From: Art S. <art...@gm...> - 2009-09-27 22:58:26
Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine scanning sshd. I've recently installed proftpd 1.3.2a and would like to configure sshguard to scan for proftpd log entries.

I have proftpd set to default syslog. Here are my configurations.

/etc/syslog-ng/syslog-ng.conf
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
#filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
destination sshguardproc {
    program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
log { source(src); filter(f_proftpd); destination(sshguardproc); };

The log format shows up as
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21

If pasted into a debug session of sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 162 ("server.ip")
Next token is token IPv4 ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token IPv4 ()
Stack now 0

Any advice on what I'm doing wrong?

Thanks!

Re: [Sshguard-users] how to configure sshguard for proftpd? <http://sourceforge.net/mailarchive/message.php?msg_name=1ADA3E05-1ABC-4847-808F-DD8F68A46BC3%40sshguard.net>
From: Mij <mij@ss...> - 2009-09-27 11:45
> As I see it, the corresponding rule in the parser is made for
> hostnames instead of raw addresses.
> Some of us will modify it to catch raw addresses in the next days,
> keep an eye on the SVN if you care.
>
> Btw, out of curiosity: is that raw ip resulting from a missing PTR
> (see "dig +short -x <client.ip>") or
> you can configure ProFTP to not reverse look-up client addresses? In
> the latter case, is that the default
> on OpenSusy?
> thanks for reporting

The raw ip is resulting from the use of the option UseReverseDNS set to OFF in proftpd.conf. It is not the default in OpenSuSE, I just happened to turn it off.

I resolved my issue by doing some testing in debug and taking a look at the attack_scanner.l. It didn't like the hostname srvtwc; I found that /etc/hosts had been misconfigured and then set it with FQDN (srvtwc.xxx.xxx), after which scanning was working properly. Both with UseReverseDNS on and off, everything works fine.

When the ban occurs with UseReverseDNS set to off, it still adds the host to iptables instead of the raw ip, but like you said you guys are working on that part.

Regards,
Art
From: Mij <mi...@ss...> - 2009-09-27 11:45:13
As I see it, the corresponding rule in the parser is made for hostnames instead of raw addresses. Some of us will modify it to catch raw addresses in the next days, keep an eye on the SVN if you care.

Btw, out of curiosity: is that raw ip resulting from a missing PTR (see "dig +short -x <client.ip>") or you can configure ProFTP to not reverse look-up client addresses? In the latter case, is that the default on OpenSusy?

thanks for reporting

On Sep 24, 2009, at 10:19 , Art Salihu wrote:

> Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine
> scanning sshd. I've recently installed proftpd 1.3.2a and would
> like to configure sshguard to scan for proftpd log entries.
>
> I have proftpd set to default syslog. Here are my configurations.
>
> /etc/syslog-ng/syslog-ng.conf
> filter sshlogs { facility(auth, authpriv) and match("sshd"); };
> #filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
> destination sshguardproc {
>     program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
> };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
> log { source(src); filter(f_proftpd); destination(sshguardproc); };
>
> The log format shows up as
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
>
> If pasted into a debug session of sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 162 ("server.ip")
> Next token is token IPv4 ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token IPv4 ()
> Stack now 0
>
> Any advice on what I'm doing wrong?
>
> Thanks!
From: Art S. <art...@gm...> - 2009-09-24 08:19:29
Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine scanning sshd. I've recently installed proftpd 1.3.2a and would like to configure sshguard to scan for proftpd log entries.

I have proftpd set to default syslog. Here are my configurations.

/etc/syslog-ng/syslog-ng.conf
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
#filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
destination sshguardproc {
    program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
log { source(src); filter(f_proftpd); destination(sshguardproc); };

The log format shows up as
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21

If pasted into a debug session of sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 162 ("server.ip")
Next token is token IPv4 ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token IPv4 ()
Stack now 0

Any advice on what I'm doing wrong?

Thanks!
From: David H. <dho...@gm...> - 2009-09-23 15:18:01
On Wed, Sep 23, 2009 at 9:10 AM, Emmanuel Alves <man...@gm...> wrote:
> Hi Mmj,
>
> There is my -list output
>
> 00010 allow ip from any to any via lo0
> 00020 deny ip from any to 127.0.0.0/8
> 00030 deny ip from 127.0.0.0/8 to any
> 00040 deny tcp from any to any frag
> 00050 check-state
> 00060 allow tcp from any to any established
> 00070 allow ip from any to any out keep-state
> 00080 allow icmp from any to any
> 00110 allow tcp from any to any dst-port 21 in
> 00120 allow tcp from any to any dst-port 21 out
> 00130 allow tcp from any to any dst-port 22 in

There is a rule ordering issue here. sshguard with ipfw by default uses rules 55000-55050, so any allow rules for ports sshguard is protecting need to be AFTER 55050.

This line (130) will allow anyone in to your ssh port regardless of what sshguard detects, as ipfw only matches the first allow/deny line, then stops processing. You need to change this line as follows:

ipfw delete 130
ipfw add 56000 allow tcp from any to any dst-port 22 in

man ipfw for all the gory details

You can also change the port range that sshguard uses by using a ./configure script parameter:

--with-ipfw-rules-range=MIN-MAX
    Specify the IDs range in which sshguard can put its block rules (Default: "55000-55050")

> 00140 allow tcp from any to any dst-port 22 out
> 00150 allow tcp from any to any dst-port 25 in
> 00160 allow tcp from any to any dst-port 25 out
> 00170 allow udp from any to any dst-port 53 in
> 00175 allow tcp from any to any dst-port 53 in
> 00180 allow udp from any to any dst-port 53 out
> 00185 allow tcp from any to any dst-port 53 out
> 00200 allow tcp from any to any dst-port 80 in
> 00210 allow tcp from any to any dst-port 80 out
> 00220 allow tcp from any to any dst-port 110 in
> 00230 allow tcp from any to any dst-port 110 out
> 00240 allow udp from any to any dst-port 123 in
> 00250 allow udp from any to any dst-port 123 out
> 00260 allow tcp from any to any dst-port 443 in
> 00270 allow tcp from any to any dst-port 443 out
> 00500 deny log logamount 100 ip from any to any
>
> Before, my last entry was
>
> 65000 deny log logamount 100 ip from any to any
>
> Then, i changed to "00500" this morning and now i have a lot of blocks of
> the same ip.

No, leave the deny ip from any to any line at 65000. That is where it belongs.

> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55048 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
>
> ...
>
> 65535 allow ip from any to any
>
> The firewall is blocking?

No, I do not believe ipfw is blocking for you, as your deny rule is after your allow rule. If you do a 'ipfw show' you can see rule matching and packet matching counts as well as the list of rules to be sure. If you see 0 0 as your counts, then you know the rule has never matched anything.

Good Luck.
--Dave

> []s
>
> Emmanuel Alves
> man...@gm...
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
>
> On Wed, Sep 23, 2009 at 9:30 AM, Mij <mi...@ss...> wrote:
>>
>> Hi Emmanuel,
>>
>> I don't quite get from your email: do you see the blocking rules in
>> the IPFW chain?
>> I.e. what does "ipfw list" output after one blocking? You can perform
>> further in-depth tracing by running
>>
>> sshguard -d
>>
>> and pasting in its console multiple times (until you get the blocking)
>> a line such as
>>
>> Invalid user wolff from 192.168.1.66
>>
>> On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:
>>
>> > Hello,
>> >
>> > I'm using sshguard to protect my server against brute force
>> > attacks, I configured the firewall (ipfw) to block all ports
>> > (unlike the default ports - apache, ftp...). But I think that my
>> > sshguard isn't blocking IP addresses that try to force access to SSH.
>> >
>> > This is my log from /var/log/security
>> >
>> > Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
>> > Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
>> > Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
>> > Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
>> >
>> > The same ip is blocked, but it can access again afterwards.
>> >
>> > Is there any configuration in my sshguard to specify the time
>> > one ip address will stay blocked?
>> >
>> > Thanks.
>> >
>> > []s
>> >
>> > Emmanuel Alves
>> > man...@gm...
>> >
>> > ---------------------------------------------------------------------
>> > Twitter: http://www.twitter.com/emartsnet
>> > Linked In: http://www.linkedin.com/in/emartsnet
>> >
>> > _______________________________________________
>> > Sshguard-users mailing list
>> > Ssh...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
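David's point is the first-match semantics: an allow rule numbered below sshguard's 55000-55050 block range fires before the block ever gets a look. The following added example (not ipfw's or sshguard's own code) models that evaluation order on a constructed ruleset and reproduces the "0 0" counters he suggests checking with 'ipfw show'.

```python
"""First-match evaluation of an ipfw-style rule list. Added example, not
ipfw's or sshguard's own code: it models why an 'allow ... dst-port 22 in'
rule numbered 130 defeats sshguard's block rules (55000-55050 by default),
and why moving it to 56000 makes the block effective."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    number: int               # ipfw rule number; lower numbers are checked first
    action: str               # "allow" or "deny"
    proto: str                # "ip" matches any protocol, else "tcp"/"udp"
    src: str                  # source address or "any"
    dst_port: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified ipfw match on protocol, source address and destination port
    (no direction, state or 'established' handling)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """ipfw semantics: rules are walked in ascending number order and the first
    allow/deny that matches decides. Returns e.g. 'deny 55000'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return f"{rule.action} {rule.number}"
    return "allow 65535"   # the poster's kernel default rule, never reached here


def hit_counts(rules: List[Rule], packets: List[Packet]) -> Dict[int, int]:
    """Per-rule match counts, the way 'ipfw show' reports them. A sshguard block
    rule that never fires shows 0, which is the check David suggests."""
    counts = {r.number: 0 for r in rules}
    for pkt in packets:
        fired = int(verdict(rules, pkt).split()[1])
        counts[fired] = counts.get(fired, 0) + 1
    return counts


ATTACKER = "60.217.229.220"   # address from the poster's ipfw list


def ruleset(ssh_allow_number: int) -> List[Rule]:
    """Constructed ruleset modelled on the thread, with the SSH allow rule at
    the given number and sshguard's block rule at 55000."""
    return [
        Rule(10, "allow", "ip", "127.0.0.1", None),            # loopback, simplified
        Rule(ssh_allow_number, "allow", "tcp", "any", 22),     # 130 in the thread
        Rule(55000, "deny", "ip", ATTACKER, None),             # added by sshguard
        Rule(65000, "deny", "ip", "any", None),                # catch-all deny
    ]


def ssh_verdict(ssh_allow_number: int, src: str = ATTACKER) -> str:
    """Which rule decides an inbound SSH packet from src."""
    return verdict(ruleset(ssh_allow_number), Packet("tcp", src, 22))


def block_rule_hits(ssh_allow_number: int, attempts: int = 5) -> int:
    """How many of the attacker's SSH packets sshguard's rule 55000 actually caught."""
    pkts = [Packet("tcp", ATTACKER, 22)] * attempts
    return hit_counts(ruleset(ssh_allow_number), pkts)[55000]


if __name__ == "__main__":
    print("allow at 130  :", ssh_verdict(130), "/ rule 55000 hits:", block_rule_hits(130))
    print("allow at 56000:", ssh_verdict(56000), "/ rule 55000 hits:", block_rule_hits(56000))
    print("legit client  :", ssh_verdict(56000, "192.0.2.10"))
```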
From: Emmanuel A. <man...@gm...> - 2009-09-23 13:10:19
Hi Mmj,

There is my -list output

00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 25 in
00160 allow tcp from any to any dst-port 25 out
00170 allow udp from any to any dst-port 53 in
00175 allow tcp from any to any dst-port 53 in
00180 allow udp from any to any dst-port 53 out
00185 allow tcp from any to any dst-port 53 out
00200 allow tcp from any to any dst-port 80 in
00210 allow tcp from any to any dst-port 80 out
00220 allow tcp from any to any dst-port 110 in
00230 allow tcp from any to any dst-port 110 out
00240 allow udp from any to any dst-port 123 in
00250 allow udp from any to any dst-port 123 out
00260 allow tcp from any to any dst-port 443 in
00270 allow tcp from any to any dst-port 443 out
00500 deny log logamount 100 ip from any to any

Before, my last entry was

65000 deny log logamount 100 ip from any to any

Then, i changed to "00500" this morning and now i have a lot of blocks of the same ip.

55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55048 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me

...

65535 allow ip from any to any

The firewall is blocking?

[]s

Emmanuel Alves
man...@gm...
---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet

On Wed, Sep 23, 2009 at 9:30 AM, Mij <mi...@ss...> wrote:
> Hi Emmanuel,
>
> I don't quite get from your email: do you see the blocking rules in
> the IPFW chain?
> I.e. what does "ipfw list" output after one blocking? You can perform
> further in-depth tracing by running
>
> sshguard -d
>
> and pasting in its console multiple times (until you get the blocking)
> a line such as
>
> Invalid user wolff from 192.168.1.66
>
> On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:
>
> > Hello,
> >
> > I'm using sshguard to protect my server against brute force
> > attacks, I configured the firewall (ipfw) to block all ports
> > (unlike the default ports - apache, ftp...). But I think that my
> > sshguard isn't blocking IP addresses that try to force access to SSH.
> >
> > This is my log from /var/log/security
> >
> > Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
> > Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
> > Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
> > Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
> > Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
> > Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
> > Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
> > Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
> >
> > The same ip is blocked, but it can access again afterwards.
> >
> > Is there any configuration in my sshguard to specify the time
> > one ip address will stay blocked?
> >
> > Thanks.
> >
> > []s
> >
> > Emmanuel Alves
> > man...@gm...
> >
> > ---------------------------------------------------------------------
> > Twitter: http://www.twitter.com/emartsnet
> > Linked In: http://www.linkedin.com/in/emartsnet
From: Mij <mi...@ss...> - 2009-09-23 12:57:31
Hi Emmanuel,

I don't quite get from your email: do you see the blocking rules in the IPFW chain? I.e. what does "ipfw list" output after one blocking? You can perform further in-depth tracing by running

sshguard -d

and pasting in its console multiple times (until you get the blocking) a line such as

Invalid user wolff from 192.168.1.66

On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:

> Hello,
>
> I'm using sshguard to protect my server against brute force
> attacks, I configured the firewall (ipfw) to block all ports
> (unlike the default ports - apache, ftp...). But I think that my
> sshguard isn't blocking IP addresses that try to force access to SSH.
>
> This is my log from /var/log/security
>
> Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
> Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
> Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
> Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
> Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
> Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
> Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
> Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
>
> The same ip is blocked, but it can access again afterwards.
>
> Is there any configuration in my sshguard to specify the time
> one ip address will stay blocked?
>
> Thanks.
>
> []s
>
> Emmanuel Alves
> man...@gm...
>
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
From: Emmanuel A. <man...@gm...> - 2009-09-23 11:57:12
Hello,

I'm using sshguard to protect my server against brute force attacks, I configured the firewall (ipfw) to block all ports (unlike the default ports - apache, ftp...). But I think that my sshguard isn't blocking IP addresses that try to force access to SSH.

This is my log from /var/log/security

Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.

The same ip is blocked, but it can access again afterwards.

Is there any configuration in my sshguard to specify the time one ip address will stay blocked?

Thanks.

[]s

Emmanuel Alves
man...@gm...
---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet
From: Mij <mi...@bi...> - 2009-08-18 08:48:23
Hello,

Please check out HEAD, this was fixed somewhere not long ago. In this specific case, however, all you are risking is some log pollution.

On Aug 12, 2009, at 22:08 , Mr. Mystify wrote:

> Hi,
>
> when testing if command injection is possible with that failure
> (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard 1.1
> I recognized that including the ',' symbol into username breaks proper
> detection of failed logins.
>
> ##################
> # Test command
> ##################
> root@router-bl:~# ssh "test; touch 0wned"@server
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied (publickey,password).
> root@router-bl:~#
>
> ##################
> # /var/log/messages
> ##################
> Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
>
> But iptables sshguard chain remains empty:
> ##################
> # iptables chain
> ##################
> /var/log$ sudo iptables -L sshguard -nv
> Chain sshguard (1 references)
>  pkts bytes target     prot opt in     out     source               destination
From: Mr. M. <che...@gm...> - 2009-08-12 20:09:15
|
Hi, when testing if command injection is possible with that failure (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard 1.1 I recognized that including the ',' symbol in the username breaks proper detection of failed logins.

##################
# Test command
##################
root@router-bl:~# ssh "test; touch 0wned"@server
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied (publickey,password).
root@router-bl:~#

##################
# /var/log/messages
##################
Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2

But the iptables sshguard chain remains empty:

##################
# iptables chain
##################
/var/log$ sudo iptables -L sshguard -nv
Chain sshguard (1 references)
 pkts bytes target     prot opt in     out     source               destination

Regards,
Mystify

On Tue, 2009-08-04 at 16:17 +0200, Mij wrote:
> Hello Jochem,
>
> what SSHGuard version are you using?
>
>
> On Aug 2, 2009, at 22:06 , Jochem Oosterveen wrote:
>
> > Hi there,
> >
> > I would like to submit a bug report.
> >
> > jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
> > Password:
> > Password:
> > Password:
> > Permission denied (publickey,keyboard-interactive).
> > jochem@office:~$
> >
> > Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
> > Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
> > Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.
> >
> > melon# pfctl -t sshguard -T show
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > 123.123.123.123
> > melon#
> >
> > Obviously, sshguard is blocking the wrong IP.
> >
> > Kind regards,
> > Jochem Oosterveen
> >
> > ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> > trial. Simplify your report design, integration and deployment - and focus on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
From: Mij <mi...@bi...> - 2009-08-06 14:01:44
|
On Aug 4, 2009, at 21:08 , Peter Beckman wrote:
> 1.4rc5 is out. I didn't build an sshguard-devel port, but maybe I should
> and submit it to Mij.

You're welcome to submit your work directly to the FreeBSD project. Maintaining a well-made FreeBSD port is a pain in the a55 which I prefer not to extend any further on my side.

Ideally the -devel port should reflect the master, that is, you should break it down as sshguard + the three port variants for the different firewall backends. Consider copying as much as possible from the current ports for stable.

> /usr/ports/security/sshguard-devel --> cat distinfo
> MD5 (sshguard-1.4rc5.tar.bz2) = ff57d62bb8891fe06748bc7c3968ff37
> SHA256 (sshguard-1.4rc5.tar.bz2) = d12565cb7344113ada38a21abf7875c24aa073e0fe728f1d7d3e61b1f041567b
> SIZE (sshguard-1.4rc5.tar.bz2) = 153697
>
> /usr/ports/security --> diff -u sshguard/Makefile sshguard-devel/Makefile
> --- sshguard/Makefile Sat Oct 4 18:36:11 2008
> +++ sshguard-devel/Makefile Tue Jul 21 19:05:36 2009
> @@ -6,14 +6,15 @@
>  #
>
>  PORTNAME= sshguard
> -PORTVERSION= 1.3
> +UNIQUENAME= sshguard-devel
> +PORTVERSION= 1.4rc5
>  CATEGORIES= security
>  MASTER_SITES= SF
>
>  MAINTAINER= mi...@bi...
>  COMMENT?= Protect hosts from brute force attacks against ssh and other services
>
> -CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.*
> +CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* sshguard-devel-1.* sshguard-devel-pf-1.*
>
>  PLIST_FILES= sbin/sshguard
>
> It still installs incorrectly as sshguard-1.4rc5 because I didn't take the
> time to figure out how to make it install as sshguard-devel-1.4rc5, but
> these two modifications make the sshguard port install 1.4rc5 nicely.
>
> Beckman
>
> On Tue, 4 Aug 2009, Jochem Oosterveen wrote:
>
>> Hi Mij,
>>
>> On Aug 4, 2009, at 4:17 PM, Mij wrote:
>>> what SSHGuard version are you using?
>>
>> The one currently in the FreeBSD ports tree:
>>
>> [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
>> MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
>> SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
>> SIZE (sshguard-1.3.tar.bz2) = 140745
>>
>
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> be...@an...                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
|
From: Jochem O. <jo...@ai...> - 2009-08-06 13:25:25
|
On Aug 6, 2009, at 3:21 PM, Mij wrote:
> This was a mistake in the flex rule for the "Invalid user pattern",
> now fixed in HEAD.
> As we decided to wait for Federico to finish up the new website before
> releasing 1.4 stable, we'll probably wrap up the recent changes in a further
> 1.4rc6 in a few days. Thanks for reporting.

Cool, thanks for fixing. :)
|
From: Mij <mi...@bi...> - 2009-08-06 13:22:10
|
This was a mistake in the flex rule for the "Invalid user pattern", now fixed in HEAD.
As we decided to wait for Federico to finish up the new website before releasing 1.4 stable, we'll probably wrap up the recent changes in a further 1.4rc6 in a few days. Thanks for reporting.

On Aug 4, 2009, at 16:30 , Jochem Oosterveen wrote:
> Hi Mij,
>
> On Aug 4, 2009, at 4:17 PM, Mij wrote:
>> what SSHGuard version are you using?
>
> The one currently in the FreeBSD ports tree:
>
> [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
> MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
> SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
> SIZE (sshguard-1.3.tar.bz2) = 140745
|
From: Peter B. <be...@an...> - 2009-08-04 19:08:39
|
1.4rc5 is out. I didn't build an sshguard-devel port, but maybe I should and submit it to Mij.

/usr/ports/security/sshguard-devel --> cat distinfo
MD5 (sshguard-1.4rc5.tar.bz2) = ff57d62bb8891fe06748bc7c3968ff37
SHA256 (sshguard-1.4rc5.tar.bz2) = d12565cb7344113ada38a21abf7875c24aa073e0fe728f1d7d3e61b1f041567b
SIZE (sshguard-1.4rc5.tar.bz2) = 153697

/usr/ports/security --> diff -u sshguard/Makefile sshguard-devel/Makefile
--- sshguard/Makefile Sat Oct 4 18:36:11 2008
+++ sshguard-devel/Makefile Tue Jul 21 19:05:36 2009
@@ -6,14 +6,15 @@
 #

 PORTNAME= sshguard
-PORTVERSION= 1.3
+UNIQUENAME= sshguard-devel
+PORTVERSION= 1.4rc5
 CATEGORIES= security
 MASTER_SITES= SF

 MAINTAINER= mi...@bi...
 COMMENT?= Protect hosts from brute force attacks against ssh and other services

-CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.*
+CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* sshguard-devel-1.* sshguard-devel-pf-1.*

 PLIST_FILES= sbin/sshguard

It still installs incorrectly as sshguard-1.4rc5 because I didn't take the time to figure out how to make it install as sshguard-devel-1.4rc5, but these two modifications make the sshguard port install 1.4rc5 nicely.

Beckman

On Tue, 4 Aug 2009, Jochem Oosterveen wrote:

> Hi Mij,
>
> On Aug 4, 2009, at 4:17 PM, Mij wrote:
>> what SSHGuard version are you using?
>
> The one currently in the FreeBSD ports tree:
>
> [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
> MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
> SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
> SIZE (sshguard-1.3.tar.bz2) = 140745
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
be...@an...                                 http://www.angryox.com/
---------------------------------------------------------------------------
|
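Review bot: UNIQUENAME= sshguard-devel does not enter the package name, which bsd.port.mk builds from PORTNAME, PKGNAMESUFFIX and PORTVERSION, so the port keeps installing as sshguard-1.4rc5 exactly as the message notes; adding `PKGNAMESUFFIX= -devel` next to PORTNAME in this hunk is what yields sshguard-devel-1.4rc5. The CONFLICTS line in the same hunk should then list the stable packages this port replaces (sshguard-1.* alongside the existing sshguard-ipfilter-1.*, sshguard-ipfw-1.* and sshguard-pf-1.*) rather than sshguard-devel-1.*, which would match the -devel port's own package; the stable sshguard port's CONFLICTS is the place for sshguard-devel-1.*.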
From: Jochem O. <jo...@ai...> - 2009-08-04 14:30:35
|
Hi Mij,

On Aug 4, 2009, at 4:17 PM, Mij wrote:
> what SSHGuard version are you using?

The one currently in the FreeBSD ports tree:

[jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
SIZE (sshguard-1.3.tar.bz2) = 140745
|
From: Mij <mi...@bi...> - 2009-08-04 14:17:58
|
Hello Jochem,

what SSHGuard version are you using?


On Aug 2, 2009, at 22:06 , Jochem Oosterveen wrote:
> Hi there,
>
> I would like to submit a bug report.
>
> jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
> Password:
> Password:
> Password:
> Permission denied (publickey,keyboard-interactive).
> jochem@office:~$
>
> Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
> Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
> Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.
>
> melon# pfctl -t sshguard -T show
> No ALTQ support in kernel
> ALTQ related functions disabled
> 123.123.123.123
> melon#
>
> Obviously, sshguard is blocking the wrong IP.
>
> Kind regards,
> Jochem Oosterveen
|
From: Jochem O. <jo...@ai...> - 2009-08-02 20:33:50
|
Hi there,

I would like to submit a bug report.

jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
jochem@office:~$

Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.

melon# pfctl -t sshguard -T show
No ALTQ support in kernel
ALTQ related functions disabled
123.123.123.123
melon#

Obviously, sshguard is blocking the wrong IP.

Kind regards,
Jochem Oosterveen
|
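An added example (not sshguard's own flex/bison parser) for the two sshd reports in this thread, Jochem's "test from 123.123.123.123" user name above and Mystify's "test; touch 0wned" one at the top: a naive rule that stops at the first " from <addr>" after the user name hands back whichever address the client wrote into the user name, while a rule that pins the source address to the end of the line (the last " from <addr>", with its optional " port N ssh2" tail) recovers the real peer for both. The log lines are the ones quoted on this page.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Naive rule, the kind this thread shows failing: the user name is matched
# lazily and the address is the FIRST " from <addr>" after it, so a client
# that calls itself "test from 123.123.123.123" picks the address that gets
# reported (and blocked).
NAIVE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \S+ for invalid user) "
    r"(?P<user>.+?) from (?P<ip>" + IPV4 + r")"
)

# Hardened rule: the user name is matched greedily and the source address is
# the LAST " from <addr>" on the line, pinned to the end of the line (with the
# optional " port N ssh2" tail). Whatever the client puts in the user name,
# another "from a.b.c.d" or a "; touch 0wned", stays inside the user group
# and never reaches the address group.
ANCHORED = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \S+ for invalid user) "
    r"(?P<user>.*) from (?P<ip>" + IPV4 + r")(?: port (?P<port>\d+) ssh2)?$"
)


class Failure(NamedTuple):
    user: str
    source: str
    port: Optional[int]


def naive_source(line: str) -> Optional[str]:
    """Source address as the naive rule sees it (None if the line is no failure)."""
    m = NAIVE.search(line)
    return m.group("ip") if m else None


def parse_failure(line: str) -> Optional[Failure]:
    """Parse one sshd failed-login line with the anchored rule."""
    m = ANCHORED.search(line)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return Failure(m.group("user"), m.group("ip"), port)


def anchored_source(line: str) -> Optional[str]:
    f = parse_failure(line)
    return f.source if f else None


def count_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Failures per real source address, the input a blocking decision needs."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_failure(line)
        if f:
            counts[f.source] += 1
    return dict(counts)


# Lines copied from the two reports in this thread.
LINES = [
    "Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146",
    "Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2",
    "Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232",
    "Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2",
]

if __name__ == "__main__":
    for line in LINES:
        print(f"naive={naive_source(line)!s:18} anchored={anchored_source(line)}")
    print(count_failures(LINES))
```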
From: Mij <mi...@bi...> - 2009-07-31 11:44:36
|
On Jul 31, 2009, at 12:53 , Tobias Lott wrote:
>>> Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
>>>
>>> # pfctl -t sshguard -T show
>>> ::ffff:CC.CC.CC.CC
>>
>> looks good, what's wrong?
>
> The problem is that ::ffff:CC.CC.CC.CC is not a valid IP address for PF.
> Somehow Proftpd just puts ::ffff: in front of the real IPv4 address so
> that's gotta be stripped off. Think I should dig up why proftpd is doing
> that.

It is a valid IPv6 address (IPv4 transitional), you read it as ::ffff:cccc:cccc.
I bet PF does not insert an address into a table without validating it. If you don't see blocking applied, try checking the rule itself.
|
From: Tobias L. <tl...@ga...> - 2009-07-31 10:53:50
|
On Fri, 31 Jul 2009 10:47:26 +0200
Mij <mi...@bi...> wrote:

>
> On Jul 31, 2009, at 02:57 , Tobias Lott wrote:
>
> > Dovecot looks fine:
> > Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> > Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.
> >
> > # pfctl -t sshguard -T show
> > CC.CC.CC.CC
> >
> >
> > Proftpd doesn't look that fine:
> > Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> > Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
> > Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
> > Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
> > Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> > Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
> > Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
> >
> > # pfctl -t sshguard -T show
> > ::ffff:CC.CC.CC.CC
>
> looks good, what's wrong?

The problem is that ::ffff:CC.CC.CC.CC is not a valid IP address for PF.
Somehow Proftpd just puts ::ffff: in front of the real IPv4 address so that's gotta be stripped off. Think I should dig up why proftpd is doing that.

--
Tobias Lott
|
From: Mij <mi...@bi...> - 2009-07-31 08:47:40
|
On Jul 31, 2009, at 02:57 , Tobias Lott wrote:
> Dovecot looks fine:
> Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.
>
> # pfctl -t sshguard -T show
> CC.CC.CC.CC
>
>
> Proftpd doesn't look that fine:
> Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
> Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
> Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
> Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
> Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
>
> # pfctl -t sshguard -T show
> ::ffff:CC.CC.CC.CC

looks good, what's wrong?
|
From: Tobias L. <tl...@ga...> - 2009-07-31 00:57:38
|
Dovecot looks fine:
Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.

# pfctl -t sshguard -T show
CC.CC.CC.CC


Proftpd doesn't look that fine:
Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.

# pfctl -t sshguard -T show
::ffff:CC.CC.CC.CC

On Thu, 30 Jul 2009 23:18:51 +0200
Mij <mi...@bi...> wrote:

> Hi Tobi
>
> please have a look at the current head.
>
>
> On Jul 29, 2009, at 14:00 , Tobias Lott wrote:
>
> > Thanks for looking into it, I've submitted both like suggested.
> >
> > Hope it really got submitted, since I only got a blank site
> > response, maybe a lil response like "Input submitted" would help to
> > be sure that you guys really got the needed information.
> >
> > On Fri, 24 Jul 2009 11:00:01 +0200
> > Mij <mi...@bi...> wrote:
> >
> >> This is an exemplar post -- precise description of the problem,
> >> validation wrt the SVN version, and supply of the necessary data.
> >>
> >> Yes, please submit to
> >> http://sshguard.sourceforge.net/newattackpatt.php
> >>
> >> We periodically use that for new inclusions and fixes or updates of
> >> the patterns. Posting to the ml may give some more highlight, but
> >> the reference source for us is that one.
> >>
> >> We'll have a look before releasing 1.4.
> >>
> >>
> >> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
> >>
> >>> Hi
> >>>
> >>> I'm using sshguard for more than a year now, worked without a
> >>> problem. But lately I've noticed a lot of proftpd and dovecot
> >>> bruteforces not getting blocked.
> >>>
> >>> I've checked if sshguard gets the correct log information with
> >>> tee, tried FreeBSD Port (1.3
> >>> http://www.freshports.org/security/sshguard-pf/) and latest svn
> >>> (revision 121) both with the same result.
> >>>
> >>>
> >>> dovecot log:
> >>> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> >>>
> >>>
> >>> proftpd log:
> >>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >>>
> >>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >>>
> >>>
> >>> syslog.conf:
> >>> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
> >>>
> >>> Debug Output:
> >>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> >>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> >>> Next token is token SYSLOG_BANNER_PID ()
> >>> Shifting token SYSLOG_BANNER_PID ()
> >>> Entering state 1
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 144 ("server_hostname (client_hostname[")
> >>> Next token is token PROFTPD_LOGINERR_PREF ()
> >>> Shifting token PROFTPD_LOGINERR_PREF ()
> >>> Entering state 15
> >>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> >>> Next token is token IPv6 ()
> >>> Shifting token IPv6 ()
> >>> Entering state 39
> >>> Reducing stack by rule 17 (line 111):
> >>>    $1 = token IPv6 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 1 15
> >>> Entering state 52
> >>> Reading a token: --accepting rule at line 176 (".")
> >>> Next token is token $undefined ()
> >>> Error: popping nterm addr ()
> >>> Stack now 0 1 15
> >>> Error: popping token PROFTPD_LOGINERR_PREF ()
> >>> Stack now 0 1
> >>> Error: popping token SYSLOG_BANNER_PID ()
> >>> Stack now 0
> >>> Cleanup: discarding lookahead token $undefined ()
> >>> Stack now 0
> >>>
> >>>
> >>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> >>> Next token is token SYSLOG_BANNER_PID ()
> >>> Shifting token SYSLOG_BANNER_PID ()
> >>> Entering state 1
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 144 ("server_hostname (client_hostname[")
> >>> Next token is token PROFTPD_LOGINERR_PREF ()
> >>> Shifting token PROFTPD_LOGINERR_PREF ()
> >>> Entering state 15
> >>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> >>> Next token is token IPv6 ()
> >>> Shifting token IPv6 ()
> >>> Entering state 39
> >>> Reducing stack by rule 17 (line 111):
> >>>    $1 = token IPv6 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 1 15
> >>> Entering state 52
> >>> Reading a token: --accepting rule at line 176 (".")
> >>> Next token is token $undefined ()
> >>> Error: popping nterm addr ()
> >>> Stack now 0 1 15
> >>> Error: popping token PROFTPD_LOGINERR_PREF ()
> >>> Stack now 0 1
> >>> Error: popping token SYSLOG_BANNER_PID ()
> >>> Stack now 0
> >>> Cleanup: discarding lookahead token $undefined ()
> >>> Stack now 0
> >>> </proftpd>
> >>>
> >>> <dovecot>
> >>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> >>> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
> >>> Starting parse
> >>> Entering state 0
> >>> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> >>> Next token is token SYSLOG_BANNER ()
> >>> Shifting token SYSLOG_BANNER ()
> >>> Entering state 2
> >>> Reading a token: --accepting rule at line 173 (" ")
> >>> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> >>> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Entering state 11
> >>> Reading a token: --(end of buffer or a NUL)
> >>> --accepting rule at line 157 ("87.230.101.86")
> >>> Next token is token IPv4 ()
> >>> Shifting token IPv4 ()
> >>> Entering state 38
> >>> Reducing stack by rule 16 (line 107):
> >>>    $1 = token IPv4 ()
> >>> -> $$ = nterm addr ()
> >>> Stack now 0 2 11
> >>> Entering state 48
> >>> Reading a token: --(end of buffer or a NUL)
> >>> --accepting rule at line 173 ("
> >>> ")
> >>> --(end of buffer or a NUL)
> >>> --EOF (start condition 4)
> >>> Now at end of input.
> >>> Error: popping nterm addr ()
> >>> Stack now 0 2 11
> >>> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> >>> Stack now 0 2
> >>> Error: popping token SYSLOG_BANNER ()
> >>> Stack now 0
> >>> Stack now 0
> >>>
> >>>
> >>> Should I post the syslog messages via newattackpatt?
> >>> Or is this another problem?
> >>>
> >>> Greetings
> >>>
> >>> --
> >>> Tobias Lott
> >
> > --
> > Tobias Lott
>

--
Tobias Lott
|
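An added example (not sshguard's code and not the flex/bison grammar traced in the quoted debug output above) for the proftpd and dovecot lines in this thread: it takes the proftpd client address whole from its "[...]" brackets, where the traced IPv6 rule stopped after "::ffff:XX" and failed on the dot, takes dovecot's rip= rather than the lip= the trace shows being handed to the parser, and unwraps IPv4-mapped IPv6 literals before the address would reach a pf table, following Mij's reading of ::ffff:CC.CC.CC.CC as ::ffff:cccc:cccc. The sample lines are constructed from the posted ones with documentation-range addresses in place of the redacted XX/CC/SS octets.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Failure(NamedTuple):
    service: str
    user: str
    address: str  # normalized form, what a pf/ipfw table should receive


# proftpd writes the client literal inside "(host[ADDR])". Taking everything
# between the brackets accepts "a.b.c.d", "2001:db8::1" and the IPv4-mapped
# "::ffff:a.b.c.d" form seen in this thread, instead of tokenizing the hex
# part only and choking on the dotted tail.
PROFTPD = re.compile(
    r"proftpd\[\d+\]: \S+ \(\S+\[(?P<addr>[^\]]+)\]\) - USER (?P<user>[^\s:]+)"
    r"(?::| \(Login failed\))"
)

# dovecot: the remote address is rip=, not lip=. Consuming "rip=..., lip=" as
# a prefix, as the traced rule did, leaves the parser the local address,
# which is the wrong host to block.
DOVECOT = re.compile(
    r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<addr>[^,\s]+), lip="
)


def normalize_address(literal: str) -> str:
    """Validate the literal and unwrap IPv4-mapped IPv6 addresses.

    "::ffff:198.51.100.7" and "::ffff:c633:6407" spell the same IPv6 address;
    the peer behind it is an IPv4 client, so the embedded IPv4 address is what
    a v4 table has to contain.  Raises ValueError on anything that is not an
    address, so junk never reaches the firewall command.
    """
    addr = ipaddress.ip_address(literal)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_failure(line: str) -> Optional[Failure]:
    """Return the failed login behind a proftpd/dovecot line, or None."""
    for service, pattern in (("proftpd", PROFTPD), ("dovecot", DOVECOT)):
        m = pattern.search(line)
        if m:
            return Failure(service, m.group("user"), normalize_address(m.group("addr")))
    return None


def blocklist(lines) -> List[str]:
    """Distinct normalized source addresses that produced a login failure."""
    return sorted({f.address for f in map(parse_failure, lines) if f})


# Constructed sample lines, modelled on the ones posted in this thread with
# the redacted octets replaced by documentation-range addresses.
SAMPLE = [
    "Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:198.51.100.7]) - USER nouser: no such user found from client_hostname [::ffff:198.51.100.7] to ::ffff:203.0.113.10:21",
    "Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:198.51.100.7]) - USER mysql (Login failed): Limit access denies login",
    "Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:198.51.100.7]) - FTP session closed.",
    "Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[2001:db8::25]) - USER mysql (Login failed): Limit access denies login",
    "Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_failure(line))
    print(blocklist(SAMPLE))
```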
From: Mij <mi...@bi...> - 2009-07-30 21:19:10
|
Hi Tobi

please have a look at the current head.


On Jul 29, 2009, at 14:00 , Tobias Lott wrote:
> Thanks for looking into it, I've submitted both like suggested.
>
> Hope it really got submitted, since I only got a blank site response,
> maybe a lil response like "Input submitted" would help to be sure that
> you guys really got the needed information.
>
> On Fri, 24 Jul 2009 11:00:01 +0200
> Mij <mi...@bi...> wrote:
>
>> This is an exemplar post -- precise description of the problem,
>> validation wrt the SVN version, and supply of the necessary data.
>>
>> Yes, please submit to
>> http://sshguard.sourceforge.net/newattackpatt.php
>>
>> We periodically use that for new inclusions and fixes or updates of
>> the patterns. Posting to the ml may give some more highlight, but the
>> reference source for us is that one.
>>
>> We'll have a look before releasing 1.4.
>>
>>
>> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
>>
>>> Hi
>>>
>>> I'm using sshguard for more than a year now, worked without a
>>> problem. But lately I've noticed a lot of proftpd and dovecot
>>> bruteforces not getting blocked.
>>>
>>> I've checked if sshguard gets the correct log information with tee,
>>> tried FreeBSD Port (1.3
>>> http://www.freshports.org/security/sshguard-pf/) and latest svn
>>> (revision 121) both with the same result.
>>>
>>>
>>> dovecot log:
>>> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
>>>
>>>
>>> proftpd log:
>>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
>>>
>>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
>>>
>>>
>>> syslog.conf:
>>> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
>>>
>>> Debug Output:
>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 144 ("server_hostname (client_hostname[")
>>> Next token is token PROFTPD_LOGINERR_PREF ()
>>> Shifting token PROFTPD_LOGINERR_PREF ()
>>> Entering state 15
>>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
>>> Next token is token IPv6 ()
>>> Shifting token IPv6 ()
>>> Entering state 39
>>> Reducing stack by rule 17 (line 111):
>>>    $1 = token IPv6 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 1 15
>>> Entering state 52
>>> Reading a token: --accepting rule at line 176 (".")
>>> Next token is token $undefined ()
>>> Error: popping nterm addr ()
>>> Stack now 0 1 15
>>> Error: popping token PROFTPD_LOGINERR_PREF ()
>>> Stack now 0 1
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token $undefined ()
>>> Stack now 0
>>>
>>>
>>> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
>>> Next token is token SYSLOG_BANNER_PID ()
>>> Shifting token SYSLOG_BANNER_PID ()
>>> Entering state 1
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 144 ("server_hostname (client_hostname[")
>>> Next token is token PROFTPD_LOGINERR_PREF ()
>>> Shifting token PROFTPD_LOGINERR_PREF ()
>>> Entering state 15
>>> Reading a token: --accepting rule at line 159 ("::ffff:XX")
>>> Next token is token IPv6 ()
>>> Shifting token IPv6 ()
>>> Entering state 39
>>> Reducing stack by rule 17 (line 111):
>>>    $1 = token IPv6 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 1 15
>>> Entering state 52
>>> Reading a token: --accepting rule at line 176 (".")
>>> Next token is token $undefined ()
>>> Error: popping nterm addr ()
>>> Stack now 0 1 15
>>> Error: popping token PROFTPD_LOGINERR_PREF ()
>>> Stack now 0 1
>>> Error: popping token SYSLOG_BANNER_PID ()
>>> Stack now 0
>>> Cleanup: discarding lookahead token $undefined ()
>>> Stack now 0
>>> </proftpd>
>>>
>>> <dovecot>
>>> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
>>> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
>>> Starting parse
>>> Entering state 0
>>> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
>>> Next token is token SYSLOG_BANNER ()
>>> Shifting token SYSLOG_BANNER ()
>>> Entering state 2
>>> Reading a token: --accepting rule at line 173 (" ")
>>> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
>>> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Entering state 11
>>> Reading a token: --(end of buffer or a NUL)
>>> --accepting rule at line 157 ("87.230.101.86")
>>> Next token is token IPv4 ()
>>> Shifting token IPv4 ()
>>> Entering state 38
>>> Reducing stack by rule 16 (line 107):
>>>    $1 = token IPv4 ()
>>> -> $$ = nterm addr ()
>>> Stack now 0 2 11
>>> Entering state 48
>>> Reading a token: --(end of buffer or a NUL)
>>> --accepting rule at line 173 ("
>>> ")
>>> --(end of buffer or a NUL)
>>> --EOF (start condition 4)
>>> Now at end of input.
>>> Error: popping nterm addr ()
>>> Stack now 0 2 11
>>> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
>>> Stack now 0 2
>>> Error: popping token SYSLOG_BANNER ()
>>> Stack now 0
>>> Stack now 0
>>>
>>>
>>> Should I post the syslog messages via newattackpatt?
>>> Or is this another problem?
>>>
>>> Greetings
>>>
>>> --
>>> Tobias Lott
>>
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > -- Tobias Lott > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 > 30-Day > trial. Simplify your report design, integration and deployment - and > focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
From: Tobias L. <tl...@ga...> - 2009-07-29 12:10:03
Thanks for looking into it, I've submitted both as suggested.

Hope it really got submitted, since I only got a blank site response, maybe a lil response like "Input submitted" would help to be sure that you guys really got the needed information.

On Fri, 24 Jul 2009 11:00:01 +0200
Mij <mi...@bi...> wrote:

> This is an exemplar post -- precise description of the problem,
> validation wrt the SVN version, and supply of the necessary data.
>
> Yes, please submit to
> http://sshguard.sourceforge.net/newattackpatt.php
>
> We periodically use that for new inclusions and fixes or updates of
> the patterns. Posting to the ml may give some more highlight, but the
> reference source for us is that one.
>
> We'll have a look before releasing 1.4.
>
> On Jul 23, 2009, at 01:33 , Tobias Lott wrote:
>
> > Hi
> >
> > I'm using sshguard for more than a year now, worked without a
> > problem. But lately I've noticed a lot of proftpd and dovecot
> > bruteforces not getting blocked.
> >
> > I've checked if sshguard gets the correct log information with tee,
> > tried FreeBSD Port (1.3 http://www.freshports.org/security/sshguard-pf/)
> > and latest svn (revision 121) both with the same result.
> >
> > dovecot log:
> > Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> >
> > proftpd log:
> > Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> >
> > Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> >
> > syslog.conf:
> > auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
> >
> > Debug Output:
> > Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> > Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 144 ("server_hostname (client_hostname[")
> > Next token is token PROFTPD_LOGINERR_PREF ()
> > Shifting token PROFTPD_LOGINERR_PREF ()
> > Entering state 15
> > Reading a token: --accepting rule at line 159 ("::ffff:XX")
> > Next token is token IPv6 ()
> > Shifting token IPv6 ()
> > Entering state 39
> > Reducing stack by rule 17 (line 111):
> >    $1 = token IPv6 ()
> > -> $$ = nterm addr ()
> > Stack now 0 1 15
> > Entering state 52
> > Reading a token: --accepting rule at line 176 (".")
> > Next token is token $undefined ()
> > Error: popping nterm addr ()
> > Stack now 0 1 15
> > Error: popping token PROFTPD_LOGINERR_PREF ()
> > Stack now 0 1
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token $undefined ()
> > Stack now 0
> >
> > Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 144 ("server_hostname (client_hostname[")
> > Next token is token PROFTPD_LOGINERR_PREF ()
> > Shifting token PROFTPD_LOGINERR_PREF ()
> > Entering state 15
> > Reading a token: --accepting rule at line 159 ("::ffff:XX")
> > Next token is token IPv6 ()
> > Shifting token IPv6 ()
> > Entering state 39
> > Reducing stack by rule 17 (line 111):
> >    $1 = token IPv6 ()
> > -> $$ = nterm addr ()
> > Stack now 0 1 15
> > Entering state 52
> > Reading a token: --accepting rule at line 176 (".")
> > Next token is token $undefined ()
> > Error: popping nterm addr ()
> > Stack now 0 1 15
> > Error: popping token PROFTPD_LOGINERR_PREF ()
> > Stack now 0 1
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token $undefined ()
> > Stack now 0
> > </proftpd>
> >
> > <dovecot>
> > Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> > Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> > Next token is token SYSLOG_BANNER ()
> > Shifting token SYSLOG_BANNER ()
> > Entering state 2
> > Reading a token: --accepting rule at line 173 (" ")
> > --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> > Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> > Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> > Entering state 11
> > Reading a token: --(end of buffer or a NUL)
> > --accepting rule at line 157 ("87.230.101.86")
> > Next token is token IPv4 ()
> > Shifting token IPv4 ()
> > Entering state 38
> > Reducing stack by rule 16 (line 107):
> >    $1 = token IPv4 ()
> > -> $$ = nterm addr ()
> > Stack now 0 2 11
> > Entering state 48
> > Reading a token: --(end of buffer or a NUL)
> > --accepting rule at line 173 ("
> > ")
> > --(end of buffer or a NUL)
> > --EOF (start condition 4)
> > Now at end of input.
> > Error: popping nterm addr ()
> > Stack now 0 2 11
> > Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> > Stack now 0 2
> > Error: popping token SYSLOG_BANNER ()
> > Stack now 0
> > Stack now 0
> >
> > Should I post the syslog messages via newattackpatt?
> > Or is this another problem?
> >
> > Greetings
> >
> > --
> > Tobias Lott

--
Tobias Lott
From: Mij <mi...@bi...> - 2009-07-24 09:00:17
This is an exemplar post -- precise description of the problem, validation wrt the SVN version, and supply of the necessary data.

Yes, please submit to http://sshguard.sourceforge.net/newattackpatt.php

We periodically use that for new inclusions and fixes or updates of the patterns. Posting to the ml may give some more highlight, but the reference source for us is that one.

We'll have a look before releasing 1.4.

On Jul 23, 2009, at 01:33 , Tobias Lott wrote:

> Hi
>
> I'm using sshguard for more than a year now, worked without a
> problem. But lately I've noticed a lot of proftpd and dovecot
> bruteforces not getting blocked.
>
> I've checked if sshguard gets the correct log information with tee,
> tried FreeBSD Port (1.3 http://www.freshports.org/security/sshguard-pf/)
> and latest svn (revision 121) both with the same result.
>
> dovecot log:
> Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
>
> proftpd log:
> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
>
> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
>
> syslog.conf:
> auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300
>
> Debug Output:
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 144 ("server_hostname (client_hostname[")
> Next token is token PROFTPD_LOGINERR_PREF ()
> Shifting token PROFTPD_LOGINERR_PREF ()
> Entering state 15
> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> Next token is token IPv6 ()
> Shifting token IPv6 ()
> Entering state 39
> Reducing stack by rule 17 (line 111):
>    $1 = token IPv6 ()
> -> $$ = nterm addr ()
> Stack now 0 1 15
> Entering state 52
> Reading a token: --accepting rule at line 176 (".")
> Next token is token $undefined ()
> Error: popping nterm addr ()
> Stack now 0 1 15
> Error: popping token PROFTPD_LOGINERR_PREF ()
> Stack now 0 1
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token $undefined ()
> Stack now 0
>
> Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 144 ("server_hostname (client_hostname[")
> Next token is token PROFTPD_LOGINERR_PREF ()
> Shifting token PROFTPD_LOGINERR_PREF ()
> Entering state 15
> Reading a token: --accepting rule at line 159 ("::ffff:XX")
> Next token is token IPv6 ()
> Shifting token IPv6 ()
> Entering state 39
> Reducing stack by rule 17 (line 111):
>    $1 = token IPv6 ()
> -> $$ = nterm addr ()
> Stack now 0 1 15
> Entering state 52
> Reading a token: --accepting rule at line 176 (".")
> Next token is token $undefined ()
> Error: popping nterm addr ()
> Stack now 0 1 15
> Error: popping token PROFTPD_LOGINERR_PREF ()
> Stack now 0 1
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token $undefined ()
> Stack now 0
> </proftpd>
>
> <dovecot>
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
> Next token is token SYSLOG_BANNER ()
> Shifting token SYSLOG_BANNER ()
> Entering state 2
> Reading a token: --accepting rule at line 173 (" ")
> --accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
> Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
> Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
> Entering state 11
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 157 ("87.230.101.86")
> Next token is token IPv4 ()
> Shifting token IPv4 ()
> Entering state 38
> Reducing stack by rule 16 (line 107):
>    $1 = token IPv4 ()
> -> $$ = nterm addr ()
> Stack now 0 2 11
> Entering state 48
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 173 ("
> ")
> --(end of buffer or a NUL)
> --EOF (start condition 4)
> Now at end of input.
> Error: popping nterm addr ()
> Stack now 0 2 11
> Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
> Stack now 0 2
> Error: popping token SYSLOG_BANNER ()
> Stack now 0
> Stack now 0
>
> Should I post the syslog messages via newattackpatt?
> Or is this another problem?
>
> Greetings
>
> --
> Tobias Lott
From: Tobias L. <tl...@ga...> - 2009-07-22 23:48:47
Hi

I'm using sshguard for more than a year now, worked without a problem. But lately I've noticed a lot of proftpd and dovecot bruteforces not getting blocked.

I've checked if sshguard gets the correct log information with tee, tried FreeBSD Port (1.3 http://www.freshports.org/security/sshguard-pf/) and latest svn (revision 121) both with the same result.

dovecot log:
Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS

proftpd log:
Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21

Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login

syslog.conf:
auth.info;authpriv.info;local0.info;daemon.info;mail.info |tee -a /tmp/mylogsniff | /path/to/trunk-sshguard -a 1 -p 300

Debug Output:
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER nouser: no such user found from client_hostname [::ffff:XX.XX.XX.XX] to ::ffff:XX.XX.XX.XX:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 97 ("Jul 23 00:38:26 server_hostname proftpd[67341]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 173 (" ")
--accepting rule at line 144 ("server_hostname (client_hostname[")
Next token is token PROFTPD_LOGINERR_PREF ()
Shifting token PROFTPD_LOGINERR_PREF ()
Entering state 15
Reading a token: --accepting rule at line 159 ("::ffff:XX")
Next token is token IPv6 ()
Shifting token IPv6 ()
Entering state 39
Reducing stack by rule 17 (line 111):
   $1 = token IPv6 ()
-> $$ = nterm addr ()
Stack now 0 1 15
Entering state 52
Reading a token: --accepting rule at line 176 (".")
Next token is token $undefined ()
Error: popping nterm addr ()
Stack now 0 1 15
Error: popping token PROFTPD_LOGINERR_PREF ()
Stack now 0 1
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token $undefined ()
Stack now 0

Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname (client_hostname[::ffff:XX.XX.XX.XX]) - USER mysql (Login failed): Limit access denies login
Starting parse
Entering state 0
Reading a token: --accepting rule at line 97 ("Jul 23 00:39:37 server_hostname proftpd[69967]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 173 (" ")
--accepting rule at line 144 ("server_hostname (client_hostname[")
Next token is token PROFTPD_LOGINERR_PREF ()
Shifting token PROFTPD_LOGINERR_PREF ()
Entering state 15
Reading a token: --accepting rule at line 159 ("::ffff:XX")
Next token is token IPv6 ()
Shifting token IPv6 ()
Entering state 39
Reducing stack by rule 17 (line 111):
   $1 = token IPv6 ()
-> $$ = nterm addr ()
Stack now 0 1 15
Entering state 52
Reading a token: --accepting rule at line 176 (".")
Next token is token $undefined ()
Error: popping nterm addr ()
Stack now 0 1 15
Error: popping token PROFTPD_LOGINERR_PREF ()
Stack now 0 1
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token $undefined ()
Stack now 0
</proftpd>

<dovecot>
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jul 23 01:22:51 spirit dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=87.230.101.86
Starting parse
Entering state 0
Reading a token: --accepting rule at line 103 ("Jul 23 01:22:51 spirit dovecot:")
Next token is token SYSLOG_BANNER ()
Shifting token SYSLOG_BANNER ()
Entering state 2
Reading a token: --accepting rule at line 173 (" ")
--accepting rule at line 129 ("imap-login: Aborted login (auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, rip=87.154.167.190, lip=")
Next token is token DOVECOT_IMAP_LOGINERR_PREF ()
Shifting token DOVECOT_IMAP_LOGINERR_PREF ()
Entering state 11
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 157 ("87.230.101.86")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 38
Reducing stack by rule 16 (line 107):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 2 11
Entering state 48
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 173 ("
")
--(end of buffer or a NUL)
--EOF (start condition 4)
Now at end of input.
Error: popping nterm addr ()
Stack now 0 2 11
Error: popping token DOVECOT_IMAP_LOGINERR_PREF ()
Stack now 0 2
Error: popping token SYSLOG_BANNER ()
Stack now 0
Stack now 0

Should I post the syslog messages via newattackpatt?
Or is this another problem?

Greetings

--
Tobias Lott
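The two failures in the trace above are (1) the proftpd client address is an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) and the IPv6 token stops at the first dot, and (2) the dovecot prefix rule swallows rip= and the address that gets captured is the listener's own lip=. The following is an added example, not sshguard's code and not from the thread, that parses the same three log formats with regexes that take the rip= field and the client_hostname[...] address, and normalizes IPv4-mapped addresses to plain IPv4 so one blocklist entry covers both spellings. Sample lines are constructed from the post's formats with RFC 5737 documentation addresses in place of the masked ones; the NAIVE_IPV6 rule is an approximation of a hex-and-colon-only token rule, not sshguard's real lexer.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the formats quoted in the post; the
# masked XX/CC/SS addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "Jul 23 01:22:51 server_hostname dovecot: imap-login: Aborted login "
    "(auth failed, 2 attempts): user=<lala@lala>, method=PLAIN, "
    "rip=198.51.100.7, lip=203.0.113.1",
    "Jul 23 00:38:26 server_hostname proftpd[67341]: server_hostname "
    "(client_hostname[::ffff:198.51.100.23]) - USER nouser: no such user "
    "found from client_hostname [::ffff:198.51.100.23] to ::ffff:203.0.113.1:21",
    "Jul 23 00:39:37 server_hostname proftpd[69967]: server_hostname "
    "(client_hostname[::ffff:198.51.100.23]) - USER mysql (Login failed): "
    "Limit access denies login",
    "Jul 23 00:40:00 server_hostname cron[77]: (root) CMD (/usr/libexec/atrun)",
]

# Approximation (not sshguard's real rule) of a token rule that accepts only
# hex digits and colons: it stops at the first '.' of an IPv4-mapped literal,
# which is the "::ffff:XX" followed by $undefined seen in the post's trace.
NAIVE_IPV6 = re.compile(r"[0-9A-Fa-f:]+")

def naive_ipv6_token(text):
    """Return what a hex-and-colon-only IPv6 token rule would consume."""
    m = NAIVE_IPV6.match(text)
    return m.group(0) if m else ""

# Characters of an IPv4 or (possibly IPv4-mapped) IPv6 address literal.
ADDR = r"[0-9A-Fa-f:.]+"

# Dovecot: the remote peer is rip=; lip= is the listener's own address and
# must never end up in a blocklist.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Aborted login \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, .*?\brip=(?P<addr>" + ADDR + r"), lip="
)

# ProFTPD: the client address sits inside client_hostname[...]; covers both
# the "no such user found" and the "(Login failed)" variants from the post.
PROFTPD_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \(\S+?\[(?P<addr>[^\]]+)\]\) - USER (?P<user>\S+?)"
    r"(?:: no such user found| \(Login failed\))"
)

PATTERNS = [("dovecot", DOVECOT_RE), ("proftpd", PROFTPD_RE)]

def normalize_addr(text):
    """Canonical address string; IPv4-mapped IPv6 collapses to plain IPv4."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def parse_line(line):
    """Return {'service', 'user', 'addr'} for a failed login line, else None."""
    for service, pattern in PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        try:
            addr = normalize_addr(m.group("addr"))
        except ValueError:
            return None  # text matched but the address field is not a literal
        return {"service": service, "user": m.group("user"), "addr": addr}
    return None

def failed_logins(lines):
    """Count failed logins per normalized source address."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            counts[hit["addr"]] += 1
    return dict(counts)

def offenders(lines, threshold):
    """Addresses with at least `threshold` failures (cf. sshguard's -a)."""
    return sorted(a for a, n in failed_logins(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(naive_ipv6_token("::ffff:198.51.100.23"))  # ::ffff:198
    for line in SAMPLE_LOGS:
        print(parse_line(line))
    print(offenders(SAMPLE_LOGS, 2))  # ['198.51.100.23']
```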
From: Mij <mi...@bi...> - 2009-07-22 09:45:23
On Jul 22, 2009, at 04:02 , Peter Beckman wrote:

> On Tue, 21 Jul 2009, Mij wrote:
>
>> On Jul 21, 2009, at 21:17 , Peter Beckman wrote:
>>
>>> On Tue, 21 Jul 2009, Mij wrote:
>>>
>>>> Naturally the same machinery is used for blocking with or without -d, so
>>>> if in the latter case it works, is sshguard run as root from the syslog
>>>> instance?
>>>
>>> syslogd is running as root, and since I've tested it in the past and it
>>> has worked, and I haven't updated anything, I was surprised to see the
>>> failure.
>>
>> 2 things:
>> 1) you show that with -d the address is visible in the PF table after
>> blocking.
>> What about the normal run?
>
> Wasn't around at the time of the attack, I only get notified at the end of
> the day when I get emailed the log.
>
> I upgraded to 1.4rc5 and tested manually, and it blocked successfully.
> Hopefully the bot-net tries again soon, and I'll see if the issue was
> resolved by upgrading.

On that front rc5 should not behave any differently to prior versions.

> PS -- If you were bored, you could always create a few new FreeBSD Ports:
>
> sshguard-devel
> sshguard-devel-pf (or modify the sshguard-pf to have a flag to use
> sshguard-devel)
>
> I built a pseudo-hack port, but didn't spend enough time to figure out how
> to install it as sshguard-devel-1.4rc5 without figuring out how to tell it
> to download sshguard-1.4rc5.tar.gz from SourceForge. Probably could with
> some time and effort, the former of which I have none of!

The current port I will update just before releasing 1.4stable. Some users submitted some modifications to its "automation scripts". Hopefully I'll find time to get hold of those too.

You're welcome to submit a "sshguard-devel" port. As we take so long before declaring stables (1.3 was 10 months ago?) a -devel port may make sense.