sshguard-users — User questions and answers, bugs, and general support

[Sshguard-users] New name, new game?

[Johan B. <bu...@be...>]

Hello,

Since switching to 1.5, sshguard has slowly evolved in my server park from a "ssh blocker" to something completely different. The way I see it, sshguard's strengths are scanning multiple logfiles and acting upon a specific behavior.

Instead of throwing ssh in getting pf out, I would for instance like to shove it failed wordpress attempts and feed them to a nginx config or perhaps a pf tarpit.

With this in mind, a couple of things makes "living" with sshguard a tad more complex:

 - writing recognition patterns is a tedious and compile-time-only process
 - only allows for calls to pf/iptables/whatnot
 - not having a config file (recently raised on list)

Some issues are cured with simple solutions such as letting nginx write custom logs which match a current filter and to wrap calls to pf in shell scripts - but the question remains; In what direction is sshguard heading?

See this more as an open question rather than a feature request since it's more about roadmap than anything else.

Cheers,
Johan

Re: [Sshguard-users] sshguard hostname parsing

[Mij <mi...@ss...>]

Nice to hear this sort of test cases :)
Committed (r202), thanks!


On May 21, 2010, at 10:16 , Johan Bergström wrote:

> Hey,
> 
> While trying to figure out why sshguard never blocked any users I found an issue that perhaps some other users has run into - sshguard seems to disregard log lines with one-letter hostnames (verified in sshguard 1.4, 1.5rc3 and r199). I'm at a Gentoo box if that should matter, with syslog-ng 3.0.4
> 
> I use a fictive hostname in style with a.com, and since syslog-ng defaults to options { use_fqdn(no); } the actual log stamp will be something like:
> May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.
> 
> Here's a debug session with the hostname "a":
> 
> May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Read line from '-'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 206 ("May 21 09:23:37")
> Next token is token TIMESTAMP_SYSLOG ()
> Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
> Stack now 0
> 
> 
> 
> Here's a hostname with two characters:
> 
> May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Read line from '-'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 113 ("May 21 09:23:37 ab sshd[24341]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 214 (" ")
> --accepting rule at line 132 ("Invalid user asd from ")
> Next token is token SSH_INVALUSERPREF ()
> Shifting token SSH_INVALUSERPREF ()
> Entering state 6
> Reading a token: --accepting rule at line 194 ("123.123.123.123")
> Next token is token IPv4 ()
> Shifting token IPv4 ()
> Entering state 50
> Reducing stack by rule 23 (line 203):
>   $1 = token IPv4 ()
> -> $$ = nterm addr ()
> Stack now 0 1 6
> Entering state 53
> Reducing stack by rule 31 (line 272):
>   $1 = token SSH_INVALUSERPREF ()
>   $2 = nterm addr ()
> -> $$ = nterm ssh_illegaluser ()
> Stack now 0 1
> Entering state 31
> Reducing stack by rule 26 (line 262):
>   $1 = nterm ssh_illegaluser ()
> -> $$ = nterm sshmsg ()
> Stack now 0 1
> Entering state 30
> Reducing stack by rule 11 (line 169):
>   $1 = nterm sshmsg ()
> -> $$ = nterm msg_single ()
> Stack now 0 1
> Entering state 28
> Reducing stack by rule 9 (line 163):
>   $1 = nterm msg_single ()
> -> $$ = nterm logmsg ()
> Stack now 0 1
> Entering state 46
> Reducing stack by rule 5 (line 138):
>   $1 = token SYSLOG_BANNER_PID ()
>   $2 = nterm logmsg ()
> -> $$ = nterm syslogent ()
> Stack now 0
> Entering state 24
> Reducing stack by rule 1 (line 122):
>   $1 = nterm syslogent ()
> -> $$ = nterm text ()
> Stack now 0
> Entering state 23
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 214 ("
> ")
> --(end of buffer or a NUL)
> --EOF (start condition 0)
> Now at end of input.
> Shifting token $end ()
> Entering state 70
> Stack now 0 23 70
> Cleanup: popping token $end ()
> Cleanup: popping nterm text ()
> Matched address 123.123.123.123:4 attacking service 100, dangerousness 10.
> Purging stale attackers.
> 
> 
> Not sure if this really is a bug or intentional; but since you can set your hostname to one letter I guess sshguard at least should know about it.
> 
> Cheers,
> Johan
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] fifo stops receiving output

[Mij <mi...@ss...>]

Hmm, this is weird :)

Blind dive: does anything happen with the permissions of the FIFO?
If I recall it right, ubuntu runs syslogd as an unprivileged user.

If you sort it out, please report your answer to the list for the archives.

If you don't, consider using Log Sucking.


On May 17, 2010, at 20:42 , Adam Cohen wrote:

> greetings,
> I'm adding sshguard (r1.5rc2) to a system running Ubuntu (8.1 / intrepid)
> 
> Configure for iptables, looks good
> Built from sources, looks good
> Configure /etc/syslog.conf as below:
> 
> #  /etc/syslog.conf	Configuration file for syslogd.
> auth.info;authpriv.info		|/var/log/sshguard.fifo
> auth,authpriv.*			/var/log/auth.log
> *.*;auth,authpriv.none		-/var/log/syslog
> 
> Restart syslog
> /etc/init.d/sysklogd restart
> 
> Start sshguard
> initctl start sshguard
> 
> sshguard works fine as FIFO receives messages
> 
> But after a while...FIFO stops receiving messages and so sshguard gets no input to scan.  This seems like an Ubuntu issue but could there be something wrong with my syslog.conf?
> 
> thanks
> Adam
> 
> -- 
> Adam Cohen / IT Manager
> Energy Biosciences Institute / UC Berkeley
> 109 Calvin Lab / 510-642-7709
> http://www.energybiosciencesinstitute.org
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

Hi Robert,

I cannot reproduce this problem on any of my machines, but here is the most likely
explanation. Log Validation works as follows:
1. recognize an attack signature
2. extract generating PID from it (logPID)
3. compare logPID with the genuine PID genPID (from the pidfile). Match => ACCEPT

The algorithm ideally stops here, but some daemons (like sshd) delegate connection
processing to children. So the algorithm goes on:
4. ask the system for the parent-child process table
5. check if logPID is child of genPID. Match => ACCEPT
6. REJECT

For daemons delegating client handling to children, what's likely happening on your
machine is that sshguard receives the message when the child has already
died after sending its log message. Sshguard has then no way to tell.

With log sucking this is more likely to happen under non-BSD systems, where the
logic is implemented with proactive non-blocking polls (on BSD it's reactive on kqueue()).
I will consider collapsing this in a single libevent logic in the near future.

michele


On May 14, 2010, at 11:19 , Robert S wrote:

> Hi.
> 
> I have tried this with log sucking and direct feed from a FIFO with
> similar results.  This is certainly a lot better, but there are still
> some false positives:
> 
> May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193'
> has been forged for service 100.
> May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for
>> 630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses
> over 12s).
> May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341'
> has been forged for service 100.
> May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for
>> 630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses
> over 5s).
> May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130
> not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376'
> has been forged for service 100.
> May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130
> not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130
> not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130
> not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130
> not allowed because none of user's groups are listed in AllowGroups
> May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4
> for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1
> abuses over 9s).
> May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not
> allowed because none of user's groups are listed in AllowGroups
> May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for
>> 630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses
> over 11s).
> 
> Robert.
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Needed configuration file sshguard.conf for daemon script

[Mij <mi...@ss...>]

I've been considering this. There are some thought holding it back, like
- one parser is already incumbent in the code, combining two parsers is some pain
- parsing has a terrible code/functionality ratio, it's a pity to deploy it for
something as ancillary as configuration files
- having configuration files would finally mark sshguard a "serious" daemon :)
rather than a tool

I've found the "envdir" configuration style (that's "configuration directory"es rather than
files) tremendously lean and convenient from both the user and the programmer; how
would that fit in your daemon script frame?


On Jun 1, 2010, at 06:57 , Julián Moreno Patiño wrote:

> Hi Mij,
> 
> It would be nice to implement a configuration file sshguard.conf to enable options such as log sucker, whitelisting, blacklisting, port service and use them in different services (sshd, sendmail, exim, dovecot, etc), it's more easier and I can create more generic daemon script to Debian Distribution.
> 
> Thank you very much, see you.
>  
> Kind Regards,
> 
> -- 
> Julián Moreno Patiño
> Registered GNU Linux User ID 488513
> PGP KEY ID 6168BF60
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Found a bug in latest svn repository

[Mij <mi...@ss...>]

Thanks for insisting so kindly, you got it committed as r200 (!!) as a prize.


On May 21, 2010, at 22:57 , El Topo wrote:

> Hi,
> 
> I reported this bug before and it was fixed, but there is a leftover, so I am submitting a patch:
> 
> ===begin
> 
> Index: src/fwalls/hosts.c
> ===================================================================
> --- src/fwalls/hosts.c    (revision 199)
> +++ src/fwalls/hosts.c    (working copy)
> @@ -170,7 +170,6 @@
>  
>  int hosts_updatelist() {
>      char buf[HOSTS_MAXCMDLEN];
> -    char tempflname[30];
>      FILE *tmp, *deny;
>  
>      /* open hosts.allow file */
> 
> ===end
> 
> the patch is also attached.
> 
> Thanks,
> 
> cameos
> 
> On Thu, Mar 11, 2010 at 2:13 PM, El Topo <ca...@gm...> wrote:
> Hi,
> 
> I found a bug in 
> src/fwalls/hosts.c
> 
> 1. there is a global variable tempflname, but in fw_init() and hosts_updatelist(), local variables with the same name are also defined, this caused make_temporary_conffile() always fails. Fix: local variables should be deleted;
> 2. the glboal variable tempflname should be initialized as soon as possible in fw_init(), otherwise hosts_clearsshguardblocks() tries to create temp file with invalid name (and fails).
> 
> cameos
> 
> <sshguard.patch>------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguard - how to start with Log Sucker

[Mij <mi...@ss...>]

I put some indication on the FAQ.
Yeah, I know.. :) I have word from some maintainers to get nice per-OS/distribution
implementations as soon as 1.5 stable is out


On May 11, 2010, at 13:59 , Karel Rys wrote:

> Hi, even thought I have read the documentation and FAQ, I did not find the most important information: how to make our 
> server to start sshguard automatically after reboot? I have seen a script for starting older versions, but to be true, I do 
> not understand its most important part:  
> 
>  sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" |
> /usr/local/sbin/sshguard $ARGS > /dev/null
> 
> Please could you write a simple FAQ for this? I guess lots of people do want to run sshguard automatically... Or, may be you 
> could add a /etc/rc.d/init.d/sshguard into /script directory...  
> 
> Kind regards,
> 
> Karel Rys
> 
> 
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] sshguard not guarding

[Daniel <ne...@ot...>]

Hi,

After using sshguard successfully for a long time with the current setup, I
noticed upon reboot that it was not guarding anymore. I'm using the
sshguard-ipfw version. It doesn't seem to do any detection of the login
failures and so doesn't respond.
It was working as recently as two weeks ago and my version has not changed.
Below is the log. I'm more used to seeing this:

system.log.1:Jun 28 04:40:55 naruto sshguard[785]: Blocking
118.97.232.236:4for >420secs: 4 failures
over 2 seconds.

Now I get:

Successfully resolved 'ec2-12-12-12-12.compute-1.amazonaws.com' -->
4:'12.12.12.12'.



Any input of why it may not be working is appriciated.

whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain ip 127.0.0.1.
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto
sshd[2229]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 121 ("error: PAM: authentication error for
daniel from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 7
Reading a token: --accepting rule at line 169
("ec2-12-12-12-12.compute-1.amazonaws.com")
Next token is token HOSTADDR ()
Shifting token HOSTADDR ()
Entering state 40
Reducing stack by rule 18 (line 118):
   $1 = token HOSTADDR ()
Successfully resolved 'ec2-12-12-12-12.compute-1.amazonaws.com' -->
4:'12.12.12.12'.
-> $$ = nterm addr ()
Stack now 0 1 7
Entering state 44
Reducing stack by rule 27 (line 187):
   $1 = token SSH_LOGINERR_PAM ()
   $2 = nterm addr ()
-> $$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 25
Reducing stack by rule 20 (line 172):
   $1 = nterm ssh_authfail ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 23
Reducing stack by rule 9 (line 99):
   $1 = nterm sshmsg ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 35
Reducing stack by rule 5 (line 76):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 19
Reducing stack by rule 1 (line 60):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 18
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 179 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto
sshd[2235]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 179 ("in")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
Got exit signal, flushing blocked addresses and exiting...


-- 
"America was founded by men who understood that the threat of domestic
tyranny is as great as any threat from abroad. If we want to be worthy of
their legacy, we must resist the rush toward ever-increasing state control
of our society. Otherwise, our own government will become a greater threat
to our freedoms than any foreign terrorist."
- Ron Paul, Texas Straight Talk, May 31, 2004

[Sshguard-users] Needed configuration file sshguard.conf for daemon script

[Julián M. P. <dar...@gm...>]

Hi Mij,

It would be nice to implement a configuration file sshguard.conf to enable
options such as log sucker, whitelisting, blacklisting, port service and use
them in different services (sshd, sendmail, exim, dovecot, etc), it's more
easier and I can create more generic daemon script to Debian Distribution.

Thank you very much, see you.

Kind Regards,

-- 
Julián Moreno Patiño
Registered GNU Linux User ID 488513
PGP KEY ID 6168BF60

[Sshguard-users] sshguard hostname parsing

[Johan B. <jo...@be...>]

Hey,

While trying to figure out why sshguard never blocked any users I found an issue that perhaps some other users has run into - sshguard seems to disregard log lines with one-letter hostnames (verified in sshguard 1.4, 1.5rc3 and r199). I'm at a Gentoo box if that should matter, with syslog-ng 3.0.4

I use a fictive hostname in style with a.com, and since syslog-ng defaults to options { use_fqdn(no); } the actual log stamp will be something like:
May 21 09:06:35 a sshguard[20427]: Run command "iptables -L": exited 0.

Here's a debug session with the hostname "a":

May 21 09:23:37 a sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 206 ("May 21 09:23:37")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0



Here's a hostname with two characters:

May 21 09:23:37 ab sshd[24341]: Invalid user asd from 123.123.123.123
Checking to refresh sources...
Refreshing sources showed 0 changes.
Checking to refresh sources...
Refreshing sources showed 0 changes.
Read line from '-'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 113 ("May 21 09:23:37 ab sshd[24341]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 214 (" ")
--accepting rule at line 132 ("Invalid user asd from ")
Next token is token SSH_INVALUSERPREF ()
Shifting token SSH_INVALUSERPREF ()
Entering state 6
Reading a token: --accepting rule at line 194 ("123.123.123.123")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 6
Entering state 53
Reducing stack by rule 31 (line 272):
   $1 = token SSH_INVALUSERPREF ()
   $2 = nterm addr ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 262):
   $1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 214 ("
")
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token $end ()
Entering state 70
Stack now 0 23 70
Cleanup: popping token $end ()
Cleanup: popping nterm text ()
Matched address 123.123.123.123:4 attacking service 100, dangerousness 10.
Purging stale attackers.


Not sure if this really is a bug or intentional; but since you can set your hostname to one letter I guess sshguard at least should know about it.

Cheers,
Johan

[Sshguard-users] fifo stops receiving output

[Adam C. <ada...@be...>]

greetings,
I'm adding sshguard (r1.5rc2) to a system running Ubuntu (8.1 / intrepid)

Configure for iptables, looks good
Built from sources, looks good
Configure /etc/syslog.conf as below:

#  /etc/syslog.conf	Configuration file for syslogd.
auth.info;authpriv.info		|/var/log/sshguard.fifo
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog

Restart syslog
/etc/init.d/sysklogd restart

Start sshguard
initctl start sshguard

sshguard works fine as FIFO receives messages

But after a while...FIFO stops receiving messages and so sshguard gets no input to scan.  This seems like an Ubuntu issue but could there be something wrong with my syslog.conf?

thanks
Adam

-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

Hi.

I have tried this with log sucking and direct feed from a FIFO with
similar results.  This is certainly a lot better, but there are still
some false positives:

May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not
allowed because none of user's groups are listed in AllowGroups
May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193'
has been forged for service 100.
May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not
allowed because none of user's groups are listed in AllowGroups
May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not
allowed because none of user's groups are listed in AllowGroups
May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not
allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not
allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for
>630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses
over 12s).
May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not
allowed because none of user's groups are listed in AllowGroups
May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341'
has been forged for service 100.
May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not
allowed because none of user's groups are listed in AllowGroups
May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not
allowed because none of user's groups are listed in AllowGroups
May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not
allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not
allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for
>630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses
over 5s).
May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130
not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376'
has been forged for service 100.
May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130
not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130
not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130
not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130
not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4
for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1
abuses over 9s).
May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not
allowed because none of user's groups are listed in AllowGroups
May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not
allowed because none of user's groups are listed in AllowGroups
May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not
allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not
allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for
>630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses
over 11s).

Robert.

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

Hey Robert,

thanks for your perseverance. I found a subtle regression there.
Please check out r199 and let me know.


On May 12, 2010, at 11:36 , Robert S wrote:

> Sadly this problem still seems to occur in the latest svn version :(
> 
> May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
> May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739'
> has been forged for service 100.
> May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
> May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742'
> has been forged for service 100.
> May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
> May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745'
> has been forged for service 100.
> 
> # ps ax |grep sshguard
> 31623 ?        Sl     0:00 /usr/local/sbin/sshguard -l
> /var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w
> /etc/sshguard.whitelist -f 100:/var/run/sshd.pid

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

Sadly this problem still seems to occur in the latest svn version :(

May 12 16:49:20 hostname sshd[8739]: Invalid user desktop from 67.218.16.28
May 12 16:49:20 hostname sshguard[31623]: Ignore attack as pid '8739'
has been forged for service 100.
May 12 16:49:22 hostname sshd[8742]: Invalid user workshop from 67.218.16.28
May 12 16:49:22 hostname sshguard[31623]: Ignore attack as pid '8742'
has been forged for service 100.
May 12 16:49:24 hostname sshd[8745]: Invalid user mailnull from 67.218.16.28
May 12 16:49:24 hostname sshguard[31623]: Ignore attack as pid '8745'
has been forged for service 100.

 # ps ax |grep sshguard
31623 ?        Sl     0:00 /usr/local/sbin/sshguard -l
/var/log/sshguard.fifo -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist -f 100:/var/run/sshd.pid

[Sshguard-users] sshguard - how to start with Log Sucker

[Karel R. <de...@za...>]

Hi, even thought I have read the documentation and FAQ, I did not find the most important information: how to make our 
server to start sshguard automatically after reboot? I have seen a script for starting older versions, but to be true, I do 
not understand its most important part:  

  sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" |
/usr/local/sbin/sshguard $ARGS > /dev/null

Please could you write a simple FAQ for this? I guess lots of people do want to run sshguard automatically... Or, may be you 
could add a /etc/rc.d/init.d/sshguard into /script directory...  

Kind regards,

Karel Rys

Re: [Sshguard-users] sshguard - how to start with Log Sucker

[Mij <mi...@ss...>]

Users are increasingly asking for this. The distribution does not include
start-up scripts since they are too system-dependant.

Users who wrote a start up script for their system, please submit it.
We'll consider them for inclusion in the distribution or on the website.


On May 6, 2010, at 22:43 , Karel Rys wrote:

> Hi, even thought I have read the documentation and FAQ, I did not 
> find the most important information: how to make our server to start 
> sshguard automatically after reboot? I have seen a script for 
> starting older versions, but to be true, I do not understand its 
> most important part:
> 
>  sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" |
> /usr/local/sbin/sshguard $ARGS > /dev/null
> 
> Please could you write a simple FAQ for this? I guess lots of people 
> do want to run sshguard automatically... Or, may be you could add a 
> /etc/rc.d/init.d/sshguard into /script directory...
> 
> Kind regards,
> 
> Karel Rys
> 
> 
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] About the service code .

[Mij <mi...@ss...>]

fixed, thanks.
For the archives, the reference/oracle is always the "service-codes" page.


On May 8, 2010, at 09:57 , Jing Lu wrote:

> I found the service code of sshd is 10 in this page : http://www.sshguard.net/docs/log-validation/ . But in this page:http://www.sshguard.net/docs/reference/service-codes/, the service code of sshd is 100 . what result of this difference . and which one is useful .
>  
>     Thanks！
>  
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

A missing fclose() could cause this to occur after a while for descriptor
exhaustion; please try r196. Note that, for a few patterns (currently
"Did not receive identification string") procauth can inherently not succeed
as the log message appears after the emitting process exited.


On May 3, 2010, at 13:08 , Robert S wrote:

> Unfortunately process authentication isn't working.  I received 953
> "Ignore" messages today:
> 
> # grep sshguard /var/log/messages
> May  3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922'
> has been forged for service 100.
> May  3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
> May  3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
> May  3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925'
> has been forged for service 100.
> May  3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
> May  3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
> May  3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928'
> has been forged for service 100.
> May  3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
> May  3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.
> 
> There was only one "hit" resulting in a block
> 
> I'm using direct feeding from a fifo:
> 
> # cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b
> /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f
> 100:/var/run/sshd.pid
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] About the service code .

[Jing L. <luj...@gm...>]

I found the service code of sshd is 10 in this page :
http://www.sshguard.net/docs/log-validation/ . But in this page: http://www.
sshguard.net/docs/reference/service-codes/, the service code of sshd is 100
. what result of this difference . and which one is useful .

 

    Thanks！

 

[Sshguard-users] sshguard - how to start with Log Sucker

[Karel R. <ry...@za...>]

Hi, even thought I have read the documentation and FAQ, I did not 
find the most important information: how to make our server to start 
sshguard automatically after reboot? I have seen a script for 
starting older versions, but to be true, I do not understand its 
most important part:

  sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" |
/usr/local/sbin/sshguard $ARGS > /dev/null

Please could you write a simple FAQ for this? I guess lots of people 
do want to run sshguard automatically... Or, may be you could add a 
/etc/rc.d/init.d/sshguard into /script directory...

Kind regards,

Karel Rys

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

Unfortunately process authentication isn't working.  I received 953
"Ignore" messages today:

# grep sshguard /var/log/messages
May  3 18:22:26 hostname sshguard[25226]: Ignore attack as pid '9922'
has been forged for service 100.
May  3 18:22:29 hostname sshguard[9927]: Running 'ps axo pid,ppid'.
May  3 18:22:29 hostname sshguard[25226]: Process 9925 is not child of 4639.
May  3 18:22:29 hostname sshguard[25226]: Ignore attack as pid '9925'
has been forged for service 100.
May  3 18:22:31 hostname sshguard[9930]: Running 'ps axo pid,ppid'.
May  3 18:22:31 hostname sshguard[25226]: Process 9928 is not child of 4639.
May  3 18:22:31 hostname sshguard[25226]: Ignore attack as pid '9928'
has been forged for service 100.
May  3 18:22:34 hostname sshguard[9933]: Running 'ps axo pid,ppid'.
May  3 18:22:34 hostname sshguard[25226]: Process 9931 is not child of 4639.

There was only one "hit" resulting in a block

I'm using direct feeding from a fifo:

# cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -b
/usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist -f
100:/var/run/sshd.pid

[Sshguard-users] startup

[Robert S <rob...@gm...>]

Here's what I use on a debian system.  You'd need to modify the
startGuard function if you want to use the log sucker.
#-----8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><-----
#! /bin/sh
### BEGIN INIT INFO
# Provides:          sshguard
# Required-Start:    $syslog
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ssh guard service"
NAME=sshguard
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
WHITELIST=/etc/sshguard.whitelist
LOG=/var/log/auth.log
. /lib/init/vars.sh
. /lib/lsb/init-functions
[ -f /etc/default/$NAME ] && . /etc/default/$NAME

function startGuard {
    [ -e $WHITELIST ] && ARGS="$ARGS -w $WHITELIST"
    sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" |
/usr/local/sbin/sshguard $ARGS > /dev/null
    return $?
    }


do_start()
{
    [ -e $PIDFILE ] && return 1
    iptables -N sshguard
    iptables -I INPUT 1 -p tcp --dport 22 -j sshguard
    ip6tables -N sshguard
    ip6tables -A INPUT -p tcp --dport 22 -j sshguard
    startGuard &
    [ 0 -ne $? ] && return 2 || return 0
}

do_stop()
{
    kill `cat $PIDFILE`
    RETVAL=$?
    sleep 1
    iptables -D INPUT -p tcp --dport 22 -j sshguard
    iptables -F sshguard
    iptables -X sshguard
    ip6tables -D INPUT -p tcp --dport 22 -j sshguard
    ip6tables -F sshguard
    ip6tables -X sshguard
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	rm -f $PIDFILE
	return "$RETVAL"
}

case "$1" in
  start)
	log_daemon_msg "Starting $DESC" "$NAME"
	do_start
	case "$?" in
		0|1)	log_end_msg 0 ;;
		2) 	log_end_msg 1 ;;
	esac
	;;
  stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	do_stop
	case "$?" in
		0|1)	log_end_msg 0 ;;
		2)	log_end_msg 1 ;;
	esac
	;;
  restart|force-reload)
	log_daemon_msg "Restarting $DESC" "$NAME"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?" in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
	  	# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
	exit 3
	;;
esac
#-----8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><----------8><-----

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

On Apr 29, 2010, at 14:59 , Robert S wrote:

> Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not
> allowed because none of user's groups are listed in AllowGroups
> Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
> Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
> Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has
> been forged for service 100.

This can legitimately occur if sshguard gets the log message after the
process spawning it exited. In practice, this should happen very rarely
with log sucking, say <5% of the times with this pattern on idle servers
(sshguard adjusts the monitoring frequency to the log traffic), and nearly
never with direct feeding. May you observe different numbers feel free to
write in.

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

Hi.

As suggested the statement below fixed the logging issue.

const int sshguard_log_minloglevel = LOG_INFO;

However, there appears to be a problem with process authentication:

Apr 29 22:49:29 myhost sshd[8307]: User root from xxx.xxx.xxx.99 not
allowed because none of user's groups are listed in AllowGroups
Apr 29 22:49:29 myhost sshguard[8310]: Running 'ps axo pid,ppid'.
Apr 29 22:49:29 myhost sshguard[8301]: Process 8307 is not child of 4547.
Apr 29 22:49:29 myhost sshguard[8301]: Ignore attack as pid '8307' has
been forged for service 100.

 # ps ax |grep sshguard
 8301 pts/1    Sl+    0:00 /usr/src/local/sshguard/trunk/src/sshguard
-l /var/log/auth.log -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist -f 100:/var/run/sshd.pid

This problem goes away when I omit the "-f 100:/var/run/sshd.pid" option

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

On Apr 28, 2010, at 23:14 , Robert S wrote:

>> Your backtrace seems intresting. sshguard seems waiting while performing process authentication.
>> Procauth has been there for long and should be stable. Can you please try to temporary disable
>> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
>> insight.
>> 
> 
> I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:
> 
> # sshguard -l /var/log/auth.log -b
> /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
> 
> I've had it running for 24hr and its still running now.  There have
> been two intruders blocked over this time (there seem to be much fewer
> attempted logins lately!).  I think that's fixed it.
> 
> Unfortunately no sshguard activity appears in my syslog - this feature
> seems to have disappeared in recent versions of the software.  It
> seems to be necessary to set the SSHGUARD_DEBUG variable, which gives
> an extremely verbose debug output.  I think that this has led to my
> not realising that sshguard was not working for many months before
> this problem cropped up.  Is it possible to enable logging to syslog -
> or to another log file?

Activity should appear in your syslog, with AUTH facility. There was a change
in recent versions, namely now only output "> LOG_NOTICE" is issued. Curiously,
this change is fruit of other users' requests.
On the one hand, this should be sufficient for normal use (ie, as soon as
you don't have your bug anymore); on the other hand, it's true it makes possible
problems of this sort less apparent. I'll give it a thought and decide something
before 1.5stable.

If you want to temporarily tweak it to your preference, change

	const int sshguard_log_minloglevel = LOG_NOTICE;

to whichever level you prefer in sshguard_log.c .