From: Robert S <rob...@gm...> - 2010-04-14 01:51:19

Thanks. This seems to be an intermittent problem and can be difficult to reproduce. It usually starts some time after I have invoked the sshguard command.

I am running sshguard in a screen session:

    # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist 2>&1 | tee /tmp/sshguard.log

After a while, the logging seems to stop happening:

    Reading a token: --accepting rule at line 133 (" not allowed because none of user's groups are listed in AllowGroups")
    Next token is token SSH_NOTALLOWEDSUFF ()
    Shifting token SSH_NOTALLOWEDSUFF ()
    Entering state 71
    Reducing stack by rule 32 (line 275):
       $1 = token SSH_NOTALLOWEDPREF ()
       $2 = nterm addr ()
       $3 = token SSH_NOTALLOWEDSUFF ()
    -> $$ = nterm ssh_illegaluser ()
    Stack now 0 1
    Entering state 31
    Reducing stack by rule 26 (line 263):
       $1 = nterm ssh_illegaluser ()
    -> $$ = nterm sshmsg ()
    Stack now 0 1
    Entering state 30
    Reducing stack by rule 11 (line 169):
       $1 = nterm sshmsg ()
    -> $$ = nterm msg_single ()
    Stack now 0 1
    Entering state 28
    Reducing stack by rule 9 (line 163):
       $1 = nterm msg_single ()
    -> $$ = nterm logmsg ()
    Stack now 0 1
    Entering state 46
    Reducing stack by rule 5 (line 138):
       $1 = token SYSLOG_BANNER_PID ()
       $2 = nterm logmsg ()

    < nothing happens from here on even if I try to log in again using ssh >

If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing happens to the log output. "top" does not reveal excess use of CPU.

Here is lsof output:

    # lsof |grep sshguard
    sshguard 6376 root cwd DIR 3,6 4096 735903 /root
    sshguard 6376 root rtd DIR 3,6 4096 2 /
    sshguard 6376 root txt REG 3,6 371826 757808 /root/sshguard/sshguard
    sshguard 6376 root mem REG 3,6 1399984 654712 /lib/libc-2.10.1.so
    sshguard 6376 root mem REG 3,6 137284 654892 /lib/libpthread-2.10.1.so
    sshguard 6376 root mem REG 3,6 123168 654880 /lib/ld-2.10.1.so
    sshguard 6376 root 0u CHR 136,1 0t0 4 /dev/pts/1
    sshguard 6376 root 1w FIFO 0,5 0t0 11866 pipe
    sshguard 6376 root 2w FIFO 0,5 0t0 11866 pipe
    sshguard 6376 root 3r REG 3,8 141517 31962 /var/log/auth.log
    sshguard 6376 root 4r FIFO 0,5 0t0 14686 pipe
    sshguard 6376 root 5w FIFO 0,5 0t0 14686 pipe
    tee 6377 root 3w REG 3,6 37094 703149 /tmp/sshguard.log

Here is the ps and gdb output:

    # ps ax |grep sshguard
    6376 pts/1 Sl+ 0:00 sshguard/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
    6377 pts/1 S+ 0:00 tee /tmp/sshguard.log
    6754 pts/0 R+ 0:00 grep --colour=auto sshguard

    # gdb
    warning: Can not parse XML syscalls information; XML support was disabled at compile time.
    GNU gdb (Gentoo 7.0 p2) 7.0
    Copyright (C) 2009 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-pc-linux-gnu".
    For bug reporting instructions, please see:
    <http://bugs.gentoo.org/>.
    (gdb) attach 6376
    Attaching to process 6376
    Reading symbols from /root/sshguard/sshguard...done.
    Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
    [Thread debugging using libthread_db enabled]
    [New Thread 0x7f997084d910 (LWP 6380)]
    Loaded symbols for /lib/libpthread.so.0
    Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
    Loaded symbols for /lib64/ld-linux-x86-64.so.2
    0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
    (gdb) break
    Breakpoint 1 at 0x7f9970bb593f
    (gdb) backtrace full
    #0 0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
    No symbol table info available.
    #1 0x0000000000403e56 in procauth_ischildof (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:210
            retA = <value optimized out>
            pidA = <value optimized out>
            ps2grep = {4, 5}
            pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
            retB = <value optimized out>
            pidB = <value optimized out>
    #2 procauth_isauthoritative (service_code=<value optimized out>, pid=6453) at sshguard_procauth.c:138
    No locals.
    #3 0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
            yystate = <value optimized out>
            yyn = 0
            yyresult = <value optimized out>
            yyerrstatus = 0
            yytoken = 16
            yyss = 0x7fff3782f600
            yyssp = 0x7fff3782f604
            yyvs = 0x7fff3782efc0
            yyvsp = 0x7fff3782efd0
            yystacksize = 200
            yyval = <value optimized out>
            yylen = 2
    #4 0x00000000004082e1 in parse_line (source_id=-194048594, str=<value optimized out>) at attack_parser.y:379
            ret = <value optimized out>
    #5 0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
            tid = 140296994478352
            retv = <value optimized out>
            source_id = 4100918702
            buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from 122.227.43.37 not allowed because none of user's groups are listed in AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000 \371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...

HTH ;-)

From: Mij <mi...@ss...> - 2010-04-11 12:08:19

All of the messages you report should be recognized by sshguard. It may be a problem in the log sucker, although I'd be surprised not to have similar reports earlier. It's more difficult to investigate the problem here then.

Some ways you can proceed, when you notice attacks that aren't being blocked:

1) run a "grep sshguard /var/log/auth.log" (or wherever sshguard logging is sent):
   - any message besides the Blocking ones?
2) do a "ls -l" on the log files you're making sshguard monitor. Is there any fresh? (just rotated)
3) check with top, ps, and lsof (or equivalent for your OS):
   - is sshguard taking significant CPU load? (looping)
   - what is the state reported by ps?
   - what files are open?
4) any change if you suspend and resume sshguard:
   killall -TSTP sshguard
   sleep 2
   killall -CONT sshguard

If you're up for harder stuff, you can proceed with:

1) changing sshguard_log_minloglevel to LOG_DEBUG in src/sshguard_log.c and recompile
2) compile with debug symbols:
   ./configure --enable-debug --with-firewall=yours
   make

then, when observing the "downtime", attach to the running process from gdb:

   ps ax | grep sshguard --> read the PID
   gdb
   (gdb) attach PID
   ...
   (gdb) break
   (gdb) backtrace full

On Apr 11, 2010, at 10:58 , Robert S wrote:

> >> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
> >>
> >> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:
>
> >Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate
> >the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.
>
> >What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
> >See
> >http://www.sshguard.net/docs/setup/getlogs/log-sucker/
>
> I have reinstalled 1.5 and have it running in the background using the log sucker:
>
> # ps ax |grep sshguard
> # 7730 ? Sl 0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:
>
> Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
> Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
> Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.
>
> Later in the day there was an intrusion attempt:
>
> Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> <etc>
>
> .. no attempt by sshguard to block it
>
> I've also tried logging in from www.xxx.yyy.zzz again:
>
> Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
>
> Thus log sucking (and also the syslog) method seem to work initially, but later stop.
>
> If I kill the sshguard process then it works again:
>
> Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.
>
> I can't seem to explain this behaviour. I've tried several versions and nothing before 1.5 seems to work consistently.

From: Robert S <rob...@gm...> - 2010-04-11 08:58:38

>> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
>>
>> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:

>Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate
>the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.

>What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
>See
>http://www.sshguard.net/docs/setup/getlogs/log-sucker/

I have reinstalled 1.5 and have it running in the background using the log sucker:

    # ps ax |grep sshguard
    # 7730 ? Sl 0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:

    Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
    Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
    Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
    Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
    Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
    Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
    Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.

Later in the day there was an intrusion attempt:

    Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
    Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
    Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
    <etc>

.. no attempt by sshguard to block it

I've also tried logging in from www.xxx.yyy.zzz again:

    Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups

Thus log sucking (and also the syslog) method seem to work initially, but later stop.

If I kill the sshguard process then it works again:

    Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
    Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.

I can't seem to explain this behaviour. I've tried several versions and nothing before 1.5 seems to work consistently.

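Added example (not part of the thread and not sshguard code): a Python check for the symptom reported above, where sshd keeps logging rejected logins but no timely sshguard "Blocking" line follows. The log lines are constructed in the formats quoted in the thread; the helper names, the threshold of 4 attack lines, the 20-minute window, the 10-second grace period and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd messages of the kinds quoted in this thread that sshguard should act on.
ATTACK_RE = re.compile(
    r"sshd\[\d+\]: (?:"
    r"User \S+ from (?P<denied>\S+) not allowed because"
    r"|Failed \S+ for (?:invalid user )?\S+ from (?P<failed>\S+) port \d+)"
)
# sshguard's own message, e.g. "Blocking 192.0.2.10:4 for >420secs: ...".
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (?P<addr>\S+):\d+ for ")
STAMP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_events(log_text, year):
    """Yield (timestamp, kind, address) for every timestamped syslog line."""
    for line in log_text.splitlines():
        stamp = STAMP_RE.match(line)
        if not stamp:
            continue
        # Syslog stamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
        block, attack = BLOCK_RE.search(line), ATTACK_RE.search(line)
        if block:
            yield ts, "block", block.group("addr")
        elif attack:
            yield ts, "attack", attack.group("denied") or attack.group("failed")
        else:
            yield ts, "other", None   # still needed to know where the log ends


def find_unblocked(log_text, threshold=4, window=timedelta(minutes=20),
                   grace=timedelta(seconds=10), year=2010):
    """Return (address, time the threshold was reached, attack lines seen)
    for every burst that got no Blocking line within `grace`."""
    events = list(parse_events(log_text, year))
    recent = defaultdict(list)   # address -> attack times inside the window
    pending = {}                 # address -> [time threshold reached, attacks]
    findings = []
    for ts, kind, addr in events:
        if kind == "attack" and addr in pending:
            pending[addr][1] += 1            # still unanswered, keep counting
        elif kind == "attack":
            hits = recent[addr]
            hits.append(ts)
            while ts - hits[0] > window:     # slide the window forward
                hits.pop(0)
            if len(hits) >= threshold:
                pending[addr] = [ts, len(hits)]
                hits.clear()
        elif kind == "block":
            recent.pop(addr, None)
            waited = pending.pop(addr, None)
            if waited and ts - waited[0] > grace:   # blocked, but far too late
                findings.append((addr, waited[0], waited[1]))
    # Bursts still unanswered when the log ends. Skip any whose grace period
    # has not elapsed yet, because the block may still be on its way.
    log_end = events[-1][0] if events else None
    for addr, (reached, count) in pending.items():
        if log_end - reached >= grace:
            findings.append((addr, reached, count))
    return sorted(findings, key=lambda f: f[1])


# --- constructed sample input (documentation addresses, not real hosts) ---
def denied(stamp, pid, addr):
    return (f"Apr 11 {stamp} myhost sshd[{pid}]: User root from {addr} not allowed "
            "because none of user's groups are listed in AllowGroups")


def failed(stamp, pid, addr):
    return (f"Apr 11 {stamp} myhost sshd[{pid}]: Failed keyboard-interactive/pam "
            f"for invalid user root from {addr} port 34596 ssh2")


def blocked(stamp, pid, addr):
    return (f"Apr 11 {stamp} myhost sshguard[{pid}]: Blocking {addr}:4 "
            "for >420secs: 40 danger over 7 seconds.")


SAMPLE_LOG = "\n".join(
    # burst answered at once: healthy behaviour
    [denied("08:17:47", 7743, "192.0.2.10"), failed("08:17:51", 7743, "192.0.2.10"),
     denied("08:17:53", 7746, "192.0.2.10"), failed("08:17:55", 7743, "192.0.2.10"),
     blocked("08:17:55", 7730, "192.0.2.10")]
    # burst that is never answered
    + [denied(f"16:02:{s}", 19986, "198.51.100.7") for s in (35, 38, 41, 44, 47)]
    # burst answered only after sshguard was restarted minutes later
    + [denied(f"18:48:{s}", 20859, "192.0.2.10")
       for s in (28, 33, 36, 39, 42, 45, 47, 50)]
    + [denied("18:52:36", 21020, "192.0.2.10"), denied("18:52:39", 21025, "192.0.2.10"),
       blocked("18:52:40", 20999, "192.0.2.10")]
    # below the threshold: not reported
    + [denied("19:10:01", 21100, "203.0.113.5"), denied("19:10:05", 21102, "203.0.113.5")]
)

if __name__ == "__main__":
    for addr, reached, count in find_unblocked(SAMPLE_LOG):
        print(f"{addr}: threshold reached {reached:%b %d %H:%M:%S}, "
              f"{count} attack lines, no timely Blocking entry")
```

Run from cron against the live auth log, a non-empty result is a cue to start the ps, lsof and gdb checks listed earlier in the thread.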
From: Adam C. <ada...@be...> - 2010-04-09 22:07:14

daemontools works like a charm
thanks!

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

On Apr 8, 2010, at 2:29 AM, Mij wrote:

>
> On Apr 8, 2010, at 8:46 , Adam Cohen wrote:
>
>> occasionally i get a "real" crash and will report that when it happens next
>> but the main thing that seems to take it down is when syslogd restarts
>>
>> im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
>> cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b 2:/var/db/sshguard/blacklist.db
>>
>> whenever i see:
>> syslogd 1.4.1: restart.
>>
>> on /var/log/messages, it is immediately followed by:
>> sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...
>>
>> makes sense why this happens, but how to restart?
>
> Yes, intended/natural behavior.
>
> I have a similar scenario, where I pass logs from one host to a Jail through a fifo/named pipe.
>
> Inside the jail, a process (other than sshguard) gets logs from the fifo. I use indeed
> daemontools to restart automatically the process when the fifo is closed/reset. "supervise"
> avoids loops in case the other end of the fifo is not open as well.
>
> http://cr.yp.to/daemontools.html

From: Mij <mi...@ss...> - 2010-04-08 09:29:14
|
On Apr 8, 2010, at 8:46 , Adam Cohen wrote:

> occasionally i get a "real" crash and will report that when it happens next
> but the main thing that seems to take it down is when syslogd restarts
>
> im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
> cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b 2:/var/db/sshguard/blacklist.db
>
> whenever i see:
> syslogd 1.4.1: restart.
>
> on /var/log/messages, it is immediately followed by:
> sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...
>
> makes sense why this happens, but how to restart?

Yes, intended/natural behavior.

I have a similar scenario, where I pass logs from one host to a Jail through a fifo/named pipe.

Inside the jail, a process (other than sshguard) gets logs from the fifo. I use indeed daemontools to restart automatically the process when the fifo is closed/reset. "supervise" avoid loops in case the other end of the fifo is not open as well.

http://cr.yp.to/daemontools.html |
From: Adam C. <ada...@be...> - 2010-04-08 06:47:05
|
occasionally i get a "real" crash and will report that when it happens next
but the main thing that seems to take it down is when syslogd restarts

im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b 2:/var/db/sshguard/blacklist.db

whenever i see:
syslogd 1.4.1: restart.

on /var/log/messages, it is immediately followed by:
sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...

makes sense why this happens, but how to restart?

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

On Apr 7, 2010, at 1:06 PM, Mij wrote:

> Understand why it goes down beats any monitoring software around :)
> - which version do you run?
> - do you run it from syslog or standalone?
> - any scoop on crashes from the logs? Any core file?
>
> Besides, the answer you crave is probably djb's daemontools.
>
>
> On 07/apr/2010, at 21.11, Adam Cohen <ada...@be...> wrote:
>
>> from time to time sshguard will come down, is there a good way to insure that it gets restarted?
>> i see one possibility is to use inittab and the respawn option, another would be to add a piece of monitoring software
>> any thoughts?
>> thanks
>>
>> --
>> Adam Cohen / IT Manager
>> Energy Biosciences Institute / UC Berkeley
>> 109 Calvin Lab / 510-642-7709
>> http://www.energybiosciencesinstitute.org |
From: Mij <mi...@ss...> - 2010-04-07 20:08:45
|
Understand why it goes down beats any monitoring software around :)
- which version do you run?
- do you run it from syslog or standalone?
- any scoop on crashes from the logs? Any core file?

Besides, the answer you crave is probably djb's daemontools.

On 07/apr/2010, at 21.11, Adam Cohen <ada...@be...> wrote:

> from time to time sshguard will come down, is there a good way to
> insure that it gets restarted?
> i see one possibility is to use inittab and the respawn option,
> another would be to add a piece of monitoring software
> any thoughts?
> thanks
>
> --
> Adam Cohen / IT Manager
> Energy Biosciences Institute / UC Berkeley
> 109 Calvin Lab / 510-642-7709
> http://www.energybiosciencesinstitute.org |
From: Adam C. <ada...@be...> - 2010-04-07 19:11:53
|
from time to time sshguard will come down, is there a good way to insure that it gets restarted?
i see one possibility is to use inittab and the respawn option, another would be to add a piece of monitoring software
any thoughts?
thanks

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org |
From: Mij <mi...@ss...> - 2010-04-02 22:35:48
|
Your iptables -L output appears partial (don't see the header Chain INPUT), but it seems that you did not hook the sshguard chain into INPUT. See

http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/

beware of the notes on default allow/deny.

On Apr 2, 2010, at 19:18 , Christopher Campbell wrote:

> Hi! I've got sshguard up and running, but it's not really blocking connection attempts
> to ssh.
>
> To test it, I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into
> my machine which is running sshguard. From auth.log, I can see that sshguard logged the attacks and "said" that
> the attacking ip was being blocked. However after multiple failed login attempts, I was still able to login.
> Below, from the output of iptables -L, it seems that the ip address is being dropped, and thus, should be blocked.
>
> One caveat, I was using my username, which is the only username allowed in sshd_config. I don't know if this will override
> sshguard's blocking.
>
> >> From auth.log <<
>
> Apr 1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
> Apr 1 22:44:24 sherpa sshguard[4058]: Found!
> Apr 1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
> Apr 1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Apr 1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in 4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0. > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > >> From iptables -L << > > DROP icmp -- anywhere anywhere icmp echo-request > LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound ' > DROP all -- anywhere anywhere > > Chain LSO (0 references) > target prot opt source destination > LOG_FILTER all -- anywhere anywhere > LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound ' > REJECT all -- anywhere anywhere reject-with icmp-port-unreachable > > Chain OUTBOUND (1 references) > target prot opt source destination > ACCEPT icmp -- anywhere anywhere > ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED > ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED > ACCEPT all -- anywhere anywhere > > Chain sshguard (2 references) > target prot opt source destination > > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 121.138.219.132 anywhere > DROP all -- 
121.138.219.132 anywhere
> DROP all -- 121.138.219.132 anywhere
> DROP all -- 121.138.219.132 anywhere
> DROP all -- 121.138.219.132 anywhere
> DROP all -- 121.138.219.132 anywhere
> DROP all -- london.ctis.foothill.fhda.edu anywhere
> DROP all -- london.ctis.foothill.fhda.edu anywhere
> DROP all -- london.ctis.foothill.fhda.edu anywhere
> DROP all -- london.ctis.foothill.fhda.edu anywhere
> DROP all -- london.ctis.foothill.fhda.edu anywhere
> [root@sherpa log]# |
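Added example, not part of the original thread and not sshguard's own code: a shell check for the condition diagnosed in the reply above (blocks land in the `sshguard` chain, but INPUT never jumps to it), plus a count of repeated DROP rules like those in the pasted listing. It goes slightly beyond the reply by also flagging an ACCEPT rule placed before the jump; the function names and sample rulesets are constructed, and the input is assumed to be `iptables -S` output.

```shell
#!/bin/sh
# Added example. Both functions read `iptables -S` output on stdin, e.g.
#   iptables -S | sshguard_hook_status
# The chain name "sshguard" comes from the thread; function names and the
# sample rulesets below are constructed for illustration.

# Prints one of: missing-chain | not-hooked | shadowed | hooked
sshguard_hook_status() {
    awk '
        $1 == "-N" && $2 == "sshguard" { chain = 1 }
        $1 == "-A" && $2 == "INPUT" {
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "sshguard" && !hooked) {
                hooked = 1
                shadowed = early_accept
            }
            # Heuristic: netfilter stops at the first matching terminal rule,
            # so an unconditional ACCEPT or an ACCEPT for port 22 placed
            # before the jump lets SSH traffic bypass the sshguard chain.
            if (target == "ACCEPT" && !hooked && (NF == 4 || $0 ~ /--dport 22( |$)/))
                early_accept = 1
        }
        END {
            if (!chain) print "missing-chain"
            else if (!hooked) print "not-hooked"
            else if (shadowed) print "shadowed"
            else print "hooked"
        }
    '
}

# Prints how many rules in the sshguard chain are repeats of an earlier rule.
sshguard_duplicate_rules() {
    awk '$1 == "-A" && $2 == "sshguard" { if (seen[$0]++) dup++ } END { print dup + 0 }'
}

# Constructed sample: chain exists and fills up, but INPUT never jumps to it.
UNHOOKED='-P INPUT ACCEPT
-N sshguard
-A INPUT -p icmp -j ACCEPT
-A sshguard -s 192.0.2.10/32 -j DROP
-A sshguard -s 192.0.2.10/32 -j DROP
-A sshguard -s 192.0.2.10/32 -j DROP'

# Constructed sample: jump exists, but SSH is accepted before it is reached.
SHADOWED='-P INPUT DROP
-N sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'

# Constructed sample: jump precedes the rule that accepts SSH.
HOOKED='-P INPUT DROP
-N sshguard
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

for name in UNHOOKED SHADOWED HOOKED; do
    eval "rules=\$$name"
    status=$(printf '%s\n' "$rules" | sshguard_hook_status)
    dups=$(printf '%s\n' "$rules" | sshguard_duplicate_rules)
    printf '%s: %s, %s repeated rule(s)\n' "$name" "$status" "$dups"
done
```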
From: Christopher C. <chr...@gm...> - 2010-04-02 17:19:23
|
Hi! I've got sshguard up and running, but it's not really blocking connection attempts to ssh.

To test it, I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into my machine which is running sshguard. From auth.log, I can see that sshguard logged the attacks and "said" that the attacking ip was being blocked. However after multiple failed login attempts, I was still able to login. Below, from the output of iptables -L, it seems that the ip address is being dropped, and thus, should be blocked.

One caveat, I was using my username, which is the only username allowed in sshd_config. I don't know if this will override sshguard's blocking.

>> From auth.log <<

Apr 1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
Apr 1 22:44:24 sherpa sshguard[4058]: Found!
Apr 1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
Apr 1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Apr 1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in 4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- >> From iptables -L << DROP icmp -- anywhere anywhere icmp echo-request LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound ' DROP all -- anywhere anywhere Chain LSO (0 references) target prot opt source destination LOG_FILTER all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound ' REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain OUTBOUND (1 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere Chain sshguard (2 references) target prot opt source destination DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all 
-- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- 121.138.219.132 anywhere DROP all -- london.ctis.foothill.fhda.edu anywhere DROP all -- london.ctis.foothill.fhda.edu anywhere DROP all -- london.ctis.foothill.fhda.edu anywhere DROP all -- london.ctis.foothill.fhda.edu anywhere DROP all -- london.ctis.foothill.fhda.edu anywhere [root@sherpa log]# |
From: Bruno D. <bru...@op...> - 2010-04-01 21:40:01
|
There was a compile problem of -lsocket -lnsl missing which caused this problem. So far, the build works with the changes you suggest and the addition of -lsocket -lnsl. Perhaps you can incorporate it as well.

Built on SunOS sun 5.10 Generic_142900-06 sun4u sparc SUNW,Sun-Blade-2500

[bdelbono@sun ~/sshguard] 14$ gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with: /sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure --prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++ --enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

gcc -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -o sshguard sshguard.o sshguard_whitelist.o sshguard_log.o sshguard_procauth.o sshguard_blacklist.o sshguard_options.o sshguard_logsuck.o simclist.o hash_32a.o parser/libparser.a fwalls/libfwall.a -lpthread
Undefined                       first referenced
 symbol                             in file
__xnet_getaddrinfo                  sshguard_whitelist.o
freeaddrinfo                        sshguard_whitelist.o
inet_pton                           sshguard_whitelist.o
inet_ntop                           sshguard_whitelist.o
gai_strerror                        sshguard_whitelist.o
ld: fatal: Symbol referencing errors. No output written to sshguard
collect2: ld returned 1 exit status
gmake[3]: *** [sshguard] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake: *** [all-recursive] Error 1

On Thu, Apr 1, 2010 at 4:59 PM, Mij <mi...@ss...> wrote:

> Hi Bruno,
>
> in order to avoid to commit a myriad of revisions under the umbrella
> "address Solaris compile problems", let's do it interactively -- I'll commit
> one transaction once it works entirely.
>
> For this one, please try:
>
> 1) edit fnv.h
> 2) before "#include <sys/types.h>" (line 79), add:
> #include <stdint.h>
>
> 3) change "typedef u_int32_t Fnv32_t;" into
> typedef uint32_t Fnv32_t;
>
> let me know if there are further problems.
> michele
>
>
> On Apr 1, 2010, at 21:42 , Bruno Delbono wrote:
>
> >
> >
> > On Thu, Apr 1, 2010 at 4:27 AM, Mij <mi...@ss...> wrote:
> > ok, r187 should generalize the change, please give it a try
> >
> > Cool. Now we're at:
> >
> > gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_logsuck.o -MD -MP -MF .deps/sshguard_logsuck.Tpo -c -o sshguard_logsuck.o sshguard_logsuck.c
> > In file included from sshguard_logsuck.c:34:
> > fnv.h:87: error: syntax error before "Fnv32_t"
> > fnv.h:87: warning: type defaults to `int' in declaration of `Fnv32_t'
> > fnv.h:87: warning: data definition has no type or storage class
> > fnv.h:124: error: syntax error before "fnv_32a_str"
> > fnv.h:124: error: syntax error before "Fnv32_t"
> > fnv.h:124: warning: type defaults to `int' in declaration of `fnv_32a_str'
> > fnv.h:124: warning: data definition has no type or storage class
> > gmake[3]: *** [sshguard_logsuck.o] Error 1
> > gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake[2]: *** [all-recursive] Error 1
> > gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake[1]: *** [all] Error 2
> > gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake: *** [all-recursive] Error 1
> >
> > --
> > Bruno Delbono
> > Open-Systems Group
> > http://www.open-systems.org
> > http://www.mail.ac

--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac |
From: Bruno D. <bru...@op...> - 2010-04-01 19:42:58
|
On Thu, Apr 1, 2010 at 4:27 AM, Mij <mi...@ss...> wrote:

> ok, r187 should generalize the change, please give it a try
>

Cool. Now we're at:

gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_logsuck.o -MD -MP -MF .deps/sshguard_logsuck.Tpo -c -o sshguard_logsuck.o sshguard_logsuck.c
In file included from sshguard_logsuck.c:34:
fnv.h:87: error: syntax error before "Fnv32_t"
fnv.h:87: warning: type defaults to `int' in declaration of `Fnv32_t'
fnv.h:87: warning: data definition has no type or storage class
fnv.h:124: error: syntax error before "fnv_32a_str"
fnv.h:124: error: syntax error before "Fnv32_t"
fnv.h:124: warning: type defaults to `int' in declaration of `fnv_32a_str'
fnv.h:124: warning: data definition has no type or storage class
gmake[3]: *** [sshguard_logsuck.o] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake: *** [all-recursive] Error 1

--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac |
From: Mij <mi...@ss...> - 2010-04-01 15:37:45
|
On Apr 1, 2010, at 11:18 , Johan Bergström wrote:

> Hey,
>
> On 31 mar 2010, at 17.10, Mij wrote:
>
>> Hi Johan,
>>
>> Since that function's signature is sane, and that error doesn't occur in other versions
>> of gcc, I infer that is a compiler snap.
>>
>> If you can't change compiler (as I guess, on your hardware), you can try to:
>
> Regarding my setup: Flashrd/flashdist is basically stock OpenBSD 4.6 but helps you with sticking with a read only system. I can of course add an additional compiler through ports if needed.

you're probably better off compiling from another box then

> What compiler does sshguard recommend for OpenBSD? Perhaps this should be added as a configure check?
>
> Afaik, GCC 2.95 and 3.3.5 are shipped with OpenBSD 4.6. OpenBSD 4.7 (soon released) also seems to ship these - which should imply that sshguard 1.5 won't run on OpenBSD.

I usually keep myself from telling people what compiler to choose; especially under BSD, where it's so tied to the system, and especially in OpenBSD, where GCC is usually significantly patched/extended. What I can say is that 4.x had vast (binary) performance boosts, and much better C99 support.

>> 1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with
>>
>> int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
>> or
>> int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
>>
>> 2) remove the "restrict" qualifier from the same locations, and recompile the entire package
>> (ie, make clean all)
>
> I tried both of these alternatives as well as some dwelling into both but no luck. I don't think the code as is will work with OpenBSD's current compilers.

it can't be that 2) doesn't work :) To go the radical, you can add "-Drestrict=" (nothing after =) to gcc's cflags.

I will consider whether to remove the restrict qualifier for future versions. I'm adverse to patch code up to compiler quirks, but for "restrict" one can be malleable. |
From: Johan B. <jo...@be...> - 2010-04-01 09:18:48
|
Hey,

On 31 mar 2010, at 17.10, Mij wrote:

> Hi Johan,
>
> Since that function's signature is sane, and that error doesn't occur in other versions
> of gcc, I infer that is a compiler snap.
>
> If you can't change compiler (as I guess, on your hardware), you can try to:

Regarding my setup: Flashrd/flashdist is basically stock OpenBSD 4.6 but helps you with sticking with a read only system. I can of course add an additional compiler through ports if needed.

What compiler does sshguard recommend for OpenBSD? Perhaps this should be added as a configure check?

Afaik, GCC 2.95 and 3.3.5 are shipped with OpenBSD 4.6. OpenBSD 4.7 (soon released) also seems to ship these - which should imply that sshguard 1.5 won't run on OpenBSD.

>
> 1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with
>
> int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
> or
> int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
>
> 2) remove the "restrict" qualifier from the same locations, and recompile the entire package
> (ie, make clean all)

I tried both of these alternatives as well as some dwelling into both but no luck. I don't think the code as is will work with OpenBSD's current compilers.

Cheers,
Johan

>
>
> On Mar 30, 2010, at 16:12 , Johan Bergström wrote:
>
>> Hey,
>>
>> It looks like sshguard 1.5 beta 1 through rc1 fails to build on one of my soekris boxes. Output from configure and forward (as well as uname/gcc info) below.
>>
>> 1.4 is currently running on this box with the same configure options.
>>
>> I did some minor research and found this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11942 , feels very unlikely - but it's better to get it out there..
>>
>> Cheers,
>> Johan Bergström
>>
>>
>> [..]
>> Making all in fwalls
>> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
>> In file included from command.c:35:
>> ../sshguard_fw.h:88: error: invalid use of `restrict'
>> command.c:62: error: invalid use of `restrict'
>> *** Error code 1
|
From: Mij <mi...@ss...> - 2010-04-01 08:27:56
|
ok, r187 should generalize the change, please give it a try

On Apr 1, 2010, at 24:50 , Bruno Delbono wrote:

> Hi Mij,
>
> On Wed, Mar 31, 2010 at 11:17 AM, Mij <mi...@ss...> wrote:
> thanks for reporting. Apparently Solaris doesn't expose that definition.
> It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
> http://www.sshguard.net/download/repository/
>
> Check'd out r186. It now fails further down with sshguard_blacklist.c
>
> [...]
> gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard.o -MD -MP -MF .deps/sshguard.Tpo -c -o sshguard.o sshguard.c
> mv -f .deps/sshguard.Tpo .deps/sshguard.Po
> gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_whitelist.o -MD -MP -MF .deps/sshguard_whitelist.Tpo -c -o sshguard_whitelist.o sshguard_whitelist.c
> mv -f .deps/sshguard_whitelist.Tpo .deps/sshguard_whitelist.Po
> gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_log.o -MD -MP -MF .deps/sshguard_log.Tpo -c -o sshguard_log.o sshguard_log.c
> mv -f .deps/sshguard_log.Tpo .deps/sshguard_log.Po
> gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_procauth.o -MD -MP -MF .deps/sshguard_procauth.Tpo -c -o sshguard_procauth.o sshguard_procauth.c
> sshguard_procauth.c: In function `procauth_getprocpid':
> sshguard_procauth.c:162: warning: int format, pid_t arg (arg 3)
> sshguard_procauth.c: In function `procauth_ischildof':
> sshguard_procauth.c:177: warning: int format, pid_t arg (arg 3)
> sshguard_procauth.c:177: warning: int format, pid_t arg (arg 4)
> mv -f .deps/sshguard_procauth.Tpo .deps/sshguard_procauth.Po
> gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_blacklist.o -MD -MP -MF .deps/sshguard_blacklist.Tpo -c -o sshguard_blacklist.o sshguard_blacklist.c
> sshguard_blacklist.c: In function `attacker_serializer':
> sshguard_blacklist.c:79: error: `INET_ADDRSTRLEN' undeclared (first use in this function)
> sshguard_blacklist.c:79: error: (Each undeclared identifier is reported only once
> sshguard_blacklist.c:79: error: for each function it appears in.)
> sshguard_blacklist.c:90: warning: implicit declaration of function `htonl'
> sshguard_blacklist.c: In function `attacker_unserializer':
> sshguard_blacklist.c:129: warning: implicit declaration of function `ntohl'
> gmake[3]: *** [sshguard_blacklist.o] Error 1
> gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake[2]: *** [all-recursive] Error 1
> gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake: *** [all-recursive] Error 1
>
> Warm regards,
>
> --
> Bruno Delbono
> Open-Systems Group
> http://www.open-systems.org
> http://www.mail.ac
|
From: Bruno D. <Bru...@Ma...> - 2010-03-31 23:43:25
|
Hi Mij,

On Wed, Mar 31, 2010 at 11:17 AM, Mij <mi...@ss...> wrote:

> thanks for reporting. Apparently Solaris doesn't expose that definition.
> It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
> http://www.sshguard.net/download/repository/

Check'd out r186. It now fails further down with sshguard_blacklist.c

[...]
gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard.o -MD -MP -MF .deps/sshguard.Tpo -c -o sshguard.o sshguard.c
mv -f .deps/sshguard.Tpo .deps/sshguard.Po
gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_whitelist.o -MD -MP -MF .deps/sshguard_whitelist.Tpo -c -o sshguard_whitelist.o sshguard_whitelist.c
mv -f .deps/sshguard_whitelist.Tpo .deps/sshguard_whitelist.Po
gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_log.o -MD -MP -MF .deps/sshguard_log.Tpo -c -o sshguard_log.o sshguard_log.c
mv -f .deps/sshguard_log.Tpo .deps/sshguard_log.Po
gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_procauth.o -MD -MP -MF .deps/sshguard_procauth.Tpo -c -o sshguard_procauth.o sshguard_procauth.c
sshguard_procauth.c: In function `procauth_getprocpid':
sshguard_procauth.c:162: warning: int format, pid_t arg (arg 3)
sshguard_procauth.c: In function `procauth_ischildof':
sshguard_procauth.c:177: warning: int format, pid_t arg (arg 3)
sshguard_procauth.c:177: warning: int format, pid_t arg (arg 4)
mv -f .deps/sshguard_procauth.Tpo .deps/sshguard_procauth.Po
gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -MT sshguard_blacklist.o -MD -MP -MF .deps/sshguard_blacklist.Tpo -c -o sshguard_blacklist.o sshguard_blacklist.c
sshguard_blacklist.c: In function `attacker_serializer':
sshguard_blacklist.c:79: error: `INET_ADDRSTRLEN' undeclared (first use in this function)
sshguard_blacklist.c:79: error: (Each undeclared identifier is reported only once
sshguard_blacklist.c:79: error: for each function it appears in.)
sshguard_blacklist.c:90: warning: implicit declaration of function `htonl'
sshguard_blacklist.c: In function `attacker_unserializer':
sshguard_blacklist.c:129: warning: implicit declaration of function `ntohl'
gmake[3]: *** [sshguard_blacklist.o] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake: *** [all-recursive] Error 1

Warm regards,

--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac
|
From: Mij <mi...@ss...> - 2010-03-31 15:18:09
|
thanks for reporting. Apparently Solaris doesn't expose that definition.
It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
http://www.sshguard.net/download/repository/

On Mar 31, 2010, at 5:42 , Bruno Delbono wrote:

> Hi folks,
>
> I've been trying to get /sshguard-1.5rc1 working on my system running Solaris 10
>
> 69$ gmake
> Making all in src
> gmake[1]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake all-recursive
> gmake[2]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> Making all in parser
> gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake all-am
> gmake[4]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> In file included from ../sshguard.h:24,
> from attack_parser.y:42:
> ../sshguard_addresskind.h:34: error: `INET6_ADDRSTRLEN' undeclared here (not in a function)
> gmake[4]: *** [attack_parser.o] Error 1
> gmake[4]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake[3]: *** [all] Error 2
> gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake[2]: *** [all-recursive] Error 1
> gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake: *** [all-recursive] Error 1
>
> Warm regards,
>
>
> --
> Bruno Delbono
> Open-Systems Group
> http://www.open-systems.org
> http://www.mail.ac
|
From: Mij <mi...@ss...> - 2010-03-31 15:10:48
|
Hi Johan,

Since that function's signature is sane, and that error doesn't occur in other versions
of gcc, I infer that is a compiler snap.

If you can't change compiler (as I guess, on your hardware), you can try to:

1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with

int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
or
int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {

2) remove the "restrict" qualifier from the same locations, and recompile the entire package
(ie, make clean all)

On Mar 30, 2010, at 16:12 , Johan Bergström wrote:

> Hey,
>
> It looks like sshguard 1.5 beta 1 through rc1 fails to build on one of my soekris boxes. Output from configure and forward (as well as uname/gcc info) below.
>
> 1.4 is currently running on this box with the same configure options.
>
> I did some minor research and found this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11942 , feels very unlikely - but it's better to get it out there..
>
> Cheers,
> Johan Bergström
>
>
> [..]
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> In file included from command.c:35:
> ../sshguard_fw.h:88: error: invalid use of `restrict'
> command.c:62: error: invalid use of `restrict'
> *** Error code 1
|
From: Bruno D. <Bru...@Ma...> - 2010-03-31 04:12:02
|
Hi folks,

I've been trying to get /sshguard-1.5rc1 working on my system running Solaris 10

69$ gmake
Making all in src
gmake[1]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake all-recursive
gmake[2]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
Making all in parser
gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake all-am
gmake[4]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
In file included from ../sshguard.h:24,
from attack_parser.y:42:
../sshguard_addresskind.h:34: error: `INET6_ADDRSTRLEN' undeclared here (not in a function)
gmake[4]: *** [attack_parser.o] Error 1
gmake[4]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake: *** [all-recursive] Error 1

Warm regards,

--
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac
|
From: Johan B. <bu...@be...> - 2010-03-30 14:32:54
|
Hey,

It looks like sshguard 1.5 beta 1 through rc1 fails to build on one of my soekris boxes. Output from configure and forward (as well as uname/gcc info) below.

1.4 is currently running on this box with the same configure options.

I did some minor research and found this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11942 , feels very unlikely - but it's better to get it out there..

Cheers,
Johan Bergström

# ./configure --with-firewall=pf
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for ranlib... ranlib
checking for bison... no
checking for byacc... no
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for pthread_create in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for off_t... yes
checking for pid_t... yes
checking for size_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking return type of signal handlers... void
checking for gethostbyname... yes
checking for inet_ntoa... yes
checking for strerror... yes
checking for strstr... yes
checking for strtol... yes
checking for pfctl... /sbin
configure: Using /sbin as location for pfctl
configure: creating ./config.status
config.status: creating Makefile
config.status: creating man/Makefile
config.status: creating src/Makefile
config.status: creating src/parser/Makefile
config.status: creating src/fwalls/Makefile
config.status: creating src/config.h
config.status: executing depfiles commands

# uname -a
OpenBSD left 4.6 FLASHRD#0 i386

# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd4.6/3.3.5/specs
Configured with:
Thread model: single
gcc version 3.3.5 (propolice)

# make
Making all in src
make all-recursive
Making all in parser
make all-am
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
attack_scanner.c:10502: warning: `yyunput' defined but not used
mv -f .deps/attack_scanner.Tpo .deps/attack_scanner.Po
rm -f libparser.a
ar cru libparser.a attack_parser.o attack_scanner.o
ranlib libparser.a
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
In file included from command.c:35:
../sshguard_fw.h:88: error: invalid use of `restrict'
command.c:62: error: invalid use of `restrict'
*** Error code 1
Stop in /tmp/sshguard-1.5rc1/src/fwalls (line 92 of /usr/share/mk/sys.mk).
*** Error code 1
Stop in /tmp/sshguard-1.5rc1/src (line 363 of Makefile).
*** Error code 1
Stop in /tmp/sshguard-1.5rc1/src (line 212 of Makefile).
*** Error code 1
Stop in /tmp/sshguard-1.5rc1 (line 268 of Makefile).
|
From: Mij <mi...@ss...> - 2010-03-28 13:55:16
|
On Mar 27, 2010, at 20:15 , H wrote:

> Hi all,
>
> I'm running sshguard for some time now and like to extend its use to
> apache access and error logs. The amount of php hack attempts gets annoying.
>
> Can this be done with sshguard too ? It needs to tail multiple log
> files, and parse 40x etc. from apache logs.

The short answer is: easy to do and of interest for the team; some general rules to describe attacks must be collected.

The long answer is:
Version 1.5 introduces two things that make this simple:
- the Log Sucker allows monitoring of multiple log files, and native detection of log rotation
- the engine now gauges how dangerous attacks are, so that many "disturbance hits" or one "punch hit" are treated differently.

with these, defending Apache or any other web server with Common Log Format is just a matter of adding appropriate rules to the parser. Since alternative web servers like nginx/lighttpd/cherokee are on the rise, but solutions like mod_security and mod_evasive are limited to Apache for arguable design choices, sshguard could easily fill the gap serving as an easy-to-deploy, portable, standalone IPS solution.

The only step here is to collect meaningful rules (or call them patterns) that identify attacks from log entries, and how "dangerous" they are. Possibilities are to start from OWASP databases, or match part of the open Core Rule Set from ModSecurity, or simply rely on users with http://www.sshguard.net/support/attacks/submit/ , since this feature is getting increasing response among users.
|
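The rules-plus-dangerousness idea from the message above, as an added example that is not part of the original post and is not sshguard's code: it parses Common Log Format entries and keeps a per-address score, so that several low-weight hits or one high-weight hit both lead to a block. The two rules, their weights, the threshold of 40 and the decoy path `/canary-login.php` are assumptions chosen for illustration, and the log entries are constructed.

```c
/* Added illustration, not sshguard source; rules, weights and threshold are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_THRESHOLD 40               /* assumed blocking score */
#define CANARY_PATH "/canary-login.php"  /* hypothetical decoy URL nobody links to */
#define MAX_SOURCES 32
struct hit    { char addr[64]; char path[256]; int status; };
struct source { char addr[64]; int score; int blocked; };

/* Parse one Common Log Format entry: host ident user [date] "METHOD path PROTO" status bytes
 * The request is client-controlled and may contain escaped quotes, so its closing quote is
 * searched from the right (plain CLF only). Returns 0 on success, -1 on a malformed line. */
int parse_clf(const char *line, struct hit *h)
{
    const char *sp = strchr(line, ' ');
    const char *open = strstr(line, "] \"");
    const char *close = strrchr(line, '"');
    if (!sp || sp == line || (size_t)(sp - line) >= sizeof h->addr) return -1;
    if (!open || !close || close <= open + 2) return -1;
    memcpy(h->addr, line, (size_t)(sp - line));
    h->addr[sp - line] = '\0';
    const char *p = memchr(open + 3, ' ', (size_t)(close - (open + 3)));
    if (!p) return -1;                   /* no "METHOD path" pair */
    p++;
    size_t len = 0;                      /* path ends at space, '?' or the quote */
    while (p + len < close && p[len] != ' ' && p[len] != '?') len++;
    if (len == 0) return -1;
    if (len >= sizeof h->path) len = sizeof h->path - 1;  /* truncate, don't drop */
    memcpy(h->path, p, len);
    h->path[len] = '\0';
    char *end;
    long st = strtol(close + 1, &end, 10);
    if (end == close + 1 || st < 100 || st > 599) return -1;
    h->status = (int)st;
    return 0;
}

int danger_of(const struct hit *h)       /* weight of one hit under the assumed rules */
{
    size_t n = strlen(h->path);
    if (strcmp(h->path, CANARY_PATH) == 0) return BLOCK_THRESHOLD;  /* "punch hit" */
    if (h->status / 100 == 4 && n >= 4 && strcmp(h->path + n - 4, ".php") == 0)
        return 10;                       /* "disturbance hit": takes several */
    return 0;
}

/* Account one line. Returns 1 when it pushes its source over the threshold (where a
 * firewall backend would be called), 0 otherwise, -1 if the line is unparsable. */
int feed(struct source *tab, size_t *n, const char *line)
{
    struct hit h;
    struct source *s = NULL;
    if (parse_clf(line, &h) != 0) return -1;
    int w = danger_of(&h);
    if (w == 0) return 0;
    for (size_t i = 0; i < *n && !s; i++)
        if (strcmp(tab[i].addr, h.addr) == 0) s = &tab[i];
    if (!s) {
        if (*n == MAX_SOURCES) return 0; /* table full; real code would expire stale entries */
        s = &tab[(*n)++];
        strcpy(s->addr, h.addr);         /* both buffers are 64 bytes */
        s->score = s->blocked = 0;
    }
    if (s->blocked) return 0;
    s->score += w;
    return s->blocked = (s->score >= BLOCK_THRESHOLD);
}

static const char *const SAMPLE[] = {    /* constructed log entries */
    "192.0.2.10 - - [27/Mar/2010:20:15:01 +0100] \"GET /index.html HTTP/1.1\" 200 5120",
    "198.51.100.7 - - [27/Mar/2010:20:15:02 +0100] \"GET /setup.php HTTP/1.1\" 404 209",
    "198.51.100.7 - - [27/Mar/2010:20:15:03 +0100] \"GET /admin/config.php?x=1 HTTP/1.1\" 404 209",
    "198.51.100.7 - - [27/Mar/2010:20:15:04 +0100] \"GET /main.php HTTP/1.1\" 404 209",
    "198.51.100.7 - - [27/Mar/2010:20:15:05 +0100] \"GET /old/index.php HTTP/1.1\" 403 199",
    "203.0.113.5 - - [27/Mar/2010:20:15:06 +0100] \"GET /canary-login.php HTTP/1.1\" 404 209",
};

size_t count_blocks(const char *const *lines, size_t cnt)
{
    struct source tab[MAX_SOURCES];
    size_t n = 0, blocks = 0;
    for (size_t i = 0; i < cnt; i++) blocks += (feed(tab, &n, lines[i]) == 1);
    return blocks;
}

int main(void)
{
    printf("sources blocked: %zu\n", count_blocks(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE));
    return 0;
}
```

The right-anchored quote search only holds for plain Common Log Format; the Combined format appends quoted referer and user-agent fields, which would need their own handling.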
From: <ha...@la...> - 2010-03-27 19:15:17
|
Hi all,

I'm running sshguard for some time now and like to extend its use to
apache access and error logs. The amount of php hack attempts gets annoying.

Can this be done with sshguard too ? It needs to tail multiple log
files, and parse 40x etc. from apache logs.

--
Hans
|
From: Mij <mi...@ss...> - 2010-03-18 22:04:39
|
On Mar 17, 2010, at 21:58 , Robert S wrote:

> Thanks.
>
> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
>
> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:

Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.

What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle. See http://www.sshguard.net/docs/setup/getlogs/log-sucker/

>
> Mar 18 07:48:23 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
> Mar 18 07:48:23 hostname sshguard[27966]: authenticating service 100 with process ID from /var/run/sshd.pid
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add block: 192.168.2.0 with mask 24.
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add '127.0.0.1' as plain IPv4.
> Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add plain ip 127.0.0.1.
> Mar 18 07:48:23 hostname sshguard[27966]: Run command "iptables -L": exited 0.
> Mar 18 07:48:23 hostname sshguard[27966]: Blacklist loaded, 0 addresses.
> Mar 18 07:48:23 hostname sshguard[27966]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
|
From: Robert S <rob...@gm...> - 2010-03-17 20:58:15
|
Thanks.

I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.

I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:

Mar 18 07:48:23 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
Mar 18 07:48:23 hostname sshguard[27966]: authenticating service 100 with process ID from /var/run/sshd.pid
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add block: 192.168.2.0 with mask 24.
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add '127.0.0.1' as plain IPv4.
Mar 18 07:48:23 hostname sshguard[27966]: whitelist: add plain ip 127.0.0.1.
Mar 18 07:48:23 hostname sshguard[27966]: Run command "iptables -L": exited 0.
Mar 18 07:48:23 hostname sshguard[27966]: Blacklist loaded, 0 addresses.
Mar 18 07:48:23 hostname sshguard[27966]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
|
From: Mij <mi...@ss...> - 2010-03-17 18:44:25
|
On Mar 17, 2010, at 8:18 , Robert S wrote:

> After a bit of fiddling around it appears that this pattern is being recognised, but there is no evidence of this in my system log. It appears that there are no sshguard messages appearing in my log. For example:
>
> hostname robert # killall -HUP syslog-ng
> hostname robert # tail /var/log/messages
> Mar 17 18:00:32 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
> [ .. other system log messages ]
> hostname robert # ps ax |grep sshguard
> 21209 ? Sl 0:00 /usr/sbin/sshguard -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> I am using syslog-ng 3.0.4 on gentoo. Here is the relevant bit out of my syslog-ng config:
>
> # pass only entries with auth+authpriv facilities from programs other than sshguard
> filter f_sshguard { facility(auth, authpriv) and not program("sshguard"); };
> # pass entries built with this format
> destination sshguard {
> program("/usr/sbin/sshguard -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist"
> template("$DATE $FULLHOST $MSGHDR$MESSAGE\n")
> );
> };
> log { source(src); filter(f_sshguard); destination(sshguard); };

Some of the syslog-ng guys can probably help you better here, but this conf snippet is for sending log entries *to* sshguard only, not for gathering message *from* it.

sshguard logs its activity with AUTH facility. Where these messages go depends on how you configured this facility (destination and level) -- I'm not familiar with gentoo's default configuration. Try a "grep -r sshguard /var/log" if you have no clue.

> I've used the log sucker and SSHGUARD_DEBUG, but this is rather cumbersome and really only useful for debugging.

Yes, DEBUG is meant for debug, not regular use.
|