From: Emmanuel A. <man...@gm...> - 2009-10-05 12:59:21
Hum, I will change my ssh port number to try to solve this problem.
Thank you so much Mij.

[]s
Emmanuel Alves
man...@gm...
---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet

On Mon, Oct 5, 2009 at 9:53 AM, Mij <mi...@ss...> wrote:
> Nothing is wrong, but the fact you're not being attacked by one insisting host,
> but by many in distributed fashion. There is no simple way to detect these:
> imagine you're running a shell server with many accesses, how would you spot
> this is a distributed attack rather than a "funnily many users got the password
> wrong in a short period of time"? And similarly, even once you detect this,
> what do you do then?
>
> Detecting these is hard, but we have that in a TODO idle loop.
>
> On Oct 2, 2009, at 13:00 , Emmanuel Alves wrote:
>
> > Hi,
> >
> > My SSHGUARD was working perfectly, but since 2 days ago, my security
> > log has a lot of blocked IPs, but I can't find any failures to access
> > my ssh... here is part of my log:
> >
> > Oct 1 09:15:41 brain sshguard[77308]: Blocking 200.11.197.122: 4 failures over 2 seconds.
> > Oct 1 09:16:24 brain sshguard[77308]: Blocking 147.52.242.30: 4 failures over 0 seconds.
> > Oct 1 09:17:27 brain sshguard[77308]: Blocking 217.15.119.130: 4 failures over 0 seconds.
> > Oct 1 09:17:54 brain sshguard[77308]: Blocking 77.95.0.100: 4 failures over 0 seconds.
> > Oct 1 09:18:45 brain sshguard[77308]: Blocking 118.98.171.107: 4 failures over 4 seconds.
> > Oct 1 09:19:27 brain sshguard[77308]: Blocking 83.142.126.50: 4 failures over 1 seconds.
> > Oct 1 09:20:25 brain sshguard[77308]: Release command failed. Exited: -1
> > Oct 1 09:20:55 brain sshguard[77308]: Blocking 69.213.134.19: 4 failures over 7 seconds.
> > Oct 1 09:21:31 brain sshguard[77308]: Blocking 203.198.161.20: 4 failures over 0 seconds.
> > Oct 1 09:22:18 brain sshguard[77308]: Blocking 217.111.114.216: 4 failures over 0 seconds.
> > Oct 1 09:22:55 brain sshguard[77308]: Blocking 88.84.142.50: 4 failures over 0 seconds.
> > Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
> > Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
> > Oct 1 09:24:30 brain sshguard[77308]: Blocking 60.28.10.26: 4 failures over 139 seconds.
> > Oct 1 09:25:16 brain sshguard[77308]: Blocking 82.98.78.31: 4 failures over 0 seconds.
> > Oct 1 09:25:55 brain sshguard[77308]: Blocking 202.78.239.203: 4 failures over 1 seconds.
> > Oct 1 09:26:43 brain sshguard[77308]: Blocking 69.129.125.162: 4 failures over 3 seconds.
> > Oct 1 09:27:28 brain sshguard[77308]: Blocking 61.183.0.35: 4 failures over 0 seconds.
> > Oct 1 09:28:12 brain sshguard[77308]: Blocking 83.132.104.248: 4 failures over 0 seconds.
> > Oct 1 09:28:52 brain sshguard[77308]: Blocking 61.172.200.198: 4 failures over 1 seconds.
> > Oct 1 09:29:57 brain sshguard[77308]: Blocking 83.142.126.51: 4 failures over 1 seconds.
> > Oct 1 09:30:31 brain sshguard[77308]: Blocking 211.137.70.137: 4 failures over 3 seconds.
> > Oct 1 09:31:04 brain sshguard[77308]: Blocking 202.107.85.254: 4 failures over 710 seconds.
> > Oct 1 09:31:52 brain sshguard[77308]: Blocking 58.185.182.212: 4 failures over 0 seconds.
> > Oct 1 09:32:37 brain sshguard[77308]: Blocking 61.131.208.44: 4 failures over 1 seconds.
> > Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
> > Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
> > Oct 1 09:33:22 brain sshguard[77308]: Blocking 147.52.242.39: 4 failures over 0 seconds.
> > Oct 1 09:34:00 brain sshguard[77308]: Blocking 80.219.210.151: 4 failures over 0 seconds.
> > Oct 1 09:34:56 brain sshguard[77308]: Blocking 79.29.174.11: 4 failures over 3 seconds.
> > Oct 1 09:35:33 brain sshguard[77308]: Blocking 212.235.9.44: 4 failures over 0 seconds.
> > Oct 1 09:36:19 brain sshguard[77308]: Blocking 196.201.228.186: 4 failures over 0 seconds.
> > Oct 1 09:37:45 brain sshguard[77308]: Blocking 189.56.92.42: 4 failures over 1 seconds.
> >
> > Am I wrong?
> >
> > []s
> >
> > Emmanuel Alves
> > man...@gm...
> >
> > ---------------------------------------------------------------------
> > Twitter: http://www.twitter.com/emartsnet
> > Linked In: http://www.linkedin.com/in/emartsnet
> >
> > ------------------------------------------------------------------------------
> > Come build with us! The BlackBerry® Developer Conference in SF, CA
> > is the only developer event you need to attend this year. Jumpstart your
> > developing skills, take BlackBerry mobile applications to market and stay
> > ahead of the curve. Join us from November 9-12, 2009. Register now!
> > http://p.sf.net/sfu/devconf
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Mij <mi...@ss...> - 2009-10-05 12:55:17
All "protection" comes out of the box. You just make sure that sshguard receives the log messages produced by proftpd.

On Sep 28, 2009, at 21:41 , Paul Bliss wrote:
> Hello all,
> I've got sshguard running and protecting my SSH logins just fine, but I'm
> confused as to how to add ProFTPD protection as well. The documentation
> seems to assume that I'm smarter than I actually am.
>
> Thanks!
> -Mechno
From: Mij <mi...@ss...> - 2009-10-05 12:54:06
Nothing is wrong, but the fact you're not being attacked by one insisting host,
but by many in distributed fashion. There is no simple way to detect these:
imagine you're running a shell server with many accesses, how would you spot
this is a distributed attack rather than a "funnily many users got the password
wrong in a short period of time"? And similarly, even once you detect this,
what do you do then?

Detecting these is hard, but we have that in a TODO idle loop.

On Oct 2, 2009, at 13:00 , Emmanuel Alves wrote:
> Hi,
>
> My SSHGUARD was working perfectly, but since 2 days ago, my security
> log has a lot of blocked IPs, but I can't find any failures to access
> my ssh... here is part of my log:
>
> Oct 1 09:15:41 brain sshguard[77308]: Blocking 200.11.197.122: 4 failures over 2 seconds.
> Oct 1 09:16:24 brain sshguard[77308]: Blocking 147.52.242.30: 4 failures over 0 seconds.
> Oct 1 09:17:27 brain sshguard[77308]: Blocking 217.15.119.130: 4 failures over 0 seconds.
> Oct 1 09:17:54 brain sshguard[77308]: Blocking 77.95.0.100: 4 failures over 0 seconds.
> Oct 1 09:18:45 brain sshguard[77308]: Blocking 118.98.171.107: 4 failures over 4 seconds.
> Oct 1 09:19:27 brain sshguard[77308]: Blocking 83.142.126.50: 4 failures over 1 seconds.
> Oct 1 09:20:25 brain sshguard[77308]: Release command failed. Exited: -1
> Oct 1 09:20:55 brain sshguard[77308]: Blocking 69.213.134.19: 4 failures over 7 seconds.
> Oct 1 09:21:31 brain sshguard[77308]: Blocking 203.198.161.20: 4 failures over 0 seconds.
> Oct 1 09:22:18 brain sshguard[77308]: Blocking 217.111.114.216: 4 failures over 0 seconds.
> Oct 1 09:22:55 brain sshguard[77308]: Blocking 88.84.142.50: 4 failures over 0 seconds.
> Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
> Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
> Oct 1 09:24:30 brain sshguard[77308]: Blocking 60.28.10.26: 4 failures over 139 seconds.
> Oct 1 09:25:16 brain sshguard[77308]: Blocking 82.98.78.31: 4 failures over 0 seconds.
> Oct 1 09:25:55 brain sshguard[77308]: Blocking 202.78.239.203: 4 failures over 1 seconds.
> Oct 1 09:26:43 brain sshguard[77308]: Blocking 69.129.125.162: 4 failures over 3 seconds.
> Oct 1 09:27:28 brain sshguard[77308]: Blocking 61.183.0.35: 4 failures over 0 seconds.
> Oct 1 09:28:12 brain sshguard[77308]: Blocking 83.132.104.248: 4 failures over 0 seconds.
> Oct 1 09:28:52 brain sshguard[77308]: Blocking 61.172.200.198: 4 failures over 1 seconds.
> Oct 1 09:29:57 brain sshguard[77308]: Blocking 83.142.126.51: 4 failures over 1 seconds.
> Oct 1 09:30:31 brain sshguard[77308]: Blocking 211.137.70.137: 4 failures over 3 seconds.
> Oct 1 09:31:04 brain sshguard[77308]: Blocking 202.107.85.254: 4 failures over 710 seconds.
> Oct 1 09:31:52 brain sshguard[77308]: Blocking 58.185.182.212: 4 failures over 0 seconds.
> Oct 1 09:32:37 brain sshguard[77308]: Blocking 61.131.208.44: 4 failures over 1 seconds.
> Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
> Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
> Oct 1 09:33:22 brain sshguard[77308]: Blocking 147.52.242.39: 4 failures over 0 seconds.
> Oct 1 09:34:00 brain sshguard[77308]: Blocking 80.219.210.151: 4 failures over 0 seconds.
> Oct 1 09:34:56 brain sshguard[77308]: Blocking 79.29.174.11: 4 failures over 3 seconds.
> Oct 1 09:35:33 brain sshguard[77308]: Blocking 212.235.9.44: 4 failures over 0 seconds.
> Oct 1 09:36:19 brain sshguard[77308]: Blocking 196.201.228.186: 4 failures over 0 seconds.
> Oct 1 09:37:45 brain sshguard[77308]: Blocking 189.56.92.42: 4 failures over 1 seconds.
>
> Am I wrong?
>
> []s
>
> Emmanuel Alves
> man...@gm...
>
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
From: Art S. <art...@gm...> - 2009-10-02 18:51:02
Is there a way to set up certain types of log messages to be banned on first attempt, and the rest at the default of 4? The reason why I ask is because I like the idea of the default of 4, since users can make mistakes when trying to log in, and that gives them a little room for error, but there are certain log entries that I feel should be banned on first attempt, for example:

Oct 2 13:26:27 srvtwc sshd[7642]: User root from mx.referent.ru not allowed because not listed in AllowUsers
Oct 2 13:26:27 srvtwc sshguard[30833]: Successfully resolved 'mx.referent.ru' --> 4:'86.111.5.38'.
Oct 2 13:26:27 srvtwc sshguard[30833]: Matched address 86.111.5.38:4 attacking service 100
Oct 2 13:26:28 srvtwc sshd[7642]: error: PAM: Authentication failure for illegal user root from mx.referent.ru
Oct 2 13:26:28 srvtwc sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 86.111.5.38 port 33046 ssh2
Oct 2 13:26:28 srvtwc sshguard[30833]: Matched address 86.111.5.38:4 attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: User root from 119-210-96-87.cust.blixtvik.se not allowed because not listed in AllowUsers
Oct 2 13:27:43 srvtwc sshguard[30833]: Successfully resolved '119-210-96-87.cust.blixtvik.se' --> 4:'87.96.210.119'.
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4 attacking service 100
Oct 2 13:27:43 srvtwc sshd[7645]: error: PAM: Authentication failure for illegal user root from 119-210-96-87.cust.blixtvik.se
Oct 2 13:27:43 srvtwc sshd[7645]: Failed keyboard-interactive/pam for invalid user root from 87.96.210.119 port 41754 ssh2
Oct 2 13:27:43 srvtwc sshguard[30833]: Matched address 87.96.210.119:4 attacking service 100
Oct 2 13:28:49 srvtwc sshd[7649]: User root from static-87-79-66-203.netcologne.de not allowed because not listed in AllowUsers
Oct 2 13:28:49 srvtwc sshguard[30833]: Successfully resolved 'static-87-79-66-203.netcologne.de' --> 4:'87.79.66.203'.
Oct 2 13:28:49 srvtwc sshguard[30833]: Matched address 87.79.66.203:4 attacking service 100
Oct 2 13:28:50 srvtwc sshd[7649]: error: PAM: Authentication failure for illegal user root from static-87-79-66-203.netcologne.de
Oct 2 13:28:50 srvtwc sshd[7649]: Failed keyboard-interactive/pam for invalid user root from 87.79.66.203 port 51639 ssh2
Oct 2 13:28:50 srvtwc sshguard[30833]: Matched address 87.79.66.203:4 attacking service 100

I've noticed in my logs recently, since I've started to use sshguard, that the attackers' scripts are smart enough to know, or remember, that your server is running sshguard or a similar service, and will attempt brute-force attacks from a rotating set of IPs, so that they will never get banned so long as they have enough IPs to come in from. The logs show that sshguard is picking it up as an attack properly, but by the time they cycle through their list of remote IPs and use one that sshguard has seen already, it's been over the time period where it would count it as a second attack. Anything that shows up as "not listed in AllowUsers" or "failure for illegal user xxx" should be banned on first attempt. That would be a great addition to your already awesome app.
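The first-hit rule Art asks for, and the rotating-address problem that both he and Mij describe, as an added example in Python (not sshguard's code). The log lines are constructed from the sshd messages quoted above using RFC 5737 addresses and assume sshd logs the client IP rather than a resolved name; the default threshold of 4 and the 1200 s stale window are the values in the debug banner quoted later in the thread, and the year is pinned to 2009 because syslog timestamps omit it.

```python
"""Per-pattern blocking thresholds over sshd log lines (added example).

Not sshguard's code. Lines that can only come from an attacker ("not listed
in AllowUsers", "illegal user") count as a block on the first hit, while
ordinary failures keep the default threshold of 4. It also shows why the
default never fires against a source that rotates addresses and only comes
back after its attempt history has gone stale (sshguard's -s window).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the thread, with
# RFC 5737 documentation addresses; assumes sshd logs raw client IPs (UseDNS
# off). Each address makes one attempt (three lines); 192.0.2.10 returns once
# more 21 minutes later, after the 1200 s stale window has expired.
SAMPLE_LOG = """\
Oct  2 13:26:27 srvtwc sshd[7642]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Oct  2 13:26:28 srvtwc sshd[7642]: error: PAM: Authentication failure for illegal user root from 192.0.2.10
Oct  2 13:26:28 srvtwc sshd[7642]: Failed keyboard-interactive/pam for invalid user root from 192.0.2.10 port 33046 ssh2
Oct  2 13:27:43 srvtwc sshd[7645]: User root from 192.0.2.20 not allowed because not listed in AllowUsers
Oct  2 13:27:43 srvtwc sshd[7645]: error: PAM: Authentication failure for illegal user root from 192.0.2.20
Oct  2 13:27:43 srvtwc sshd[7645]: Failed keyboard-interactive/pam for invalid user root from 192.0.2.20 port 41754 ssh2
Oct  2 13:28:49 srvtwc sshd[7649]: User root from 192.0.2.30 not allowed because not listed in AllowUsers
Oct  2 13:28:50 srvtwc sshd[7649]: error: PAM: Authentication failure for illegal user root from 192.0.2.30
Oct  2 13:28:50 srvtwc sshd[7649]: Failed keyboard-interactive/pam for invalid user root from 192.0.2.30 port 51639 ssh2
Oct  2 13:47:30 srvtwc sshd[7701]: User admin from 192.0.2.10 not allowed because not listed in AllowUsers
"""

# A policy is an ordered list of (pattern, threshold); the first pattern that
# matches a line decides how many hits that source needs before it is blocked.
ALLOWUSERS = re.compile(r"not allowed because not listed in AllowUsers")
ILLEGAL_USER = re.compile(r"Authentication failure for illegal user")
FAILED_AUTH = re.compile(r"Failed \S+ for (?:invalid user )?\S+ from \S+ port \d+")

DEFAULT_POLICY = [(ALLOWUSERS, 4), (ILLEGAL_USER, 4), (FAILED_AUTH, 4)]  # sshguard's -a default
STRICT_POLICY = [(ALLOWUSERS, 1), (ILLEGAL_USER, 1), (FAILED_AUTH, 4)]   # what Art asks for

ADDR_RE = re.compile(r" from (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\b")
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


class Tracker:
    """Count authentication failures per source address inside a stale window."""

    def __init__(self, policy, stale_seconds=1200):
        self.policy = policy
        self.stale = stale_seconds
        self.history = defaultdict(deque)   # addr -> timestamps of recent failures
        self.blocked = []                    # addresses blocked, in blocking order

    def feed(self, line):
        """Process one log line; return the address it caused to be blocked, or None."""
        m_ts, m_addr = TS_RE.match(line), ADDR_RE.search(line)
        if not (m_ts and m_addr):
            return None
        for pattern, threshold in self.policy:
            if pattern.search(line):
                break
        else:
            return None                      # not a failure this policy tracks
        addr = m_addr.group("addr")
        if addr in self.blocked:
            return None
        # syslog timestamps carry no year; pin one so the arithmetic works
        when = datetime.strptime("2009 " + m_ts.group("ts"), "%Y %b %d %H:%M:%S")
        recent = self.history[addr]
        recent.append(when)
        # forget attempts older than the stale window, as sshguard's -s option does
        while recent and (when - recent[0]).total_seconds() > self.stale:
            recent.popleft()
        if len(recent) >= threshold:
            self.blocked.append(addr)
            return addr
        return None


def run(policy, stale_seconds=1200, log=SAMPLE_LOG):
    """Replay `log` through a fresh Tracker and return the addresses it blocked."""
    tracker = Tracker(policy, stale_seconds)
    for line in log.splitlines():
        tracker.feed(line)
    return tracker.blocked


if __name__ == "__main__":
    print("default thresholds, 1200 s window:", run(DEFAULT_POLICY))
    print("default thresholds, 24 h window:  ", run(DEFAULT_POLICY, 86400))
    print("first-hit rules for attacker-only lines:", run(STRICT_POLICY))
```

With the default policy nothing is ever blocked: each address produces three failures, and the fourth from 192.0.2.10 arrives after its earlier three have gone stale.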
From: Emmanuel A. <man...@gm...> - 2009-10-02 11:00:24
Hi,

My SSHGUARD was working perfectly, but since 2 days ago, my security log has a lot of blocked IPs, but I can't find any failures to access my ssh... here is part of my log:

Oct 1 09:15:41 brain sshguard[77308]: Blocking 200.11.197.122: 4 failures over 2 seconds.
Oct 1 09:16:24 brain sshguard[77308]: Blocking 147.52.242.30: 4 failures over 0 seconds.
Oct 1 09:17:27 brain sshguard[77308]: Blocking 217.15.119.130: 4 failures over 0 seconds.
Oct 1 09:17:54 brain sshguard[77308]: Blocking 77.95.0.100: 4 failures over 0 seconds.
Oct 1 09:18:45 brain sshguard[77308]: Blocking 118.98.171.107: 4 failures over 4 seconds.
Oct 1 09:19:27 brain sshguard[77308]: Blocking 83.142.126.50: 4 failures over 1 seconds.
Oct 1 09:20:25 brain sshguard[77308]: Release command failed. Exited: -1
Oct 1 09:20:55 brain sshguard[77308]: Blocking 69.213.134.19: 4 failures over 7 seconds.
Oct 1 09:21:31 brain sshguard[77308]: Blocking 203.198.161.20: 4 failures over 0 seconds.
Oct 1 09:22:18 brain sshguard[77308]: Blocking 217.111.114.216: 4 failures over 0 seconds.
Oct 1 09:22:55 brain sshguard[77308]: Blocking 88.84.142.50: 4 failures over 0 seconds.
Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
Oct 1 09:23:32 brain sshguard[77308]: Release command failed. Exited: -1
Oct 1 09:24:30 brain sshguard[77308]: Blocking 60.28.10.26: 4 failures over 139 seconds.
Oct 1 09:25:16 brain sshguard[77308]: Blocking 82.98.78.31: 4 failures over 0 seconds.
Oct 1 09:25:55 brain sshguard[77308]: Blocking 202.78.239.203: 4 failures over 1 seconds.
Oct 1 09:26:43 brain sshguard[77308]: Blocking 69.129.125.162: 4 failures over 3 seconds.
Oct 1 09:27:28 brain sshguard[77308]: Blocking 61.183.0.35: 4 failures over 0 seconds.
Oct 1 09:28:12 brain sshguard[77308]: Blocking 83.132.104.248: 4 failures over 0 seconds.
Oct 1 09:28:52 brain sshguard[77308]: Blocking 61.172.200.198: 4 failures over 1 seconds.
Oct 1 09:29:57 brain sshguard[77308]: Blocking 83.142.126.51: 4 failures over 1 seconds.
Oct 1 09:30:31 brain sshguard[77308]: Blocking 211.137.70.137: 4 failures over 3 seconds.
Oct 1 09:31:04 brain sshguard[77308]: Blocking 202.107.85.254: 4 failures over 710 seconds.
Oct 1 09:31:52 brain sshguard[77308]: Blocking 58.185.182.212: 4 failures over 0 seconds.
Oct 1 09:32:37 brain sshguard[77308]: Blocking 61.131.208.44: 4 failures over 1 seconds.
Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
Oct 1 09:32:59 brain sshguard[77308]: Release command failed. Exited: -1
Oct 1 09:33:22 brain sshguard[77308]: Blocking 147.52.242.39: 4 failures over 0 seconds.
Oct 1 09:34:00 brain sshguard[77308]: Blocking 80.219.210.151: 4 failures over 0 seconds.
Oct 1 09:34:56 brain sshguard[77308]: Blocking 79.29.174.11: 4 failures over 3 seconds.
Oct 1 09:35:33 brain sshguard[77308]: Blocking 212.235.9.44: 4 failures over 0 seconds.
Oct 1 09:36:19 brain sshguard[77308]: Blocking 196.201.228.186: 4 failures over 0 seconds.
Oct 1 09:37:45 brain sshguard[77308]: Blocking 189.56.92.42: 4 failures over 1 seconds.

Am I wrong?

[]s
Emmanuel Alves
man...@gm...
---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet
From: Paul B. <pb...@me...> - 2009-09-28 20:04:32
Hello all,

I've got sshguard running and protecting my SSH logins just fine, but I'm confused as to how to add ProFTPD protection as well. The documentation seems to assume that I'm smarter than I actually am.

Thanks!
-Mechno
From: Art S. <art...@gm...> - 2009-09-27 22:58:26
Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine scanning
sshd. I've recently installed proftpd 1.3.2a and would like to configure
sshguard to scan for proftpd log entries.

I have proftpd set to default syslog. Here are my configurations.

/etc/syslog-ng/syslog-ng.conf
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
#filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
destination sshguardproc {
    program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
log { source(src); filter(f_proftpd); destination(sshguardproc); };
The log format shows up as

Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
If pasted into a debug session of sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) -
USER asdfasdfasf: no such user found from client.ip [client.ip] to
server.ip:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 162 ("server.ip")
Next token is token IPv4 ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token IPv4 ()
Stack now 0
Any advice on what I'm doing wrong?
Thanks!
Re: [Sshguard-users] how to configure sshguard for proftpd? <http://sourceforge.net/mailarchive/message.php?msg_name=1ADA3E05-1ABC-4847-808F-DD8F68A46BC3%40sshguard.net>
From: Mij <mij@ss...> - 2009-09-27 11:45
> As I see it, the corresponding rule in the parser is made for
> hostnames instead of raw addresses.
> Some of us will modify it to catch raw addresses in the next days,
> keep an eye on the SVN if you care.
>
> Btw, out of curiosity: is that raw ip resulting from a missing PTR
> (see "dig +short -x <client.ip>") or can you configure ProFTP to not
> reverse look-up client addresses? In the latter case, is that the
> default on OpenSusy?
> thanks for reporting

The raw ip is resulting from the use of the option UseReverseDNS set to
OFF in proftpd.conf. It is not the default in OpenSuSE, I just happened
to turn it off.
I resolved my issue by doing some testing in debug and taking a look at the
attack_scanner.l. It didn't like the hostname srvtwc, I found that
/etc/hosts had been misconfigured and then set it with FQDN
(srvtwc.xxx.xxx), after which scanning was working properly. Both with
UseReverseDNS on and off, everything works fine. When the ban occurs with
UseReverseDNS set to off, it still adds the host to iptables instead of the
raw ip, but like you said you guys are working on that part.
Regards,
Art
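The parsing problem worked through in this exchange, as an added example in Python (not sshguard's attack_scanner.l): one pattern for the proftpd "no such user found" line that accepts a short or fully qualified host in the syslog banner and a hostname or a raw IP in the client field, and that always hands back the bracketed raw IP so the firewall backend never receives a name. Sample lines are constructed with RFC 5737 addresses and .invalid hostnames.

```python
"""Extract the address to block from proftpd 'no such user found' lines.

Added example, not sshguard's attack_scanner.l. A single pattern accepts the
syslog banner with a short host name (srvtwc) or an FQDN, and the client field
either as a resolved hostname (UseReverseDNS on) or as a raw IP (UseReverseDNS
off). Whatever the client field holds, the result is the bracketed raw IP.
"""
import ipaddress
import re
from typing import List, Optional

# Sep 24 02:01:59 srvtwc proftpd[9682]: <server> (<client>[<ip>]) - USER <name>:
#   no such user found from <client> [<ip>] to <server ip>:<port>
SYSLOG_BANNER = (
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?) "   # short name or FQDN
    r"proftpd\[(?P<pid>\d+)\]: "
)
NO_SUCH_USER = re.compile(
    SYSLOG_BANNER
    + r"(?P<server>\S+) \((?P<client_host>[^\[\s]+)\[(?P<client_ip>[^\]]+)\]\) - "
    + r"USER (?P<user>\S+): no such user found from (?P<from_host>\S+) \[(?P<from_ip>[^\]]+)\] "
    + r"to (?P<server_ip>\S+):(?P<port>\d+)$"
)

# Constructed samples with RFC 5737 addresses and .invalid hostnames.
SAMPLES = [
    # UseReverseDNS off: client logged as a raw IP; short host name in the banner
    "Sep 24 02:01:59 srvtwc proftpd[9682]: 203.0.113.5 (198.51.100.7[198.51.100.7]) - "
    "USER asdfasdfasf: no such user found from 198.51.100.7 [198.51.100.7] to 203.0.113.5:21",
    # UseReverseDNS on: client logged by name; FQDN in the banner
    "Sep 24 02:03:10 srvtwc.example.invalid proftpd[9682]: ftp.example.invalid "
    "(client.example.invalid[198.51.100.8]) - USER bob: no such user found from "
    "client.example.invalid [198.51.100.8] to 203.0.113.5:21",
    # unrelated proftpd line: must not yield a block
    "Sep 24 02:04:00 srvtwc proftpd[9682]: 203.0.113.5 (198.51.100.9[198.51.100.9]) - FTP session opened.",
]


def block_target(line: str) -> Optional[str]:
    """Return the client IP to block for a 'no such user found' line, else None.

    Only the bracketed field is used: the name in front of it is whatever
    proftpd resolved (or the same IP again with UseReverseDNS off), and a
    hostname is not something a firewall rule should be built from.
    """
    m = NO_SUCH_USER.match(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("client_ip")))
    except ValueError:
        return None          # malformed bracket contents: refuse rather than guess


def scan(lines: List[str]) -> List[str]:
    """Run block_target over a log excerpt and return the addresses it would block."""
    return [t for t in (block_target(ln) for ln in lines) if t is not None]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(block_target(sample), "<-", sample[:70], "...")
```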
From: Mij <mi...@ss...> - 2009-09-27 11:45:13
As I see it, the corresponding rule in the parser is made for
hostnames instead of raw addresses.
Some of us will modify it to catch raw addresses in the next days,
keep an eye on the SVN if you care.

Btw, out of curiosity: is that raw ip resulting from a missing PTR
(see "dig +short -x <client.ip>") or can you configure ProFTP to not
reverse look-up client addresses? In the latter case, is that the
default on OpenSusy?

thanks for reporting
On Sep 24, 2009, at 10:19 , Art Salihu wrote:
> Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine
> scanning sshd. I've recently installed proftpd 1.3.2a and would
> like to configure sshguard to scan for proftpd log entries.
>
> I have proftpd set to default syslog. Here are my configurations.
>
> /etc/syslog-ng/syslog-ng.conf
> filter sshlogs { facility(auth, authpriv) and match("sshd"); };
> #filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
> destination sshguardproc {
> program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST
> $MESSAGE\n"));
> };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
> log { source(src); filter(f_proftpd); destination(sshguardproc); };
>
> The log format shows up as
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
>
> If pasted into a debug session of sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 162 ("server.ip")
> Next token is token IPv4 ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token IPv4 ()
> Stack now 0
>
>
> Any advice on what I'm doing wrong?
>
> Thanks!
From: Art S. <art...@gm...> - 2009-09-24 08:19:29
Using OpenSUSE 11.1, and currently have sshguard 1.4 running fine scanning
sshd. I've recently installed proftpd 1.3.2a and would like to configure
sshguard to scan for proftpd log entries.

I have proftpd set to default syslog. Here are my configurations.

/etc/syslog-ng/syslog-ng.conf
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
#filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
destination sshguardproc {
    program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
log { source(src); filter(f_proftpd); destination(sshguardproc); };
The log format shows up as

Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
If pasted into a debug session of sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) -
USER asdfasdfasf: no such user found from client.ip [client.ip] to
server.ip:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 162 ("server.ip")
Next token is token IPv4 ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token IPv4 ()
Stack now 0
Any advice on what I'm doing wrong?
Thanks!
From: David H. <dho...@gm...> - 2009-09-23 15:18:01
On Wed, Sep 23, 2009 at 9:10 AM, Emmanuel Alves <man...@gm...> wrote:
> Hi Mmj,
>
> There is my -list output
>
> 00010 allow ip from any to any via lo0
> 00020 deny ip from any to 127.0.0.0/8
> 00030 deny ip from 127.0.0.0/8 to any
> 00040 deny tcp from any to any frag
> 00050 check-state
> 00060 allow tcp from any to any established
> 00070 allow ip from any to any out keep-state
> 00080 allow icmp from any to any
> 00110 allow tcp from any to any dst-port 21 in
> 00120 allow tcp from any to any dst-port 21 out
> 00130 allow tcp from any to any dst-port 22 in
There is a rule ordering issue here. sshguard with ipfw by default
uses rules 55000-55050, so any allow rules for ports sshguard is
protecting need to be AFTER 55050.

This line (130) will allow anyone in to your ssh port regardless of
what sshguard detects, as ipfw only matches the first allow/deny line,
then stops processing. You need to change this line as follows:

ipfw delete 130
ipfw add 56000 allow tcp from any to any dst-port 22 in

man ipfw

for all the gory details.

You can also change the port range that sshguard uses by using a
./configure script parameter:

--with-ipfw-rules-range=MIN-MAX
    Specify the IDs range in which sshguard can put its block rules
    (Default: "55000-55050")
> 00140 allow tcp from any to any dst-port 22 out
> 00150 allow tcp from any to any dst-port 25 in
> 00160 allow tcp from any to any dst-port 25 out
> 00170 allow udp from any to any dst-port 53 in
> 00175 allow tcp from any to any dst-port 53 in
> 00180 allow udp from any to any dst-port 53 out
> 00185 allow tcp from any to any dst-port 53 out
> 00200 allow tcp from any to any dst-port 80 in
> 00210 allow tcp from any to any dst-port 80 out
> 00220 allow tcp from any to any dst-port 110 in
> 00230 allow tcp from any to any dst-port 110 out
> 00240 allow udp from any to any dst-port 123 in
> 00250 allow udp from any to any dst-port 123 out
> 00260 allow tcp from any to any dst-port 443 in
> 00270 allow tcp from any to any dst-port 443 out
> 00500 deny log logamount 100 ip from any to any
>
> Before, my last entry was
>
> 65000 deny log logamount 100 ip from any to any
>
> Then, i changed to "00500" this morning and now i have a lot of blocks of
> the sabe ip.
No, leave the deny ip from any to any line at 65000. That is where it belongs.
>
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55048 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
>
> ...
>
> 65535 allow ip from any to any
>
> The firewall is blocking?
No, I do not believe ipfw is blocking for you, as your deny rule is
after your allow rule. If you do a 'ipfw show' you can see rule
matching and packet matching counts as well as the list of rules to be
sure. If you see 0 0 as your counts, then you know the rule has never
matched anything.
Good Luck.
--Dave
>
> []s
>
> Emmanuel Alves
> man...@gm...
>
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
>
>
> On Wed, Sep 23, 2009 at 9:30 AM, Mij <mi...@ss...> wrote:
>>
>> Hi Emmanuel,
>>
>> I don't quite get from your email: do you see the blocking rules in
>> the IPFW chain?
>> I.e. what does "ipfw list" output after one blocking? You can perform
>> further in-depth
>> tracing by running
>>
>> sshguard -d
>>
>> and pasting in its console multiple times (until you get the blocking)
>> a line such as
>>
>> Invalid user wolff from 192.168.1.66
>>
>>
>> On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:
>>
>> > Hello,
>> >
>> > I'm using sshguard to protect my server against brute-force
>> > attacks; I configured the firewall (ipfw) to block all ports
>> > (except the default ports - apache, ftp...). But I think that my
>> > sshguard isn't blocking IP addresses that try to force access to SSH.
>> >
>> > This is my log from /var/log/security
>> >
>> > Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4
>> > failures over 8 seconds.
>> > Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from
>> > 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error
>> > for illegal user accounts from 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam
>> > for invalid user accounts from 83.234.231.11 port 49912 ssh2
>> > Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from
>> > 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error
>> > for illegal user aaron from 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam
>> > for invalid user aaron from 83.234.231.11 port 33210 ssh2
>> > Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4
>> > failures over 4 seconds.
>> >
>> > The same IP is blocked, but it can access afterwards.
>> >
>> > Is there any configuration in sshguard to specify the time an
>> > IP address will stay blocked?
>> >
>> > Thanks.
>> >
>> > []s
>> >
>> > Emmanuel Alves
>> > man...@gm...
>> >
>> > ---------------------------------------------------------------------
>> > Twitter: http://www.twitter.com/emartsnet
>> > Linked In: http://www.linkedin.com/in/emartsnet
>> >
>> > ------------------------------------------------------------------------------
>> > Come build with us! The BlackBerry® Developer Conference in SF, CA
>> > is the only developer event you need to attend this year. Jumpstart
>> > your
>> > developing skills, take BlackBerry mobile applications to market and
>> > stay
>> > ahead of the curve. Join us from November 9-12, 2009. Register
>> > now!
>> >
>> > http://p.sf.net/sfu/devconf
>> > _______________________________________________
>> > Sshguard-users mailing list
>> > Ssh...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>>
>
>
>
>
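Dave's diagnosis above rests on one property of ipfw: rules are evaluated in ascending number order and the first match wins. In the listing Emmanuel posted, rule 00130 allows any inbound TCP to port 22, and 00500 denies everything else, so the sshguard rules at 55000 and above are never consulted and their `ipfw show` counters stay at 0 0. The script below is an added example, not code from this thread or from sshguard. It parses an abridged copy of that `ipfw list` output, simulates a fresh inbound SSH connection from the address sshguard tried to block, and reports every sshguard-style deny rule that is shadowed by an earlier rule. The host address 198.51.100.10, the interface name em0 and the renumbering of the block rule to 00120 in the demonstration are assumptions made here for illustration; check the real counters with `ipfw show` after any change.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copy of the "ipfw list" output posted in this thread, plus one of the
# rules sshguard inserted at 55000. ipfw is first-match: rules are tried in
# ascending number order and the first one that matches decides the packet.
IPFW_LIST = """\
00010 allow ip from any to any via lo0
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00130 allow tcp from any to any dst-port 22 in
00500 deny log logamount 100 ip from any to any
55000 deny ip from 60.217.229.220 to me
65535 allow ip from any to any
"""
LOCAL_ADDRS = {"198.51.100.10"}   # assumed address of the protected host ("me")

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|check-state)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"(?:\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*))?\s*$")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    direction: str              # "in" or "out"
    established: bool = False   # a brute-forcer's new SYN is not established
    iface: str = "em0"          # assumed external interface name


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    number: int
    action: str
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    opts: List[str] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if self.action == "check-state":
            return False        # no dynamic state in this simulation
        if self.proto not in ("ip", pkt.proto):
            return False
        if not (_addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)):
            return False
        o = self.opts
        for i, tok in enumerate(o):
            if tok == "dst-port" and pkt.dport != int(o[i + 1]):
                return False
            if tok in ("in", "out") and pkt.direction != tok:
                return False
            if tok == "established" and not pkt.established:
                return False
            if tok == "via" and pkt.iface != o[i + 1]:
                return False
        return True             # keep-state and log options do not affect matching


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed ipfw rule: " + line)
        rules.append(Rule(int(m["num"]), m["action"], m["proto"], m["src"],
                          m["dst"], (m["rest"] or "").split()))
    return sorted(rules, key=lambda r: r.number)


def first_match(rules: List[Rule], pkt: Packet) -> Rule:
    for r in rules:
        if r.matches(pkt):
            return r
    raise RuntimeError("no rule matched; a real ipfw set always ends in 65535")


def shadowed_block_rules(rules: List[Rule], dport: int = 22) -> dict:
    """For every host-specific deny (the shape sshguard inserts), find which earlier
    rule a new inbound connection to dport from that host hits instead. Every rule
    reported here is one whose 'ipfw show' counters will stay at 0 0."""
    local = next(iter(LOCAL_ADDRS))
    report = {}
    for r in rules:
        if r.action == "deny" and r.dst == "me" and r.src != "any":
            hit = first_match(rules, Packet("tcp", r.src, local, dport, "in"))
            if hit.number != r.number:
                report[r.number] = hit.number
    return report


if __name__ == "__main__":
    print(shadowed_block_rules(parse_rules(IPFW_LIST)))
    # The same set with the block rule numbered below the port-22 allow (assumed fix):
    print(shadowed_block_rules(parse_rules(IPFW_LIST.replace("55000 deny", "00120 deny"))))
```

Running it against the posted listing reports `{55000: 130}`: the attacker's SYN to port 22 is accepted by rule 130 long before rule 55000 is reached. With the block rule numbered below the port-22 allow the report is empty, which is the ordering sshguard's deny rules need on this host.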
|
|
From: Emmanuel A. <man...@gm...> - 2009-09-23 13:10:19
|
Hi Mij,

Here is my 'ipfw list' output:

00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 25 in
00160 allow tcp from any to any dst-port 25 out
00170 allow udp from any to any dst-port 53 in
00175 allow tcp from any to any dst-port 53 in
00180 allow udp from any to any dst-port 53 out
00185 allow tcp from any to any dst-port 53 out
00200 allow tcp from any to any dst-port 80 in
00210 allow tcp from any to any dst-port 80 out
00220 allow tcp from any to any dst-port 110 in
00230 allow tcp from any to any dst-port 110 out
00240 allow udp from any to any dst-port 123 in
00250 allow udp from any to any dst-port 123 out
00260 allow tcp from any to any dst-port 443 in
00270 allow tcp from any to any dst-port 443 out
00500 deny log logamount 100 ip from any to any

Before, my last entry was

65000 deny log logamount 100 ip from any to any

Then I changed it to "00500" this morning, and now I have a lot of blocks of the same IP.

55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55000 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55001 deny ip from 60.217.229.220 to me
55048 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me
55049 deny ip from 60.217.229.220 to me

...

65535 allow ip from any to any

The firewall is blocking?

[]s

Emmanuel Alves
man...@gm...

---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet


On Wed, Sep 23, 2009 at 9:30 AM, Mij <mi...@ss...> wrote:
>
> Hi Emmanuel,
>
> I don't quite get from your email: do you see the blocking rules in
> the IPFW chain?
> I.e. what does "ipfw list" output after one blocking? You can perform
> further in-depth tracing by running
>
> sshguard -d
>
> and pasting in its console multiple times (until you get the blocking)
> a line such as
>
> Invalid user wolff from 192.168.1.66
>
>
> On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:
>
> > Hello,
> >
> > I'm using sshguard to protect my server against brute-force
> > attacks; I configured the firewall (ipfw) to block all ports
> > (except the default ports: apache, ftp...). But I think that my
> > sshguard isn't blocking IP addresses that try to force access to SSH.
> >
> > This is my log from /var/log/security
> >
> > Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
> > Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
> > Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
> > Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
> > Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
> > Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
> > Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
> > Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
> >
> > The same IP is blocked, but it can access afterwards.
> >
> > Is there any configuration in sshguard to specify the time an
> > IP address will stay blocked?
> >
> > Thanks.
> >
> > []s
> >
> > Emmanuel Alves
> > man...@gm...
> >
> > ---------------------------------------------------------------------
> > Twitter: http://www.twitter.com/emartsnet
> > Linked In: http://www.linkedin.com/in/emartsnet
> >
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Mij <mi...@ss...> - 2009-09-23 12:57:31
|
Hi Emmanuel,

I don't quite get from your email: do you see the blocking rules in the IPFW chain?
I.e. what does "ipfw list" output after one blocking? You can perform further in-depth
tracing by running

sshguard -d

and pasting in its console multiple times (until you get the blocking) a line such as

Invalid user wolff from 192.168.1.66


On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:

> Hello,
>
> I'm using sshguard to protect my server against brute-force
> attacks; I configured the firewall (ipfw) to block all ports
> (except the default ports: apache, ftp...). But I think that my
> sshguard isn't blocking IP addresses that try to force access to SSH.
>
> This is my log from /var/log/security
>
> Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
> Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
> Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
> Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
> Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
> Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
> Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
> Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
>
> The same IP is blocked, but it can access afterwards.
>
> Is there any configuration in sshguard to specify the time an
> IP address will stay blocked?
>
> Thanks.
>
> []s
>
> Emmanuel Alves
> man...@gm...
>
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Emmanuel A. <man...@gm...> - 2009-09-23 11:57:12
|
Hello,

I'm using sshguard to protect my server against brute-force attacks; I configured the firewall (ipfw) to block all ports (except the default ports: apache, ftp...). But I think that my sshguard isn't blocking IP addresses that try to force access to SSH.

This is my log from /var/log/security:

Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.

The same IP is blocked, but it can access afterwards.

Is there any configuration in sshguard to specify the time an IP address will stay blocked?

Thanks.

[]s

Emmanuel Alves
man...@gm...

---------------------------------------------------------------------
Twitter: http://www.twitter.com/emartsnet
Linked In: http://www.linkedin.com/in/emartsnet
|
|
From: Mij <mi...@bi...> - 2009-08-18 08:48:23
|
Hello,

Please check out HEAD, this was fixed somewhere not long ago.
In this specific case, however, all you are risking is some log pollution.

On Aug 12, 2009, at 22:08 , Mr. Mystify wrote:

> Hi,
>
> when testing if command injection is possible with that failure
> (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard 1.1
> I noticed that including the ',' symbol in the username breaks proper
> detection of failed logins.
>
> ##################
> # Test command
> ##################
> root@router-bl:~# ssh "test; touch 0wned"@server
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied, please try again.
> test; touch 0w...@sr...'s password:
> Permission denied (publickey,password).
> root@router-bl:~#
>
>
> ##################
> # /var/log/messages
> ##################
> Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
> Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
> Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned from 91.49.124.232
> Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
> Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
>
>
> But iptables sshguard chain remains empty:
> ##################
> # iptables chain
> ##################
> /var/log$ sudo iptables -L sshguard -nv
> Chain sshguard (1 references)
> pkts bytes target prot opt in out source destination
|
|
From: Mr. M. <che...@gm...> - 2009-08-12 20:09:15
|
Hi,

when testing if command injection is possible with that failure (something like 'ssh "<USER>; touch 0wned"@<SERVER>') using sshguard 1.1 I noticed that including the ',' symbol in the username breaks proper detection of failed logins.

##################
# Test command
##################
root@router-bl:~# ssh "test; touch 0wned"@server
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied, please try again.
test; touch 0w...@sr...'s password:
Permission denied (publickey,password).
root@router-bl:~#


##################
# /var/log/messages
##################
Aug 12 21:56:31 srv01 sshd[14820]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:31 srv01 sshd[14820]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:32 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:33 srv01 sshd[14820]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2100 ssh2
Aug 12 21:56:43 srv01 sshd[14822]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:43 srv01 sshd[14822]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:44 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:45 srv01 sshd[14822]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2101 ssh2
Aug 12 21:56:54 srv01 sshd[14824]: Invalid user test; touch 0wned from 91.49.124.232
Aug 12 21:56:54 srv01 sshd[14824]: Failed none for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:15 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:16 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2
Aug 12 21:57:17 srv01 sshd[14824]: Failed password for invalid user test; touch 0wned from 91.49.124.232 port 2102 ssh2


But iptables sshguard chain remains empty:
##################
# iptables chain
##################
/var/log$ sudo iptables -L sshguard -nv
Chain sshguard (1 references)
pkts bytes target prot opt in out source destination

Regards,
Mystify

On Tue, 2009-08-04 at 16:17 +0200, Mij wrote:
> Hello Jochem,
>
> what SSHGuard version are you using?
>
>
> On Aug 2, 2009, at 22:06 , Jochem Oosterveen wrote:
>
> > Hi there,
> >
> > I would like to submit a bug report.
> >
> > jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
> > Password:
> > Password:
> > Password:
> > Permission denied (publickey,keyboard-interactive).
> > jochem@office:~$
> >
> > Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
> > Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> > Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> > Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
> > Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.
> >
> > melon# pfctl -t sshguard -T show
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > 123.123.123.123
> > melon#
> >
> > Obviously, sshguard is blocking the wrong IP.
> >
> > Kind regards,
> > Jochem Oosterveen
> >
> > ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> > trial. Simplify your report design, integration and deployment - and focus on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Mij <mi...@bi...> - 2009-08-06 14:01:44
|
On Aug 4, 2009, at 21:08 , Peter Beckman wrote: > 1.4rc5 is out. I didn't build an sshguard-devel port, but maybe I > should > and submit it to Mij. You're welcome to submit your work directly to the FreeBSD project. Maintaining a well-made FreeBSD port is a pain in the a55 which I prefer not to extend any further on my side. Ideally the -devel port should reflect the master, that is, you should break it down as sshguard + the three port variants for the different firewall backends. Consider copying as much as possible from the current ports for stable. > /usr/ports/security/sshguard-devel --> cat distinfo > MD5 (sshguard-1.4rc5.tar.bz2) = ff57d62bb8891fe06748bc7c3968ff37 > SHA256 (sshguard-1.4rc5.tar.bz2) = > d12565cb7344113ada38a21abf7875c24aa073e0fe728f1d7d3e61b1f041567b > SIZE (sshguard-1.4rc5.tar.bz2) = 153697 > > /usr/ports/security --> diff -u sshguard/Makefile sshguard-devel/ > Makefile > --- sshguard/Makefile Sat Oct 4 18:36:11 2008 > +++ sshguard-devel/Makefile Tue Jul 21 19:05:36 2009 
> @@ -6,14 +6,15 @@ > # > > PORTNAME= sshguard > -PORTVERSION= 1.3 > +UNIQUENAME= sshguard-devel > +PORTVERSION= 1.4rc5 > CATEGORIES= security > MASTER_SITES= SF > > MAINTAINER= mi...@bi... > COMMENT?= Protect hosts from brute force attacks against ssh > and other services > > -CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard- > pf-1.* > +CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard- > pf-1.* sshguard-devel-1.* sshguard-devel-pf-1.* > > PLIST_FILES= sbin/sshguard > > It still installs incorrectly as sshguard-1.4rc5 because I didn't > take the > time to figure out how to make it install as sshguard-devel-1.4rc5, > but > these two modifications make the sshguard port install 1.4rc5 nicely. > > Beckman > > On Tue, 4 Aug 2009, Jochem Oosterveen wrote: > >> Hi Mij, >> >> On Aug 4, 2009, at 4:17 PM, Mij wrote: >>> what SSHGuard version are you using? >> >> The one currently in the FreeBSD ports tree: >> >> [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo >> MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c >> SHA256 (sshguard-1.3.tar.bz2) = >> 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac >> SIZE (sshguard-1.3.tar.bz2) = 140745 >> >> ------------------------------------------------------------------------------ >> Let Crystal Reports handle the reporting - Free Crystal Reports >> 2008 30-Day >> trial. Simplify your report design, integration and deployment - >> and focus on >> what you do best, core application coding. Discover what's new with >> Crystal Reports now. http://p.sf.net/sfu/bobj-july >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > > --------------------------------------------------------------------------- > Peter Beckman > Internet Guy > be...@an... 
http://www.angryox.com/ > --------------------------------------------------------------------------- > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 > 30-Day > trial. Simplify your report design, integration and deployment - and > focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Jochem O. <jo...@ai...> - 2009-08-06 13:25:25
|
On Aug 6, 2009, at 3:21 PM, Mij wrote:
> This was a mistake in the flex rule for the "Invalid user pattern",
> now fixed in HEAD.
> As we decided to wait for Federico to finish up the new website before
> releasing 1.4 stable, we'll probably wrap up the recent changes in a
> further 1.4rc6 in a few days. Thanks for reporting.

Cool, thanks for fixing. :)
|
|
From: Mij <mi...@bi...> - 2009-08-06 13:22:10
|
This was a mistake in the flex rule for the "Invalid user pattern", now fixed in HEAD.
As we decided to wait for Federico to finish up the new website before releasing 1.4 stable, we'll probably wrap up the recent changes in a further 1.4rc6 in a few days. Thanks for reporting.

On Aug 4, 2009, at 16:30 , Jochem Oosterveen wrote:

> Hi Mij,
>
> On Aug 4, 2009, at 4:17 PM, Mij wrote:
>> what SSHGuard version are you using?
>
> The one currently in the FreeBSD ports tree:
>
> [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
> MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
> SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
> SIZE (sshguard-1.3.tar.bz2) = 140745
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Peter B. <be...@an...> - 2009-08-04 19:08:39
|
1.4rc5 is out. I didn't build an sshguard-devel port, but maybe I should and submit it to Mij. /usr/ports/security/sshguard-devel --> cat distinfo MD5 (sshguard-1.4rc5.tar.bz2) = ff57d62bb8891fe06748bc7c3968ff37 SHA256 (sshguard-1.4rc5.tar.bz2) = d12565cb7344113ada38a21abf7875c24aa073e0fe728f1d7d3e61b1f041567b SIZE (sshguard-1.4rc5.tar.bz2) = 153697 /usr/ports/security --> diff -u sshguard/Makefile sshguard-devel/Makefile --- sshguard/Makefile Sat Oct 4 18:36:11 2008 +++ sshguard-devel/Makefile Tue Jul 21 19:05:36 2009 
@@ -6,14 +6,15 @@ # PORTNAME= sshguard -PORTVERSION= 1.3 +UNIQUENAME= sshguard-devel +PORTVERSION= 1.4rc5 CATEGORIES= security MASTER_SITES= SF MAINTAINER= mi...@bi... COMMENT?= Protect hosts from brute force attacks against ssh and other services -CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* +CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* sshguard-devel-1.* sshguard-devel-pf-1.* PLIST_FILES= sbin/sshguard It still installs incorrectly as sshguard-1.4rc5 because I didn't take the time to figure out how to make it install as sshguard-devel-1.4rc5, but these two modifications make the sshguard port install 1.4rc5 nicely. Beckman On Tue, 4 Aug 2009, Jochem Oosterveen wrote: > Hi Mij, > > On Aug 4, 2009, at 4:17 PM, Mij wrote: >> what SSHGuard version are you using? > > The one currently in the FreeBSD ports tree: > > [jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo > MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c > SHA256 (sshguard-1.3.tar.bz2) = > 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac > SIZE (sshguard-1.3.tar.bz2) = 140745 > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > --------------------------------------------------------------------------- Peter Beckman Internet Guy be...@an... http://www.angryox.com/ --------------------------------------------------------------------------- |
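Review bot: `UNIQUENAME= sshguard-devel` in the hunk does not change the resulting package name, which is why the port still installs as sshguard-1.4rc5 as noted under the diff; the ports convention for a development variant is `PKGNAMESUFFIX= -devel` next to the unchanged `PORTNAME= sshguard`, so DISTNAME and the distfile lookup keep working. Once that is in place the new CONFLICTS entries need a second look: `sshguard-devel-1.*` will match this port's own package, and only the pf variant (`sshguard-devel-pf-1.*`) is listed although the stable port also conflicts with the ipfilter and ipfw variants, which a split into the three backend ports would reproduce under the -devel name.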
|
From: Jochem O. <jo...@ai...> - 2009-08-04 14:30:35
|
Hi Mij,

On Aug 4, 2009, at 4:17 PM, Mij wrote:
> what SSHGuard version are you using?

The one currently in the FreeBSD ports tree:

[jochem@melon ~]$ cat /usr/ports/security/sshguard/distinfo
MD5 (sshguard-1.3.tar.bz2) = 0e4c82f3c3bfe0880cbb0cc43568f82c
SHA256 (sshguard-1.3.tar.bz2) = 1ff0ea3349c67fdab8f8046eeae6a96046a752ae7458c2259cb31b78c2de08ac
SIZE (sshguard-1.3.tar.bz2) = 140745
|
|
From: Mij <mi...@bi...> - 2009-08-04 14:17:58
|
Hello Jochem,

what SSHGuard version are you using?


On Aug 2, 2009, at 22:06 , Jochem Oosterveen wrote:

> Hi there,
>
> I would like to submit a bug report.
>
> jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
> Password:
> Password:
> Password:
> Permission denied (publickey,keyboard-interactive).
> jochem@office:~$
>
> Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
> Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
> Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
> Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
> Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.
>
> melon# pfctl -t sshguard -T show
> No ALTQ support in kernel
> ALTQ related functions disabled
> 123.123.123.123
> melon#
>
> Obviously, sshguard is blocking the wrong IP.
>
> Kind regards,
> Jochem Oosterveen
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
From: Jochem O. <jo...@ai...> - 2009-08-02 20:33:50
Hi there,

I would like to submit a bug report.

jochem@office:~$ ssh "test from 123.123.123.123"@melon.internex.nl
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
jochem@office:~$

Aug 2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
Aug 2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:00 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug 2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug 2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
Aug 2 21:58:01 melon sshguard[11056]: Blocking 123.123.123.123: 4 failures over 8 seconds.

melon# pfctl -t sshguard -T show
No ALTQ support in kernel
ALTQ related functions disabled
123.123.123.123
melon#

Obviously, sshguard is blocking the wrong IP.

Kind regards,
Jochem Oosterveen
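The report above shows why a log-driven blocker must never take the peer address from the first "from" after the user name: sshd logs the user-supplied name verbatim, and the real address is the one sshd itself appends at the end of the line. The following is an added example written for this thread, not sshguard's own parser: it contrasts a naive first-"from" pattern with one anchored on the trailing "from <addr> [port N] [ssh2]" token, and it refuses to act on any token that does not parse as an IP address (so the PAM lines, which carry a hostname, attribute nothing). The sample log is constructed to mirror the lines in Jochem's report.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, same shape and addresses as the lines quoted in the report above.
SAMPLE_LOG = """\
Aug  2 21:57:59 melon sshd[11103]: Invalid user test from 123.123.123.123 from 217.149.194.146
Aug  2 21:57:59 melon sshd[11103]: error: PAM: authentication error for illegal user test from 123.123.123.123 from office.aivd.net
Aug  2 21:57:59 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug  2 21:58:00 melon sshd[11103]: Failed keyboard-interactive/pam for invalid user test from 123.123.123.123 from 217.149.194.146 port 38367 ssh2
Aug  2 21:58:01 melon sshd[11108]: Invalid user test from 123.123.123.123 from 217.149.194.146
"""

# Naive pattern (hypothetical, shown for contrast): trusts the first "from <token>"
# that follows the user name, which is exactly the field the client controls.
NAIVE_RE = re.compile(r'[Ii]nvalid user (\S+) from (\S+)')

# Anchored pattern: the address sshd appends is always the LAST "from <addr>"
# on the line, optionally followed by "port N" and "ssh2", then end of line.
ANCHORED_RE = re.compile(r' from (\S+)(?: port \d+)?(?: ssh2)?\s*$')


def naive_source(line):
    """Peer address as the naive pattern sees it (may be attacker-chosen)."""
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None


def anchored_source(line):
    """Peer address from the trailing token, or None if it is not an IP address."""
    if 'sshd[' not in line:
        return None
    m = ANCHORED_RE.search(line)
    if not m:
        return None
    try:
        # Validate before use: a hostname (e.g. office.aivd.net) is not something
        # a blocker should feed to a firewall table, so it attributes nothing.
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def tally(lines, extract):
    """Count failures per extracted source address, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        src = extract(line)
        if src is not None:
            counts[src] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive   :", dict(tally(lines, naive_source)))     # blames 123.123.123.123
    print("anchored:", dict(tally(lines, anchored_source)))  # blames 217.149.194.146
```

With the sample above the naive tally reaches four failures for 123.123.123.123, the same count and the same wrong address that sshguard reported in the thread, while the anchored tally attributes all four to 217.149.194.146. The validation step matters on its own: a blocker that only ever inserts addresses it has parsed cannot be steered into adding an arbitrary string to a firewall table.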
From: Mij <mi...@bi...> - 2009-07-31 11:44:36
On Jul 31, 2009, at 12:53 , Tobias Lott wrote:

>>> Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
>>>
>>> # pfctl -t sshguard -T show
>>> ::ffff:CC.CC.CC.CC
>>
>> looks good, what's wrong?
>
> The Problem is that ::ffff:CC.CC.CC.CC is not a Valid IP Address for PF.
> Somehow Proftpd just puts ::ffff: in front of the real IPv4 Address so
> that's gotta be stripped off. Think I should dig up why proftpd is doing
> that.

It is a valid IPv6 address (IPv4 transitional), you read it as ::ffff:cccc:cccc
I bet PF does not insert an address into a table without validating it.
If you don't see blocking applied, try checking the rule itself.
From: Tobias L. <tl...@ga...> - 2009-07-31 10:53:50
On Fri, 31 Jul 2009 10:47:26 +0200
Mij <mi...@bi...> wrote:

> On Jul 31, 2009, at 02:57 , Tobias Lott wrote:
>
> > Dovecot looks fine:
> > Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> > Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.
> >
> > # pfctl -t sshguard -T show
> > CC.CC.CC.CC
> >
> >
> > Proftpd doesn't look that fine:
> > Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> > Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
> > Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
> > Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
> > Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> > Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
> > Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
> >
> > # pfctl -t sshguard -T show
> > ::ffff:CC.CC.CC.CC
>
> looks good, what's wrong?

The Problem is that ::ffff:CC.CC.CC.CC is not a Valid IP Address for PF.
Somehow Proftpd just puts ::ffff: in front of the real IPv4 Address so
that's gotta be stripped off. Think I should dig up why proftpd is doing
that.

-- 
Tobias Lott
From: Mij <mi...@bi...> - 2009-07-31 08:47:40
On Jul 31, 2009, at 02:57 , Tobias Lott wrote:

> Dovecot looks fine:
> Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<lala@lala>, method=PLAIN, rip=CC.CC.CC.CC, lip=SS.SS.SS.SS
> Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for >300secs: 1 failures over 0 seconds.
>
> # pfctl -t sshguard -T show
> CC.CC.CC.CC
>
>
> Proftpd doesn't look that fine:
> Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> Jul 31 02:47:49 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 seconds.
> Jul 31 02:47:49 hostname proftpd[72114]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed.
> Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened.
> Jul 31 02:48:05 hostname proftpd[72148]: hostname (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login failed): Limit access denies login
> Jul 31 02:48:05 hostname sshguard[71965]: Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 seconds.
> Jul 31 02:48:05 hostname sshguard[71965]: Offender '::ffff:CC.CC.CC.CC:6' seen 2 times.
>
> # pfctl -t sshguard -T show
> ::ffff:CC.CC.CC.CC

looks good, what's wrong?