'll consider them for inclusion in the distribution or on the website.

On May 6, 2010, at 22:43 , Karel Rys wrote:

> Hi, even though I have read the documentation and FAQ, I did not
> find the most important information: how to make our server start
> sshguard automatically after reboot? I have seen a script for
> starting older versions, but to be true, I do not understand its
> most important part:
>
> sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS > /dev/null
>
> Please could you write a simple FAQ for this? I guess lots of people
> do want to run sshguard automatically... Or, maybe you could add an
> /etc/rc.d/init.d/sshguard into the /script directory...
>
> Kind regards,
>
> Karel Rys
From: Mij <mi...@ss...> - 2010-05-10 08:37:03

fixed, thanks. For the archives, the reference/oracle is always the "service-codes" page.

On May 8, 2010, at 09:57 , Jing Lu wrote:

> I found the service code of sshd is 10 in this page: http://www.sshguard.net/docs/log-validation/ . But in this page: http://www.sshguard.net/docs/reference/service-codes/, the service code of sshd is 100. What is the result of this difference, and which one is useful?
>
> Thanks!
From: Mij <mi...@ss...> - 2010-05-10 08:34:13

A missing fclose() could cause this to occur after a while for descriptor exhaustion; please try r196.

Note that, for a few patterns (currently "Did not receive identification string") procauth can inherently not succeed as the log message appears after the emitting process exited.

On May 3, 2010, at 13:08 , Robert S wrote:

> Unfortunately process authentication isn't working. I received 953
> "Ignore" messages today:
>
> # grep sshguard /var/log/messages
> May 3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922' has been forged for service 100.
> May 3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
> May 3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
> May 3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925' has been forged for service 100.
> May 3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
> May 3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
> May 3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928' has been forged for service 100.
> May 3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
> May 3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.
>
> There was only one "hit" resulting in a block
>
> I'm using direct feeding from a fifo:
>
> # cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
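The exchange above is about process authentication: with "-f 100:/var/run/sshd.pid", sshguard runs 'ps axo pid,ppid' and only counts an sshd log line if the PID in its syslog tag is a child of the sshd master, so a user who writes a fake "sshd[...]" line cannot get arbitrary addresses blocked. The "Ignore attack as pid ... has been forged" flood happens when the child has already exited by the time the line is read. The following added example (not sshguard's code; the names Verdict, procauth, classify_line and all PIDs, hostnames and addresses are constructed) reimplements the check in Python and keeps "process already gone" apart from "parent is wrong", so the race Mij describes is reported as a coverage gap rather than as forgery.

```python
"""Procauth-style check: is the PID in an sshd syslog tag a child of the sshd master?

Added example, not sshguard's own code. Names and sample data are constructed.
"""
import re
import subprocess
from enum import Enum


class Verdict(Enum):
    AUTHENTIC = "authentic"  # logging PID is a direct child of the service master
    FORGED = "forged"        # PID exists, but its parent is something else
    UNKNOWN = "unknown"      # PID is gone: the child exited before we looked


def parse_ps_table(ps_output: str) -> dict[int, int]:
    """Turn 'ps axo pid,ppid' output into a {pid: ppid} map, skipping the header."""
    table: dict[int, int] = {}
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit() and fields[1].isdigit():
            table[int(fields[0])] = int(fields[1])
    return table


def read_live_ps_table() -> dict[int, int]:
    """Same map from the running system, via the command sshguard itself runs."""
    proc = subprocess.run(["ps", "axo", "pid,ppid"], capture_output=True, text=True, check=True)
    return parse_ps_table(proc.stdout)


def procauth(pid: int, master_pid: int, table: dict[int, int]) -> Verdict:
    """Direct-parent check, as in sshguard's 'Process X is not child of Y' message.

    A descendant walk would be weaker, not stronger: an interactive session spawned
    by sshd is itself a descendant of the master, and a line forged from that
    session (e.g. with logger(1)) is exactly what the check has to reject.
    """
    if pid not in table:
        return Verdict.UNKNOWN
    return Verdict.AUTHENTIC if table[pid] == master_pid else Verdict.FORGED


# syslog tag of the emitting process, e.g. "sshd[8307]:"
SSHD_TAG = re.compile(r"\bsshd\[(\d+)\]:")


def classify_line(line: str, master_pid: int, table: dict[int, int]):
    """Verdict for one syslog line, or None if the line was not tagged as sshd."""
    match = SSHD_TAG.search(line)
    if match is None:
        return None
    return procauth(int(match.group(1)), master_pid, table)


def audit(lines, master_pid: int, table: dict[int, int]) -> dict[Verdict, int]:
    """Count verdicts over a batch; UNKNOWN is tallied on its own so a burst of
    exited children shows up as missing coverage, not as a forgery wave."""
    counts = {verdict: 0 for verdict in Verdict}
    for line in lines:
        verdict = classify_line(line, master_pid, table)
        if verdict is not None:
            counts[verdict] += 1
    return counts


# Constructed process table: 4547 is the sshd master, 8307 an sshd child handling
# a connection, 5100 an sshd child with a logged-in user whose shell (2222) ran
# logger (9001) to write a fake sshd line.
SAMPLE_PS = """\
  PID  PPID
    1     0
 4547     1
 8307  4547
 5100  4547
 2222  5100
 9001  2222
"""
MASTER_PID = 4547

# Constructed log lines (RFC 5737 documentation addresses). PID 6453 is absent
# from the table: that child exited before the line was read.
SAMPLE_LINES = [
    "Apr 29 22:49:29 myhost sshd[8307]: Invalid user admin from 192.0.2.10",
    "Apr 29 22:49:30 myhost sshd[9001]: Invalid user admin from 192.0.2.77",
    "Apr 29 22:49:31 myhost sshd[6453]: Did not receive identification string from 192.0.2.11",
    'Apr 29 22:49:31 myhost sshguard[8301]: Run command "iptables -L": exited 0.',
]

if __name__ == "__main__":
    table = parse_ps_table(SAMPLE_PS)
    for line in SAMPLE_LINES:
        print(classify_line(line, MASTER_PID, table), "<-", line)
    print(audit(SAMPLE_LINES, MASTER_PID, table))
```

Whether UNKNOWN lines should still count toward blocking is a policy choice: ignoring them (as in the thread) favours never acting on an unverifiable line, counting them favours not missing short-lived scanners.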
From: Jing L. <luj...@gm...> - 2010-05-08 07:58:23

I found the service code of sshd is 10 in this page: http://www.sshguard.net/docs/log-validation/ . But in this page: http://www.sshguard.net/docs/reference/service-codes/, the service code of sshd is 100. What is the result of this difference, and which one is useful?

Thanks!
From: Karel R. <ry...@za...> - 2010-05-06 21:00:48

Hi,

even though I have read the documentation and FAQ, I did not find the most important information: how to make our server start sshguard automatically after reboot? I have seen a script for starting older versions, but to be true, I do not understand its most important part:

sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS > /dev/null

Please could you write a simple FAQ for this? I guess lots of people do want to run sshguard automatically... Or, maybe you could add an /etc/rc.d/init.d/sshguard into the /script directory...

Kind regards,

Karel Rys
From: Robert S <rob...@gm...> - 2010-05-03 11:08:58

Unfortunately process authentication isn't working. I received 953 "Ignore" messages today:

# grep sshguard /var/log/messages
May 3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922' has been forged for service 100.
May 3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
May 3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
May 3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925' has been forged for service 100.
May 3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
May 3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
May 3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928' has been forged for service 100.
May 3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
May 3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.

There was only one "hit" resulting in a block.

I'm using direct feeding from a fifo:

# cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid
From: Robert S <rob...@gm...> - 2010-05-01 22:47:18

Here's what I use on a debian system. You'd need to modify the startGuard function if you want to use the log sucker.

#-----8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><-----
#! /bin/sh
### BEGIN INIT INFO
# Provides:          sshguard
# Required-Start:    $syslog
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ssh guard service"
NAME=sshguard
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
WHITELIST=/etc/sshguard.whitelist
LOG=/var/log/auth.log

. /lib/init/vars.sh
. /lib/lsb/init-functions

[ -f /etc/default/$NAME ] && . /etc/default/$NAME

# POSIX function syntax: the "function startGuard {" form is a bashism that
# /bin/sh (dash on Debian) rejects.
# The inner sh writes its own PID to $PIDFILE and then exec's tail, so the
# file ends up holding tail's PID; killing it closes sshguard's stdin.
startGuard() {
    [ -e $WHITELIST ] && ARGS="$ARGS -w $WHITELIST"
    sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS > /dev/null
    return $?
}

do_start() {
    [ -e $PIDFILE ] && return 1
    iptables -N sshguard
    iptables -I INPUT 1 -p tcp --dport 22 -j sshguard
    ip6tables -N sshguard
    ip6tables -A INPUT -p tcp --dport 22 -j sshguard
    startGuard &
    # Note: $? after "&" is the status of launching the background job (always 0),
    # not of sshguard itself, so the "return 2" branch never fires.
    [ 0 -ne $? ] && return 2 || return 0
}

do_stop() {
    kill `cat $PIDFILE`
    RETVAL=$?
    sleep 1
    iptables -D INPUT -p tcp --dport 22 -j sshguard
    iptables -F sshguard
    iptables -X sshguard
    ip6tables -D INPUT -p tcp --dport 22 -j sshguard
    ip6tables -F sshguard
    ip6tables -X sshguard
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac
#-----8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><-----
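The line Karel asks about, sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | sshguard ..., is what lets the init script's stop action work: the PID file names the feeder, and killing it gives sshguard EOF. This added example (not from the list or the sshguard project) runs the same idiom with cat standing in for sshguard, in a temporary directory, and checks what the PID file actually holds; pidfile_demo is a constructed name.

```sh
#!/bin/sh
# Added example: exercise the init script's feeder idiom and verify its effect.
#
#   sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | sshguard ...
#
# The outer shell expands $PIDFILE and $LOG, but \$\$ is escaped, so $$ is
# expanded by the inner sh and names that inner shell. The inner shell then
# exec's tail, which keeps the same PID, so the file records tail's PID.
# Killing that PID closes the pipe; the consumer reads EOF and exits by itself.

# pidfile_demo: prints "ok" and returns 0 when (1) the PID file names a tail
# process, (2) a line appended to the log reaches the consumer, and (3) killing
# the recorded PID ends the pipeline. cat plays the role of sshguard.
pidfile_demo() {
    dir=$(mktemp -d) || return 1
    pidfile=$dir/sshguard.pid
    log=$dir/auth.log
    out=$dir/consumer.out
    : > "$log"

    # Same construction as the init script, consumer swapped for cat.
    sh -c "echo \$\$ > $pidfile && exec tail -n0 -f $log" | cat > "$out" &

    # Wait until the PID file exists and the recorded PID has become tail.
    comm=""
    i=0
    while [ $i -lt 50 ]; do
        pid=$(cat "$pidfile" 2>/dev/null || true)
        if [ -n "$pid" ]; then
            # /proc on Linux, ps elsewhere; macOS ps prints the full path.
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -o comm= -p "$pid" 2>/dev/null || true)
        fi
        case $comm in *tail) break ;; esac
        sleep 0.2
        i=$((i + 1))
    done
    case $comm in
        *tail) ;;
        *) echo "PID file does not name tail (got '$comm')"; return 1 ;;
    esac

    # A constructed log line appended after start-up must reach the consumer
    # (tail -n0 skips what was already in the file, so only new lines are fed).
    echo "Apr 29 22:49:29 myhost sshd[8307]: Invalid user admin from 192.0.2.10" >> "$log"
    i=0
    while ! grep -q 'sshd\[8307\]' "$out" 2>/dev/null && [ $i -lt 50 ]; do
        sleep 0.2
        i=$((i + 1))
    done
    grep -q 'sshd\[8307\]' "$out" || { echo "line did not reach the consumer"; return 1; }

    # What do_stop does: kill the PID from the file. tail dies, cat sees EOF.
    kill "$pid"
    wait
    if kill -0 "$pid" 2>/dev/null; then
        echo "tail is still running"
        return 1
    fi
    rm -rf "$dir"
    echo ok
}
```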
From: Mij <mi...@ss...> - 2010-04-29 15:55:02

On Apr 29, 2010, at 14:59 , Robert S wrote:

> Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not allowed because none of user's groups are listed in AllowGroups
> Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
> Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
> Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has been forged for service 100.

This can legitimately occur if sshguard gets the log message after the process spawning it exited. In practice, this should happen very rarely with log sucking, say <5% of the times with this pattern on idle servers (sshguard adjusts the monitoring frequency to the log traffic), and nearly never with direct feeding. Should you observe different numbers, feel free to write in.
From: Robert S <rob...@gm...> - 2010-04-29 12:59:12

Hi.

As suggested the statement below fixed the logging issue.

const int sshguard_log_minloglevel = LOG_INFO;

However, there appears to be a problem with process authentication:

Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not allowed because none of user's groups are listed in AllowGroups
Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has been forged for service 100.

# ps ax |grep sshguard
8301 pts/1 Sl+ 0:00 /usr/src/local/sshguard/trunk/src/sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid

This problem goes away when I omit the "-f 100:/var/run/sshd.pid" option.
From: Mij <mi...@ss...> - 2010-04-28 22:11:23

On Apr 28, 2010, at 23:14 , Robert S wrote:

>> Your backtrace seems interesting. sshguard seems waiting while performing process authentication.
>> Procauth has been there for long and should be stable. Can you please try to temporarily disable
>> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
>> insight.
>>
>
> I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:
>
> # sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> I've had it running for 24hr and it's still running now. There have
> been two intruders blocked over this time (there seem to be much fewer
> attempted logins lately!). I think that's fixed it.
>
> Unfortunately no sshguard activity appears in my syslog - this feature
> seems to have disappeared in recent versions of the software. It
> seems to be necessary to set the SSHGUARD_DEBUG variable, which gives
> an extremely verbose debug output. I think that this has led to my
> not realising that sshguard was not working for many months before
> this problem cropped up. Is it possible to enable logging to syslog -
> or to another log file?

Activity should appear in your syslog, with AUTH facility. There was a change in recent versions, namely now only output "> LOG_NOTICE" is issued. Curiously, this change is the fruit of other users' requests. On the one hand, this should be sufficient for normal use (i.e., as soon as you don't have your bug anymore); on the other hand, it's true it makes possible problems of this sort less apparent. I'll give it a thought and decide something before 1.5stable.

If you want to temporarily tweak it to your preference, change

const int sshguard_log_minloglevel = LOG_NOTICE;

to whichever level you prefer in sshguard_log.c .
From: Robert S <rob...@gm...> - 2010-04-28 21:15:02

> Your backtrace seems interesting. sshguard seems waiting while performing process authentication.
> Procauth has been there for long and should be stable. Can you please try to temporarily disable
> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
> insight.
>

I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:

# sshguard -l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

I've had it running for 24hr and it's still running now. There have been two intruders blocked over this time (there seem to be much fewer attempted logins lately!). I think that's fixed it.

Unfortunately no sshguard activity appears in my syslog - this feature seems to have disappeared in recent versions of the software. It seems to be necessary to set the SSHGUARD_DEBUG variable, which gives an extremely verbose debug output. I think that this has led to my not realising that sshguard was not working for many months before this problem cropped up. Is it possible to enable logging to syslog - or to another log file?
From: Mij <mi...@ss...> - 2010-04-28 11:32:49

this should be fixed in r192

On Apr 14, 2010, at 03:51 , Robert S wrote:

> Thanks.
>
> This seems to be an intermittent problem and can be difficult to
> reproduce. It usually starts some time after I have invoked the
> sshguard command.
>
> I am running sshguard in a screen session:
>
> # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log
>
> After a while, the logging seems to stop happening:
From: Mij <mi...@ss...> - 2010-04-27 15:41:35
|
Hey robert Your backtrace seems intresting. sshguard seems waiting while performing process authentication. Procauth has been there for long and should be stable. Can you please try to temporary disable the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the insight. michele On Apr 14, 2010, at 03:51 , Robert S wrote: > Thanks. > > This seems to be an intermittent problem and can be difficult to > reproduce. It usually starts some time after I have invoked the > sshguard command. > > I am running sshguard in a screen session: > > # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f > 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w > /etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log > > After a while, the logging seems to stop happening: > > Reading a token: --accepting rule at line 133 (" not allowed because > none of user's groups are listed in AllowGroups") > Next token is token SSH_NOTALLOWEDSUFF () > Shifting token SSH_NOTALLOWEDSUFF () > Entering state 71 > Reducing stack by rule 32 (line 275): > $1 = token SSH_NOTALLOWEDPREF () > $2 = nterm addr () > $3 = token SSH_NOTALLOWEDSUFF () > -> $$ = nterm ssh_illegaluser () > Stack now 0 1 > Entering state 31 > Reducing stack by rule 26 (line 263): > $1 = nterm ssh_illegaluser () > -> $$ = nterm sshmsg () > Stack now 0 1 > Entering state 30 > Reducing stack by rule 11 (line 169): > $1 = nterm sshmsg () > -> $$ = nterm msg_single () > Stack now 0 1 > Entering state 28 > Reducing stack by rule 9 (line 163): > $1 = nterm msg_single () > -> $$ = nterm logmsg () > Stack now 0 1 > Entering state 46 > Reducing stack by rule 5 (line 138): > $1 = token SYSLOG_BANNER_PID () > $2 = nterm logmsg () > > < nothing happens from here on even if I try to log in again using ssh > > > If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing > happens to the log output. > > "top" does not reveal excess use of CPU. 
>
> Here is lsof output
>
> # lsof |grep sshguard
> sshguard 6376 root cwd DIR 3,6 4096 735903 /root
> sshguard 6376 root rtd DIR 3,6 4096 2 /
> sshguard 6376 root txt REG 3,6 371826 757808 /root/sshguard/sshguard
> sshguard 6376 root mem REG 3,6 1399984 654712 /lib/libc-2.10.1.so
> sshguard 6376 root mem REG 3,6 137284 654892 /lib/libpthread-2.10.1.so
> sshguard 6376 root mem REG 3,6 123168 654880 /lib/ld-2.10.1.so
> sshguard 6376 root 0u CHR 136,1 0t0 4 /dev/pts/1
> sshguard 6376 root 1w FIFO 0,5 0t0 11866 pipe
> sshguard 6376 root 2w FIFO 0,5 0t0 11866 pipe
> sshguard 6376 root 3r REG 3,8 141517 31962 /var/log/auth.log
> sshguard 6376 root 4r FIFO 0,5 0t0 14686 pipe
> sshguard 6376 root 5w FIFO 0,5 0t0 14686 pipe
> tee 6377 root 3w REG 3,6 37094 703149 /tmp/sshguard.log
>
> Here is the ps and gdb output:
>
> # ps ax |grep sshguard
> 6376 pts/1 Sl+ 0:00 sshguard/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
> 6377 pts/1 S+ 0:00 tee /tmp/sshguard.log
> 6754 pts/0 R+ 0:00 grep --colour=auto sshguard
>
> # gdb
> warning: Can not parse XML syscalls information; XML support was disabled at compile time.
> GNU gdb (Gentoo 7.0 p2) 7.0
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-pc-linux-gnu".
> For bug reporting instructions, please see:
> <http://bugs.gentoo.org/>.
> (gdb) attach 6376
> Attaching to process 6376
> Reading symbols from /root/sshguard/sshguard...done.
> Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
> [Thread debugging using libthread_db enabled]
> [New Thread 0x7f997084d910 (LWP 6380)]
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> 0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
> (gdb) break
> Breakpoint 1 at 0x7f9970bb593f
> (gdb) backtrace full
> #0 0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
> No symbol table info available.
> #1 0x0000000000403e56 in procauth_ischildof (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:210
>         retA = <value optimized out>
>         pidA = <value optimized out>
>         ps2grep = {4, 5}
>         pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
>         retB = <value optimized out>
>         pidB = <value optimized out>
> #2 procauth_isauthoritative (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:138
> No locals.
> #3 0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
>         yystate = <value optimized out>
>         yyn = 0
>         yyresult = <value optimized out>
>         yyerrstatus = 0
>         yytoken = 16
>         yyss = 0x7fff3782f600
>         yyssp = 0x7fff3782f604
>         yyvs = 0x7fff3782efc0
>         yyvsp = 0x7fff3782efd0
>         yystacksize = 200
>         yyval = <value optimized out>
>         yylen = 2
> #4 0x00000000004082e1 in parse_line (source_id=-194048594, str=<value optimized out>) at attack_parser.y:379
>         ret = <value optimized out>
> #5 0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
>         tid = 140296994478352
>         retv = <value optimized out>
>         source_id = 4100918702
>         buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from 122.227.43.37 not allowed because none of user's groups are listed in AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000 \371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...
>
>
> HTH ;-)
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
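The backtrace above shows sshguard blocked in waitpid() inside procauth_ischildof with a ps2grep pipe and the pattern "6453[[:space:]]+4547" (4547 being the sshd pid taken from /var/run/sshd.pid), and the lsof output lists both ends of that pipe, fds 4 and 5, still open in the sshguard process itself; a child that reads a pipe whose write end its parent still holds never sees EOF. As an added example that is not sshguard's own code, the same "is this pid a descendant of the service pid" check can be done with no pipeline at all by walking the ppid chain; the process table is constructed inline from the pids in the posted output, proc_ppid assumes the Linux /proc/<pid>/stat layout, and all function names are hypothetical.

```c
/* Added example, not sshguard's code: check that the process which logged an
 * event really descends from the authoritative service pid (read from a pidfile
 * such as /var/run/sshd.pid) by walking the ppid chain, with no "ps | grep". */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef long (*ppid_lookup_fn)(long pid, void *ctx); /* ppid, 0 gone, -1 err */

/* Constructed process table standing in for "ps", using the pids from the
 * posted output: sshd 4547 forked 6453 to handle the rejected login. */
struct proc_entry { long pid, ppid; };
static const struct proc_entry SAMPLE_TABLE[] = {
    {1, 0}, {4547, 1}, {6453, 4547}, {7000, 6453}, {6300, 1}, {6376, 6300},
};
long table_ppid(long pid, void *ctx) {
    (void)ctx;
    for (size_t i = 0; i < sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0]; i++)
        if (SAMPLE_TABLE[i].pid == pid) return SAMPLE_TABLE[i].ppid;
    return 0; /* pid already exited: it cannot be a live descendant */
}

/* Linux /proc reader (assumption: in /proc/<pid>/stat the ppid follows the
 * state letter, which follows the parenthesised comm). */
long proc_ppid(long pid, void *ctx) {
    char path[64], line[512], state, *rp; long ppid;
    (void)ctx;
    snprintf(path, sizeof path, "/proc/%ld/stat", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    rp = fgets(line, sizeof line, f) ? strrchr(line, ')') : NULL;
    fclose(f);
    if (!rp) return -1; /* comm may contain spaces, so scan after the last ')' */
    return sscanf(rp + 1, " %c %ld", &state, &ppid) == 2 ? ppid : -1;
}

/* Walk up from pid: 1 if ancestor is met before init or a vanished pid.
 * The depth bound means a corrupt table cannot make the log parser hang. */
int is_descendant_of(long pid, long ancestor, ppid_lookup_fn lookup, void *ctx) {
    if (pid <= 1 || ancestor <= 0) return 0;
    for (int depth = 0; depth < 64 && pid > 1; depth++) {
        long ppid = lookup(pid, ctx);
        if (ppid <= 0) return 0;
        if (ppid == ancestor) return 1;
        pid = ppid;
    }
    return 0;
}

/* Parse pidfile text such as "4547\n": -1 unless it holds one clean pid. */
long parse_pidfile(const char *text) {
    char *end;
    errno = 0;
    long pid = strtol(text, &end, 10);
    if (errno || end == text || pid <= 0) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    return *end ? -1 : pid;
}
int main(void) {
    long sshd = parse_pidfile("4547\n"); /* constructed pidfile content */
    printf("6453 under sshd: %d\n", is_descendant_of(6453, sshd, table_ppid, NULL));
    printf("6376 under sshd: %d\n", is_descendant_of(6376, sshd, table_ppid, NULL));
    return 0;
}
```

Passing proc_ppid instead of table_ppid runs the same walk against the live system; either way nothing is forked, so there is no child to wait for.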
From: Mikhail L. <sva...@gm...> - 2010-04-22 06:35:38
Hello,

I downloaded and installed sshguard v.1.5 on Ubuntu 9.10. It runs fine when I start it manually, e.g.,

sudo sshguard -l /var/log/auth.log

Can you please tell me the best way to start it automatically using Log Sucker? An example of an init.d script?

Thank you
From: Mij <mi...@ss...> - 2010-04-20 16:08:49
I don't know why Freshmeat defaulted to "Debian package" as download resource. I set it to Tar/BZ2. Thanks for reporting.

On Apr 20, 2010, at 16:49 , Peter Beckman wrote:

> I updated my FreeBSD ports tree this morning only to find that sshguard is still sitting at v1.4 there, so I hit the sshguard site to download the 1.5rc2. Took me to freshmeat, where there is a download link, and that took me to http://packages.debian.org/lenny/sshguard which said:
>
> "Error: Package not available in this suite."
>
> Well that sucks! How should I download it?
>
> ---------------------------------------------------------------------------
> Peter Beckman Internet Guy
> be...@an... http://www.angryox.com/
> ---------------------------------------------------------------------------
From: Peter B. <be...@an...> - 2010-04-20 15:04:37
I updated my FreeBSD ports tree this morning only to find that sshguard is still sitting at v1.4 there, so I hit the sshguard site to download the 1.5rc2. Took me to freshmeat, where there is a download link, and that took me to http://packages.debian.org/lenny/sshguard which said:

"Error: Package not available in this suite."

Well that sucks! How should I download it?

---------------------------------------------------------------------------
Peter Beckman Internet Guy
be...@an... http://www.angryox.com/
---------------------------------------------------------------------------