sshguard-users — User questions and answers, bugs, and general support

[Sshguard-users] ip addrs not being parsed from log messages

[Adam C. <ada...@be...>]

sshguard 1.4rc3 on rhel5

My first host is up and running great and today I went to install to a 
second host.  But I must have missed documenting a step in my process 
because I'm having an issue.  Looks like the IP address isn't being 
parsed out the log message correctly.  Here's a simple example, running 
from the command line with debug:

[root@ebi-prod01 sbin]# sshguard -d -a 2 -p 10
Started successfully [(a,p,s)=(2, 10, 1200)], now ready to scan.
Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from 
128.32.152.8 port 61158 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 96 ("Apr 21 14:11:00 
ebi-prod01 sshd[21594]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 169 (" ")
--accepting rule at line 113 ("Failed password for adam from ")
Next token is token SSH_LOGINERR_PREF ()
Shifting token SSH_LOGINERR_PREF ()
Entering state 6
Reading a token: --accepting rule at line 159 ("128")
Next token is token INTEGER ()
Error: popping token SSH_LOGINERR_PREF ()
Stack now 0 1
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token INTEGER ()
Stack now 0

I've tried modifying the input but only get a reasonable response when I 
use a hostname:

[root@ebi-prod01 sbin]# sshguard -d -a 2 -p 10
Started successfully [(a,p,s)=(2, 10, 1200)], now ready to scan.
Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from 
tech.dyn.berkeley.edu <http://tech.dyn.berkeley.edu> port 51152 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 96 ("Apr 21 14:11:00 
ebi-prod01 sshd[21594]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 169 (" ")
--accepting rule at line 113 ("Failed password for adam from ")
Next token is token SSH_LOGINERR_PREF ()
Shifting token SSH_LOGINERR_PREF ()
Entering state 6
Reading a token: --accepting rule at line 158 ("tech.dyn.berkeley.edu 
<http://tech.dyn.berkeley.edu>")
Next token is token HOSTADDR ()
Shifting token HOSTADDR ()
Entering state 40
Reducing stack by rule 18 (line 115):
   $1 = token HOSTADDR ()
Could not resolve hostname 'tech.dyn.berkeley.edu 
<http://tech.dyn.berkeley.edu>' in IPv4 address: Unknown host.
Could not resolve hostname 'tech.dyn.berkeley.edu 
<http://tech.dyn.berkeley.edu>' in IPv6 address: Unknown host.
Could not resolve hostname 'tech.dyn.berkeley.edu 
<http://tech.dyn.berkeley.edu>' in IPv4 nor IPv6 address!
Stack now 0 1 6
Cleanup: popping token SSH_LOGINERR_PREF ()
Cleanup: popping token SYSLOG_BANNER_PID ()

I've also recompiled and replaced the binary to no avail.  I am afraid 
that I did see this symptom at one point during my first installation 
but I have no notes on what cleared the problem.  Any suggestions?

thanks
Adam

-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709

Re: [Sshguard-users] blocking ports different from 22

[michele <mi...@ma...>]

On 21-04-2009 15:04, michele wrote:

> How can I tell to sshguard (1.3) to block my ssh port and not the
> default 22?

Responding to myself...

In fwalls/command_ipfilter.h there's the
#define COMMAND_BLOCK
which defines the IPFILTER rule to be added and the port 22 is hard coded.

I think it should be interesting to have a command line option to pass 
to sshguard the ssh listening port, even if using a different port 
drastically decreases the number of scans by attackers.

If you think this feature can be interesting, I can provide a patch.

Bye

[Sshguard-users] blocking ports different from 22

[michele <mi...@ma...>]

On a FreeBSD machine, I've an ssh daemon listening on a port different
from the default 22.
After some failures, the following IPFILTER rule is added to my
ipf.rules:

block in quick proto tcp from x.x.x.x to any port = 22

How can I tell to sshguard (1.3) to block my ssh port and not the
default 22?

Thanks

Re: [Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Hi Mij,

I have updated my init script to use the -d option and that is working. 
It does not appear to log to the auth.log file I am using, any details 
of the incoming blocked connections, I assume this is expected.

Further I am not sure how to snap the entries into sshguard when running 
with -d, can you detail what you want me to do there or provide a link?

Now here is an update as I have been watching this while running under 
the -d option. I got to 30 entries in the iptables chain and it stopped 
working. I was on the console and watching the logs go by from the -d 
output. I noticed at one point there  was no more updates from the 
console. I attempted to login incorrectly from a few remote locations 
and I never got blocked, I could attempt to login over and over and 
there was NO output from sshguard as before. The process was still 
running but it was like it was just doing nothing. It remained like this 
for a few hours until restart.

So our problem does not appear to be unrecognized entries but any entry 
after some time or some number of previous blocking events, it just stop 
s working.

I used the init to stop and start and tested and it is working again all 
fine. Let me know how you would like to proceed on gathering more data 
on this issue if interested.

Thanks,
greg



Mij wrote:
> Hello,
> 
> sorry for the latency, busy time.
> 
> Whenever you see some log entries that you expect to be "suspicious"  
> but are
> not recognized as such, you should repeat the manual check: pick the  
> log entry
> as-is, and snap it into sshguard run with -d. This takes few seconds  
> and both
> confirms whether the entry should be recognized, and if not shows why  
> with
> descriptive output.
> 
> Can you do this and, if failed, send in the precise log entry that  
> fails to be reported?
> 
> 
> On Mar 26, 2009, at 17:10 , Greg Parrish wrote:
> 
>> Greg Parrish wrote:
>>> Mij wrote:
>>>> As SimCList is used for recording those, there is no such limit by
>>>> design.
>>> Okay that is good to know. I check on another host we have  
>>> elsewhere and
>>> it has 72 entries in the table so it is not seeing this limit.
>>>
>>>> What evidence makes you think that (nothing logged, errors or else)?
>>> As mentioned there are entries showing in Logwatch for multiple  
>>> logins
>>> on valid user names that are not being prevented after 2 failed  
>>> logins.
>>> For example today:
>>>
>>>   ftp/password from 219.94.152.55: 7 Time(s)
>>>
>>> Once I noticed this I logged in from a remote location with an  
>>> invalid
>>> password and it does not initiate a block from my IP address. For  
>>> example:
>>>
>>> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from
>>> 129.90.96.101 port 12156 ssh2
>>> Mar 17 08:07:13 arnold last message repeated 2 times
>>> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from
>>> 129.90.96.101 port 12186 ssh2
>>> Mar 17 08:07:23 arnold last message repeated 2 times
>>> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>>
>>>
>>>> Run sshguard in interactive mode (add -d) and paste attack lines
>>>> repeatedly, change address once one has been blocked, and please  
>>>> report what happens
>>>> at the 17th time.
>>> I botched it. I used the init script to take it down and it cleared  
>>> the
>>> iptables DROP list in the sshguard chain. I do have the new logging
>>> where this same IP is now blocked:
>>>
>>>
>>> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from
>>> 129.90.96.101 port 12353 ssh2
>>> Mar 17 08:11:33 arnold last message repeated 2 times
>>> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by  
>>> 129.90.96.101
>>> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>>> user=gparrish
>>> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure;
>>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>>> user=gparrish
>>> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from
>>> 129.90.96.101 port 12362 ssh2
>>> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2
>>> failures over 10 seconds.
>>>
>>>
>>> Once I get back to this point I will kill the process and initiate it
>>> with the -d option and report back.
>>>
>>> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
>>>
>>> -greg
>>>
>>>
>>>
>>>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am using the following parameters for sshguard (v1.3). I know  
>>>>> the -p
>>>>> is huge and we dont mind blacklisting intruders for long periods. I
>>>>> noticed today in logwatch and from further testing that once we  
>>>>> reach
>>>>> about 16 entries in the accumulated list for iptables that no  
>>>>> further
>>>>> entries are being accepted.
>>>>>
>>>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/
>>>>> sshguard.whitelist
>>>>>
>>>>> Please review and let me know if you need more information or logs.
>>>>> I am
>>>>> wondering if there is a limit somewhere in the binary or if this  
>>>>> is by
>>>>> design.
>>>>>
>>>>> Thanks,
>>>>> greg
>>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)  
>>> are
>>> powering Web 2.0 with engaging, cross-platform capabilities.  
>>> Quickly and
>>> easily build your RIAs with Flex Builder, the Eclipse(TM)based  
>>> development
>>> software that enables intelligent coding and step-through debugging.
>>> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> Okay I have ran into this problem again. This time we have 12  
>> entries in
>> the drop table, last time was 16. Logwatch shows multiple root login
>> attempts from the same IP which does not happen when this is working.
>>
>> I ran the command with the -d option but I get no output. I tried
>> connecting to the host 7 times, with 3 failed logins each and nothing,
>> so of what I am seeing otherwise.
>>
>> /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
>> /etc/sshguard.whitelist
>>
>>
>> SSH Guard Server Log from CLI:
>>
>> [hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
>> /etc/sshguard.whitelist
>> whitelist: add '192.168.122.234' as plain IPv4.
>> whitelist: add plain ip 192.168.122.234.
>> whitelist: add '127.0.0.1' as plain IPv4.
>> whitelist: add plain ip 127.0.0.1.
>> Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.
>>
>> -greg
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> 
> 
> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and 
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today. 
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] new installation

[Adam C. <ada...@be...>]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffcc" text="#000099">
<tt>1.4rc3<br>
<br>
I ran a simple test from a known ssh client and purposely entered a bad
password.&nbsp; Sshguard caught it and blocked the host.&nbsp; So I guess I need
to look more closely at why this other attacker isn't getting blocked.&nbsp;
<br>
<br>
It looks like he's trying to guess a user name and then makes one
password attempt before trying another account name.&nbsp; I might need to
lower the threshold to 1 but that could be harsh on real users who
mistype a legitimate password.<br>
<br>
</tt><br>
Mij wrote:
<blockquote cite="mid:CFE...@bi..."
 type="cite">
  <pre wrap="">On Apr 18, 2009, at 0:56 , Adam Cohen wrote:

  </pre>
  <blockquote type="cite">
    <pre wrap="">Running interactively seems to work fine.

In my log, the message for the release that failed shows an  
incomplete IP.  (see "Releaseing 4...." below)
It looks like the IP address might not have been parsed out  
completely?

Also, not sure how to report this, but my version of Redhat  
generates a message that sshguard isn't catching.  They look like  
this:

Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid  
user staff from 209.9.188.68 port 54513 ssh2
    </pre>
  </blockquote>
  <pre wrap=""><!---->
This is supported; which version did you install? Have a peek at the  
SVN version
<a class="moz-txt-link-freetext" href="http://sshguard.sourceforge.net/svn.html">http://sshguard.sourceforge.net/svn.html</a>

  </pre>
  <blockquote type="cite">
    <pre wrap="">Can additional scanning rules be added by the user (me?)   I will  
look at the source in svn to see how this is structured.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
You can sure do that if you're vaguely familiar with Yacc parsers.
In general, users can submit here
<a class="moz-txt-link-freetext" href="http://sshguard.sourceforge.net/newattackpatt.php">http://sshguard.sourceforge.net/newattackpatt.php</a>

I periodically check there and integrate.

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. <a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/p">http://p.sf.net/sfu/p</a>
_______________________________________________
Sshguard-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ssh...@li...">Ssh...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/sshguard-users">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a>
  </pre>
</blockquote>
</body>
</html>

Re: [Sshguard-users] new installation

[Mij <mi...@bi...>]

On Apr 18, 2009, at 0:56 , Adam Cohen wrote:

> Running interactively seems to work fine.
>
> In my log, the message for the release that failed shows an  
> incomplete IP.  (see "Releaseing 4...." below)
> It looks like the IP address might not have been parsed out  
> completely?
>
> Also, not sure how to report this, but my version of Redhat  
> generates a message that sshguard isn't catching.  They look like  
> this:
>
> Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid  
> user staff from 209.9.188.68 port 54513 ssh2

This is supported; which version did you install? Have a peek at the  
SVN version
http://sshguard.sourceforge.net/svn.html

> Can additional scanning rules be added by the user (me?)   I will  
> look at the source in svn to see how this is structured.

You can sure do that if you're vaguely familiar with Yacc parsers.
In general, users can submit here
http://sshguard.sourceforge.net/newattackpatt.php

I periodically check there and integrate.

Re: [Sshguard-users] new installation

[Adam C. <ada...@be...>]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Running interactively seems to work fine.&nbsp;&nbsp; <br>
<br>
In my log, the message for the release that failed shows an incomplete
IP.&nbsp; (see "Releaseing 4...." below)<br>
It looks like the IP address might not have been parsed out completely?<br>
<br>
Also, not sure how to report this, but my version of Redhat generates a
message that sshguard isn't catching.&nbsp; They look like this:<br>
<br>
<div class="moz-text-html" lang="x-western"><tt>Apr 17 14:42:41 prod-02
sshd[12923]: Failed password for invalid user staff from 209.9.188.68
port 54513 ssh2<br>
</tt></div>
<br>
Can additional scanning rules be added by the user (me?)&nbsp;&nbsp; I will look
at the source in svn to see how this is structured.<br>
<br>
thanks<br>
Adam<br>
<br>
<br>
Mij wrote:
<blockquote cite="mid:2EE...@bi..."
 type="cite">
  <pre wrap="">On Apr 16, 2009, at 19:09 , Adam Cohen wrote:

  </pre>
  <blockquote type="cite">
    <pre wrap="">greetings,
I've recently installed sshguard 1x. on a Redhat box and it seems to  
be
working well.  However, I noticed the following on my system log:

Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402
seconds.
Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed.  
Exited: -1

Seems like the dynamic removal of blocked hosts from iptables is
failing.   iptables -L shows multiple entries for the same host on the
sshguard chain.  Is this a valid conclusion?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
yes, reasonable if releasing fails.


  </pre>
  <blockquote type="cite">
    <pre wrap="">Any ideas on why or how to fix?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
can you run sshguard manually, as root:

/usr/local/bin/sshguard -d -a2 -p10

and then paste *2 times* as its input one line like:
Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4

it should block the address. Wait some seconds, it should release it.
If you still see the "Release command failed. Exited: -1", there
should now be more debug info. Please send that in.


  </pre>
  <blockquote type="cite">
    <pre wrap="">thanks

-- 
Adam Cohen
IT Manager
Energy Biosciences Institute
109 Calvin Lab
642-7709


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today.
Use priority code J9JMT32. <a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/p">http://p.sf.net/sfu/p</a>
_______________________________________________
Sshguard-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ssh...@li...">Ssh...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/sshguard-users">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a>
    </pre>
  </blockquote>
  <pre wrap=""><!---->

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. <a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/p">http://p.sf.net/sfu/p</a>
_______________________________________________
Sshguard-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ssh...@li...">Ssh...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/sshguard-users">https://lists.sourceforge.net/lists/listinfo/sshguard-users</a>
  </pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
</pre>
</body>
</html>

Re: [Sshguard-users] new installation

[Mij <mi...@bi...>]

On Apr 16, 2009, at 19:09 , Adam Cohen wrote:

> greetings,
> I've recently installed sshguard 1x. on a Redhat box and it seems to  
> be
> working well.  However, I noticed the following on my system log:
>
> Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402
> seconds.
> Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed.  
> Exited: -1
>
> Seems like the dynamic removal of blocked hosts from iptables is
> failing.   iptables -L shows multiple entries for the same host on the
> sshguard chain.  Is this a valid conclusion?

yes, reasonable if releasing fails.


> Any ideas on why or how to fix?

can you run sshguard manually, as root:

/usr/local/bin/sshguard -d -a2 -p10

and then paste *2 times* as its input one line like:
Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4

it should block the address. Wait some seconds, it should release it.
If you still see the "Release command failed. Exited: -1", there
should now be more debug info. Please send that in.


>
> thanks
>
> -- 
> Adam Cohen
> IT Manager
> Energy Biosciences Institute
> 109 Calvin Lab
> 642-7709
>
>
> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today.
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHGuard Limits

[Mij <mi...@bi...>]

Hello,

sorry for the latency, busy time.

Whenever you see some log entries that you expect to be "suspicious"  
but are
not recognized as such, you should repeat the manual check: pick the  
log entry
as-is, and snap it into sshguard run with -d. This takes few seconds  
and both
confirms whether the entry should be recognized, and if not shows why  
with
descriptive output.

Can you do this and, if failed, send in the precise log entry that  
fails to be reported?


On Mar 26, 2009, at 17:10 , Greg Parrish wrote:

> Greg Parrish wrote:
>> Mij wrote:
>>> As SimCList is used for recording those, there is no such limit by
>>> design.
>>
>> Okay that is good to know. I check on another host we have  
>> elsewhere and
>> it has 72 entries in the table so it is not seeing this limit.
>>
>>> What evidence makes you think that (nothing logged, errors or else)?
>>
>> As mentioned there are entries showing in Logwatch for multiple  
>> logins
>> on valid user names that are not being prevented after 2 failed  
>> logins.
>> For example today:
>>
>>   ftp/password from 219.94.152.55: 7 Time(s)
>>
>> Once I noticed this I logged in from a remote location with an  
>> invalid
>> password and it does not initiate a block from my IP address. For  
>> example:
>>
>> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>> user=gparrish
>> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from
>> 129.90.96.101 port 12156 ssh2
>> Mar 17 08:07:13 arnold last message repeated 2 times
>> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by  
>> 129.90.96.101
>> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>> user=gparrish
>> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>> user=gparrish
>> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from
>> 129.90.96.101 port 12186 ssh2
>> Mar 17 08:07:23 arnold last message repeated 2 times
>> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by  
>> 129.90.96.101
>> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>> user=gparrish
>>
>>
>>> Run sshguard in interactive mode (add -d) and paste attack lines
>>> repeatedly, change address once one has been blocked, and please  
>>> report what happens
>>> at the 17th time.
>>
>> I botched it. I used the init script to take it down and it cleared  
>> the
>> iptables DROP list in the sshguard chain. I do have the new logging
>> where this same IP is now blocked:
>>
>>
>> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>> user=gparrish
>> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from
>> 129.90.96.101 port 12353 ssh2
>> Mar 17 08:11:33 arnold last message repeated 2 times
>> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by  
>> 129.90.96.101
>> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101
>> user=gparrish
>> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101   
>> user=gparrish
>> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from
>> 129.90.96.101 port 12362 ssh2
>> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2
>> failures over 10 seconds.
>>
>>
>> Once I get back to this point I will kill the process and initiate it
>> with the -d option and report back.
>>
>> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
>>
>> -greg
>>
>>
>>
>>>
>>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>>
>>>> Hi,
>>>>
>>>> I am using the following parameters for sshguard (v1.3). I know  
>>>> the -p
>>>> is huge and we dont mind blacklisting intruders for long periods. I
>>>> noticed today in logwatch and from further testing that once we  
>>>> reach
>>>> about 16 entries in the accumulated list for iptables that no  
>>>> further
>>>> entries are being accepted.
>>>>
>>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/
>>>> sshguard.whitelist
>>>>
>>>> Please review and let me know if you need more information or logs.
>>>> I am
>>>> wondering if there is a limit somewhere in the binary or if this  
>>>> is by
>>>> design.
>>>>
>>>> Thanks,
>>>> greg
>>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)  
>> are
>> powering Web 2.0 with engaging, cross-platform capabilities.  
>> Quickly and
>> easily build your RIAs with Flex Builder, the Eclipse(TM)based  
>> development
>> software that enables intelligent coding and step-through debugging.
>> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
>
> Okay I have ran into this problem again. This time we have 12  
> entries in
> the drop table, last time was 16. Logwatch shows multiple root login
> attempts from the same IP which does not happen when this is working.
>
> I ran the command with the -d option but I get no output. I tried
> connecting to the host 7 times, with 3 failed logins each and nothing,
> so of what I am seeing otherwise.
>
> /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
> /etc/sshguard.whitelist
>
>
> SSH Guard Server Log from CLI:
>
> [hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w
> /etc/sshguard.whitelist
> whitelist: add '192.168.122.234' as plain IPv4.
> whitelist: add plain ip 192.168.122.234.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.
>
> -greg
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguar has not stopped attack

[Mij <mi...@bi...>]

On Mar 10, 2009, at 15:53 , Leonid Shulov wrote:

> sshguar has not stopped attack from IP, which were sent 1 ssh in 1
> second - to 2-10 seconds.
> In my opinion attack needs to be stopped if from one IP more -a<> hits
> in -p<> seconds.
>
> Mar 10 14:30:27 router sshd[28492]: Invalid user raimundo from  
> 83.15.28.2
> Mar 10 14:30:28 router sshd[28494]: Invalid user joan from 83.15.28.2
> [...]
> Mar 10 14:31:17 router sshd[28550]: Invalid user altagracia from  
> 83.15.28.2
> Mar 10 14:31:19 router sshd[28552]: Invalid user piedad from  
> 83.19.51.22
> ........
>
> Now I try svn rev. 85 with:
> router:~/sshguard_svn_090310/sshguard/src# ./sshguard -d -a 2 -b
> 1:/var/cache/sshguard/blacklist

these entries are valid, they should be recognized. What does this  
latter test
say? When run regularly, you should see log entries like "Blocking  
83.15.28.2:4 for ".
If these don't appear, sshguard is probably not receiving such log  
messages. If
they do appear and the address is not blocked, there may be a problem  
with the
firewall backend (permissions, or mechanism).

Re: [Sshguard-users] SSHGuard Limits

[Mij <mi...@bi...>]

On Apr 8, 2009, at 14:27 , Greg Parrish wrote:

> I am still having this same issue as it continues every few days. This
> time had about 20 entries in the iptable sshguard chain before it stop
> working.
>
> 1. Start sshguard using init script
> 2. Runs fine and stops attacks for days (verified with logwatch)
> 3. New logwatch shows many ssh root login attempts from single IP
> 4. Restart sshgaurd using init, clears iptables chain and begins  
> working
>
> I have verified the above using my own failed login from outside  
> hosts.
>
> Again I stopped sshguard using pkill and then the init (which clears  
> the
> chain filter list) and ran this manually as requested and it does
> nothing, no log, no screen output. Can I get some idea on how to  
> better
> troubleshoot this issue please?

this is interesting news. I have never observed this behavior and I'm  
very
interested in it. Please do this:
1) wait until you observe this behaviour (stopping recognition)
2) locate the place in logs where sshguard started last
3) send in all the log activity related to ssh after that.

You can easily use awk to obfuscate hostnames, IPs and user names.
As I can't reproduce this behaviour, I don't see any other way to  
inspect
the problem.


>
> [root@hostname ~]# /usr/local/sbin/sshguard -d -a 2 -p 2592000 -s 1800
> -w /etc/sshguard.whitelist
> whitelist: add '192.168.122.234' as plain IPv4.
> whitelist: add plain ip 192.168.122.234.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(2, 2592000, 1800)], now ready to scan.
>
>
> After a few attacks from the outside (>2) there is no blocking, no  
> log,
> nothing when running this manually as suggested previously as seen  
> above.
>
> Thanks much,
> -greg

[Sshguard-users] new installation

[Adam C. <ada...@be...>]

greetings,
I've recently installed sshguard 1x. on a Redhat box and it seems to be 
working well.  However, I noticed the following on my system log:

Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402 
seconds.
Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed. Exited: -1

Seems like the dynamic removal of blocked hosts from iptables is 
failing.   iptables -L shows multiple entries for the same host on the 
sshguard chain.  Is this a valid conclusion?  Any ideas on why or how to 
fix?

thanks

-- 
Adam Cohen
IT Manager
Energy Biosciences Institute
109 Calvin Lab
642-7709

Re: [Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Greg Parrish wrote:
> Greg Parrish wrote:
>> Mij wrote:
>>> As SimCList is used for recording those, there is no such limit by  
>>> design.
>> Okay that is good to know. I check on another host we have elsewhere and 
>> it has 72 entries in the table so it is not seeing this limit.
>>
>>> What evidence makes you think that (nothing logged, errors or else)?
>> As mentioned there are entries showing in Logwatch for multiple logins 
>> on valid user names that are not being prevented after 2 failed logins. 
>> For example today:
>>
>>     ftp/password from 219.94.152.55: 7 Time(s)
>>
>> Once I noticed this I logged in from a remote location with an invalid 
>> password and it does not initiate a block from my IP address. For example:
>>
>> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure; 
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
>> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from 
>> 129.90.96.101 port 12156 ssh2
>> Mar 17 08:07:13 arnold last message repeated 2 times
>> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by 129.90.96.101
>> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication 
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
>> user=gparrish
>> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure; 
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
>> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from 
>> 129.90.96.101 port 12186 ssh2
>> Mar 17 08:07:23 arnold last message repeated 2 times
>> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by 129.90.96.101
>> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication 
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
>> user=gparrish
>>
>>
>>> Run sshguard in interactive mode (add -d) and paste attack lines  
>>> repeatedly, change address once one has been blocked, and please report what happens
>>> at the 17th time.
>> I botched it. I used the init script to take it down and it cleared the 
>> iptables DROP list in the sshguard chain. I do have the new logging 
>> where this same IP is now blocked:
>>
>>
>> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure; 
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
>> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from 
>> 129.90.96.101 port 12353 ssh2
>> Mar 17 08:11:33 arnold last message repeated 2 times
>> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by 129.90.96.101
>> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication 
>> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
>> user=gparrish
>> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure; 
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
>> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from 
>> 129.90.96.101 port 12362 ssh2
>> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2 
>> failures over 10 seconds.
>>
>>
>> Once I get back to this point I will kill the process and initiate it 
>> with the -d option and report back.
>>
>> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
>>
>> -greg
>>
>>
>>
>>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>>
>>>> Hi,
>>>>
>>>> I am using the following parameters for sshguard (v1.3). I know the -p
>>>> is huge and we dont mind blacklisting intruders for long periods. I
>>>> noticed today in logwatch and from further testing that once we reach
>>>> about 16 entries in the accumulated list for iptables that no further
>>>> entries are being accepted.
>>>>
>>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/ 
>>>> sshguard.whitelist
>>>>
>>>> Please review and let me know if you need more information or logs.  
>>>> I am
>>>> wondering if there is a limit somewhere in the binary or if this is by
>>>> design.
>>>>
>>>> Thanks,
>>>> greg
>>>>
>>
>> ------------------------------------------------------------------------------
>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
>> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
>> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
>> software that enables intelligent coding and step-through debugging.
>> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> 
> 
> 
> Okay I have ran into this problem again. This time we have 12 entries in 
> the drop table, last time was 16. Logwatch shows multiple root login 
> attempts from the same IP which does not happen when this is working.
> 
> I ran the command with the -d option but I get no output. I tried 
> connecting to the host 7 times, with 3 failed logins each and nothing, 
> so of what I am seeing otherwise.
> 
> /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w 
> /etc/sshguard.whitelist
> 
> 
> SSH Guard Server Log from CLI:
> 
> [hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w 
> /etc/sshguard.whitelist
> whitelist: add '192.168.122.234' as plain IPv4.
> whitelist: add plain ip 192.168.122.234.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.
> 
> -greg
> 
> 

I am still having this same issue as it continues every few days. This 
time had about 20 entries in the iptable sshguard chain before it stop 
working.

1. Start sshguard using init script
2. Runs fine and stops attacks for days (verified with logwatch)
3. New logwatch shows many ssh root login attempts from single IP
4. Restart sshgaurd using init, clears iptables chain and begins working

I have verified the above using my own failed login from outside hosts.

Again I stopped sshguard using pkill and then the init (which clears the 
chain filter list) and ran this manually as requested and it does 
nothing, no log, no screen output. Can I get some idea on how to better 
troubleshoot this issue please?



[root@hostname ~]# /usr/local/sbin/sshguard -d -a 2 -p 2592000 -s 1800 
-w /etc/sshguard.whitelist
whitelist: add '192.168.122.234' as plain IPv4.
whitelist: add plain ip 192.168.122.234.
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain ip 127.0.0.1.
Started successfully [(a,p,s)=(2, 2592000, 1800)], now ready to scan.


After a few attacks from the outside (>2) there is no blocking, no log, 
nothing when running this manually as suggested previously as seen above.

Thanks much,
-greg

Re: [Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Greg Parrish wrote:
> Mij wrote:
>> As SimCList is used for recording those, there is no such limit by  
>> design.
> 
> Okay that is good to know. I check on another host we have elsewhere and 
> it has 72 entries in the table so it is not seeing this limit.
> 
>> What evidence makes you think that (nothing logged, errors or else)?
> 
> As mentioned there are entries showing in Logwatch for multiple logins 
> on valid user names that are not being prevented after 2 failed logins. 
> For example today:
> 
>     ftp/password from 219.94.152.55: 7 Time(s)
> 
> Once I noticed this I logged in from a remote location with an invalid 
> password and it does not initiate a block from my IP address. For example:
> 
> Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
> Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from 
> 129.90.96.101 port 12156 ssh2
> Mar 17 08:07:13 arnold last message repeated 2 times
> Mar 17 08:07:13 arnold sshd[17505]: Connection closed by 129.90.96.101
> Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication 
> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
> user=gparrish
> Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
> Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from 
> 129.90.96.101 port 12186 ssh2
> Mar 17 08:07:23 arnold last message repeated 2 times
> Mar 17 08:07:23 arnold sshd[17509]: Connection closed by 129.90.96.101
> Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication 
> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
> user=gparrish
> 
> 
>> Run sshguard in interactive mode (add -d) and paste attack lines  
>> repeatedly, change address once one has been blocked, and please report what happens
>> at the 17th time.
> 
> I botched it. I used the init script to take it down and it cleared the 
> iptables DROP list in the sshguard chain. I do have the new logging 
> where this same IP is now blocked:
> 
> 
> Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
> Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from 
> 129.90.96.101 port 12353 ssh2
> Mar 17 08:11:33 arnold last message repeated 2 times
> Mar 17 08:11:33 arnold sshd[17697]: Connection closed by 129.90.96.101
> Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication 
> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
> user=gparrish
> Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
> Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from 
> 129.90.96.101 port 12362 ssh2
> Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2 
> failures over 10 seconds.
> 
> 
> Once I get back to this point I will kill the process and initiate it 
> with the -d option and report back.
> 
> Using Centos 4.2 on 2.6.9-22.0.1.ELsmp
> 
> -greg
> 
> 
> 
>>
>> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
>>
>>> Hi,
>>>
>>> I am using the following parameters for sshguard (v1.3). I know the -p
>>> is huge and we dont mind blacklisting intruders for long periods. I
>>> noticed today in logwatch and from further testing that once we reach
>>> about 16 entries in the accumulated list for iptables that no further
>>> entries are being accepted.
>>>
>>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/ 
>>> sshguard.whitelist
>>>
>>> Please review and let me know if you need more information or logs.  
>>> I am
>>> wondering if there is a limit somewhere in the binary or if this is by
>>> design.
>>>
>>> Thanks,
>>> greg
>>>
> 
> 
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users



Okay I have ran into this problem again. This time we have 12 entries in 
the drop table, last time was 16. Logwatch shows multiple root login 
attempts from the same IP which does not happen when this is working.

I ran the command with the -d option but I get no output. I tried 
connecting to the host 7 times, with 3 failed logins each and nothing, 
so of what I am seeing otherwise.

/usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w 
/etc/sshguard.whitelist


SSH Guard Server Log from CLI:

[hostname]# /usr/local/sbin/sshguard -d -a 2 -p 25920000 -s 1800 -w 
/etc/sshguard.whitelist
whitelist: add '192.168.122.234' as plain IPv4.
whitelist: add plain ip 192.168.122.234.
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain ip 127.0.0.1.
Started successfully [(a,p,s)=(2, 25920000, 1800)], now ready to scan.

-greg

Re: [Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Mij wrote:
> As SimCList is used for recording those, there is no such limit by  
> design.

Okay that is good to know. I check on another host we have elsewhere and 
it has 72 entries in the table so it is not seeing this limit.

> What evidence makes you think that (nothing logged, errors or else)?

As mentioned there are entries showing in Logwatch for multiple logins 
on valid user names that are not being prevented after 2 failed logins. 
For example today:

    ftp/password from 219.94.152.55: 7 Time(s)

Once I noticed this I logged in from a remote location with an invalid 
password and it does not initiate a block from my IP address. For example:

Mar 17 08:07:04 arnold sshd(pam_unix)[17502]: authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
Mar 17 08:07:07 arnold sshd[17502]: Failed password for gparrish from 
129.90.96.101 port 12156 ssh2
Mar 17 08:07:13 arnold last message repeated 2 times
Mar 17 08:07:13 arnold sshd[17505]: Connection closed by 129.90.96.101
Mar 17 08:07:13 arnold sshd(pam_unix)[17502]: 2 more authentication 
failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
user=gparrish
Mar 17 08:07:14 arnold sshd(pam_unix)[17506]: authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
Mar 17 08:07:17 arnold sshd[17506]: Failed password for gparrish from 
129.90.96.101 port 12186 ssh2
Mar 17 08:07:23 arnold last message repeated 2 times
Mar 17 08:07:23 arnold sshd[17509]: Connection closed by 129.90.96.101
Mar 17 08:07:23 arnold sshd(pam_unix)[17506]: 2 more authentication 
failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
user=gparrish


> Run sshguard in interactive mode (add -d) and paste attack lines  
> repeatedly, change address once one has been blocked, and please report what happens
> at the 17th time.

I botched it. I used the init script to take it down and it cleared the 
iptables DROP list in the sshguard chain. I do have the new logging 
where this same IP is now blocked:


Mar 17 08:11:25 arnold sshd(pam_unix)[17694]: authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
Mar 17 08:11:27 arnold sshd[17694]: Failed password for gparrish from 
129.90.96.101 port 12353 ssh2
Mar 17 08:11:33 arnold last message repeated 2 times
Mar 17 08:11:33 arnold sshd[17697]: Connection closed by 129.90.96.101
Mar 17 08:11:33 arnold sshd(pam_unix)[17694]: 2 more authentication 
failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101 
user=gparrish
Mar 17 08:11:35 arnold sshd(pam_unix)[17698]: authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=129.90.96.101  user=gparrish
Mar 17 08:11:38 arnold sshd[17698]: Failed password for gparrish from 
129.90.96.101 port 12362 ssh2
Mar 17 08:11:38 arnold sshguard[17605]: Blocking 129.90.96.101: 2 
failures over 10 seconds.


Once I get back to this point I will kill the process and initiate it 
with the -d option and report back.

Using Centos 4.2 on 2.6.9-22.0.1.ELsmp

-greg



> 
> 
> On Mar 10, 2009, at 14:01 , Greg Parrish wrote:
> 
>> Hi,
>>
>> I am using the following parameters for sshguard (v1.3). I know the -p
>> is huge and we dont mind blacklisting intruders for long periods. I
>> noticed today in logwatch and from further testing that once we reach
>> about 16 entries in the accumulated list for iptables that no further
>> entries are being accepted.
>>
>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/ 
>> sshguard.whitelist
>>
>> Please review and let me know if you need more information or logs.  
>> I am
>> wondering if there is a limit somewhere in the binary or if this is by
>> design.
>>
>> Thanks,
>> greg
>>

Re: [Sshguard-users] SSHGuard Limits

[Mij <mi...@bi...>]

As SimCList is used for recording those, there is no such limit by  
design.
What evidence makes you think that (nothing logged, errors or else)?

Run sshguard in interactive mode (add -d) and paste attack lines  
repeatedly,
change address once one has been blocked, and please report what happens
at the 17th time.


On Mar 10, 2009, at 14:01 , Greg Parrish wrote:

> Hi,
>
> I am using the following parameters for sshguard (v1.3). I know the -p
> is huge and we dont mind blacklisting intruders for long periods. I
> noticed today in logwatch and from further testing that once we reach
> about 16 entries in the accumulated list for iptables that no further
> entries are being accepted.
>
> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/ 
> sshguard.whitelist
>
> Please review and let me know if you need more information or logs.  
> I am
> wondering if there is a limit somewhere in the binary or if this is by
> design.
>
> Thanks,
> greg
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHGuard Limits

[Mij <mi...@bi...>]

As SimCList is used for recording those, there is no such limit by design.
What evidence makes you think that (nothing logged, errors or else)?

Run sshguard in interactive mode (add -d) and paste attack lines repeatedly,
change address once one has been blocked, and please report what happens
at the 17th time.


> Hi,
>
> I am using the following parameters for sshguard (v1.3). I know the -p
> is huge and we dont mind blacklisting intruders for long periods. I
> noticed today in logwatch and from further testing that once we reach
> about 16 entries in the accumulated list for iptables that no further
> entries are being accepted.
>
> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w
> /etc/sshguard.whitelist
>
> Please review and let me know if you need more information or logs. I am
> wondering if there is a limit somewhere in the binary or if this is by
> design.
>
> Thanks,
> greg
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

[Sshguard-users] sshguar has not stopped attack

[Leonid S. <Leo...@en...>]

sshguar has not stopped attack from IP, which were sent 1 ssh in 1 
second - to 2-10 seconds.
In my opinion attack needs to be stopped if from one IP more -a<> hits 
in -p<> seconds.

Mar 10 14:30:27 router sshd[28492]: Invalid user raimundo from 83.15.28.2
Mar 10 14:30:28 router sshd[28494]: Invalid user joan from 83.15.28.2
Mar 10 14:30:33 router sshd[28496]: Invalid user johan from 83.19.51.22
Mar 10 14:30:34 router sshd[28498]: Invalid user sebastian from 83.15.28.2
Mar 10 14:30:35 router sshd[28500]: Invalid user agata from 83.15.28.2
Mar 10 14:30:40 router sshd[28502]: Invalid user administrator from 
83.19.51.22
Mar 10 14:30:42 router sshd[28506]: Invalid user alexandre from 83.19.51.22
Mar 10 14:30:43 router sshd[28508]: Invalid user joseluis from 83.15.28.2
Mar 10 14:30:44 router sshd[28510]: Invalid user ppazmino from 83.15.28.2
Mar 10 14:30:46 router sshd[28512]: Invalid user utilidades from 83.19.51.22
Mar 10 14:30:47 router sshd[28514]: Invalid user utilidad from 83.15.28.2
Mar 10 14:30:48 router sshd[28516]: Invalid user amstelecom from 83.15.28.2
Mar 10 14:30:50 router sshd[28518]: Invalid user dedlogistica from 
83.15.28.2
Mar 10 14:30:51 router sshd[28520]: Invalid user dsantiago from 83.19.51.22
Mar 10 14:30:52 router sshd[28522]: Invalid user marcia from 83.15.28.2
Mar 10 14:30:54 router sshd[28524]: Invalid user consultoria from 83.15.28.2
Mar 10 14:30:55 router sshd[28526]: Invalid user primaveras from 83.15.28.2
Mar 10 14:30:56 router sshd[28528]: Invalid user salvatore from 83.19.51.22
Mar 10 14:30:58 router sshd[28530]: Invalid user comerciais from 83.15.28.2
Mar 10 14:30:59 router sshd[28532]: Invalid user cartas from 83.19.51.22
Mar 10 14:31:00 router sshd[28534]: Invalid user carta from 83.15.28.2
Mar 10 14:31:01 router sshd[28536]: Invalid user moralez from 83.15.28.2
Mar 10 14:31:10 router sshd[28538]: Invalid user nieves from 83.19.51.22
Mar 10 14:31:11 router sshd[28540]: Invalid user sol from 83.15.28.2
Mar 10 14:31:12 router sshd[28542]: Invalid user perla from 83.15.28.2
Mar 10 14:31:13 router sshd[28544]: Invalid user rocio from 83.19.51.22
Mar 10 14:31:15 router sshd[28546]: Invalid user simon from 83.19.51.22
Mar 10 14:31:16 router sshd[28548]: Invalid user sergio from 83.19.51.22
Mar 10 14:31:17 router sshd[28550]: Invalid user altagracia from 83.15.28.2
Mar 10 14:31:19 router sshd[28552]: Invalid user piedad from 83.19.51.22
........

Now I try svn rev. 85 with:
router:~/sshguard_svn_090310/sshguard/src# ./sshguard -d -a 2 -b 
1:/var/cache/sshguard/blacklist

-- 
Leonid Shulov <Leo...@en...>
Entropic Communications Israel

[Sshguard-users] SSHGuard Limits

[Greg P. <gre...@hc...>]

Hi,

I am using the following parameters for sshguard (v1.3). I know the -p 
is huge and we dont mind blacklisting intruders for long periods. I 
noticed today in logwatch and from further testing that once we reach 
about 16 entries in the accumulated list for iptables that no further 
entries are being accepted.

/usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 -w /etc/sshguard.whitelist

Please review and let me know if you need more information or logs. I am 
wondering if there is a limit somewhere in the binary or if this is by 
design.

Thanks,
greg

Re: [Sshguard-users] sshguard crash

[Mij <mi...@bi...>]

Hi Leonid,

Thanks for your feedback on the blacklisting feature. I want to get it  
quickly out of the
experimental status as many people manifested primary interest in it.
Yet I cannot reproduce this crash. Please
1) fetch the version currently in svn
2) please compile without installing (installing strips debug symbols)
3) run the binary by hand from the src directory (mind the "-d"):

$ cd src
$ ./sshguard -d -a 2 -b 1:/var/cache/sshguard/blacklist

4) paste the messages you report causing crash, observe if it crashes

5) send your next messages in plain text

if it still crashes, you'd need to run sshguard under gdb:

$ gdb ./sshguard
run -d -a 2 -b 1:/var/cache/sshguard/blacklist

paste your stuff and when it crashes issue "backtrace", and send in the
output of that.


On Mar 9, 2009, at 8:22 , Leonid Shulov wrote:

> Hi,
>
> After below attack sshguard creshed:
> Mar  8 21:01:54 router sshd[23464]: Did not receive identification  
> string from 81.21.15.199
> Mar  8 21:01:55 router sshguard[23158]: Matched address  
> 81.21.15.199:4 attacking service 100
> Mar  8 21:08:13 router sshd[23466]: reverse mapping checking  
> getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed  
> - POSSIBLE BREAK-IN ATTEMPT!
> Mar  8 21:08:13 router sshd[23466]: Invalid user staff from  
> 81.21.15.199
> Mar  8 21:08:14 router sshguard[23158]: Matched address  
> 81.21.15.199:4 attacking service 100
> Mar  8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for  
> >420secs: 2 failures over 379 seconds.
> Mar  8 21:08:14 router sshguard[23158]: Setting environment:  
> SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Mar  8 21:08:14 router sshguard[23158]: Run command "case  
> $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR - 
> j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j  
> DROP ;; *) exit -2 ;; esac": exited 0.
> Mar  8 21:08:14 router sshguard[23158]: First sight of offender  
> '81.21.15.199:4', adding to offenders list.
> Mar  8 21:08:14 router sshguard[23158]: Matched address  
> 81.21.15.199:4 attacking service 100
> Mar  8 21:08:15 router sshd[23468]: reverse mapping checking  
> getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed  
> - POSSIBLE BREAK-IN ATTEMPT!
> Mar  8 21:08:15 router sshd[23468]: Invalid user sales from  
> 81.21.15.199
> Mar  8 21:08:15 router sshguard[23158]: Matched address  
> 81.21.15.199:4 attacking service 100
> Mar  8 21:08:15 router sshguard[23158]: Looking for address  
> '81.21.15.199:4'...
> Mar  8 21:08:15 router sshguard[23158]: Not found.
> Mar  8 21:08:15 router sshguard[23158]: Blacklisting address  
> '81.21.15.199:4' after 1 abuses.
>
>
> Memory dump:
> router: # *** glibc detected *** /usr/local/sbin/sshguard: free():  
> invalid pointer: 0x0000000000615500 ***
> [snip]
>
> sshguard starts a command:
> /usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard  
> -a 2 -b 1:/var/cache/sshguard/blacklist &
>
>
> I use a copy sshguard from svn http://sshguard.sourceforge.net/svn.html 
> .
>
> sshguard is compiled on Debian lenny with libc6 version 2.7.
>
>
> Thanks,
>  --
> Leonid Shulov <Leo...@en...>
> Entropic Communications Israel

Re: [Sshguard-users] Fwd: sshguard using 100% CPU

[Sebastian H. <seb...@gm...>]

Hi,

seems to work quite well - thanks.

br,
Sebastian

Am Samstag 07 März 2009 18:04:32 schrieb Mij:
> Hi Sebastian
>
> thanks for reporting. Can you give a try to the version currently in
> the SVN?
>
> On Mar 2, 2009, at 16:24 , Sebastian Held wrote:
> > further investigation shows a problem in blacklist_load():
> >
> > # cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/
> > sbin/sshguard
> > ==9364== Memcheck, a memory error detector.
> > ==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et
> > al.
> > ==9364== Using LibVEX rev 1732, a library for dynamic binary
> > translation.
> > ==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
> > ==9364== Using valgrind-3.2.3, a dynamic binary instrumentation
> > framework.
> > ==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et
> > al.
> > ==9364== For more details, rerun with: -v
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> > ==9364==    by 0x804D6D5: blacklist_lookup_address
> > (sshguard_blacklist.c:199)
> > ==9364==    by 0x804BAD9: report_address (sshguard.c:368)
> > ==9364==    by 0x804C415: main (sshguard.c:240)
> > ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> > ==9364==    by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
> > ==9364==    by 0x804BC28: report_address (sshguard.c:372)
> > ==9364==    by 0x804C415: main (sshguard.c:240)
> > ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364==    by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
> > ==9364==    by 0x804BC28: report_address (sshguard.c:372)
> > ==9364==    by 0x804C415: main (sshguard.c:240)
> > ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> >
> > But currently sshguard is not yet running at 100%... It's idle as it
> > should.
> >
> >
> >
> >
> > ----------  Weitergeleitete Nachricht  ----------
> >
> > Betreff: sshguard using 100% CPU
> > Datum: Montag 02 März 2009
> > Von: Sebastian Held <seb...@gm...>
> > An: ssh...@li...
> >
> > Hello,
> >
> > sshguard (svn rev. 74 + mod, but same issue is found in pristine rev
> > 74) is started like this:
> > cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w
> > 192.168.90.86 -w 192.168.90.52 >&/dev/null &
> >
> > After a short time (around an hour) CPU utilization increases to 100%.
> > A core dump is attached. There was only one sshguard process running.
> >
> > Stacktrace:
> > # gdb /usr/local/sbin/sshguard core.23814
> > GNU gdb 6.6.50.20070726-cvs
> > Copyright (C) 2007 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and
> > you are
> > welcome to change it and/or distribute copies of it under certain
> > conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB.  Type "show warranty" for
> > details.
> > This GDB was configured as "i586-suse-linux"...
> > Using host libthread_db library "/lib/libthread_db.so.1".
> > Core was generated by `/usr/local/sbin/sshguard'.
> > #0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> > 431             for (pos = 0; pos < list_size(& hell); ) {
> > (gdb) bt full
> > #0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> >        now = 1235994775
> >        tmpel = (attacker_t *) 0x8060128
> >        ret = 0
> >        pos = 0
> > #1  0xb7fc9192 in ?? ()
> > No symbol table info available.
> > #2  0x00000000 in ?? ()
> > No symbol table info available.
> > (gdb) p *tmpel
> > $2 = {attack = {address = {value =
> > "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4},
> > service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
> >  pardontime = 0, numhits = 4}
> > (gdb)
> >
> >
> >
> > br,
> > Sebastian
> >
> > -------------------------------------------------------
> >
> > -------------------------------------------------------------------------
> >----- Open Source Business Conference (OSBC), March 24-25, 2009, San
> > Francisco, CA
> > -OSBC tackles the biggest issue in open source: Open Sourcing the
> > Enterprise
> > -Strategies to boost innovation and cut costs with open source
> > participation
> > -Receive a $600 discount off the registration fee with the source
> > code: SFAD
> > http://p.sf.net/sfu/XcvMzF8H
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
> ---------------------------------------------------------------------------
>--- Open Source Business Conference (OSBC), March 24-25, 2009, San
> Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing
> the Enterprise -Strategies to boost innovation and cut costs with open
> source participation -Receive a $600 discount off the registration fee with
> the source code: SFAD http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] sshguard crash

[Leonid S. <Leo...@en...>]

Hi,

*After below attack sshguard creshed: *
Mar  8 21:01:54 router sshd[23464]: Did not receive identification 
string from 81.21.15.199
Mar  8 21:01:55 router sshguard[23158]: Matched address 81.21.15.199:4 
attacking service 100
Mar  8 21:08:13 router sshd[23466]: reverse mapping checking getaddrinfo 
for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE 
BREAK-IN ATTEMPT!
Mar  8 21:08:13 router sshd[23466]: Invalid user staff from 81.21.15.199
Mar  8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 
attacking service 100
Mar  8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for 
 >420secs: 2 failures over 379 seconds.
Mar  8 21:08:14 router sshguard[23158]: Setting environment: 
SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Mar  8 21:08:14 router sshguard[23158]: Run command "case $SSHG_ADDRKIND 
in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec 
/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; 
esac": exited 0.
Mar  8 21:08:14 router sshguard[23158]: First sight of offender 
'81.21.15.199:4', adding to offenders list.
Mar  8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 
attacking service 100
Mar  8 21:08:15 router sshd[23468]: reverse mapping checking getaddrinfo 
for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE 
BREAK-IN ATTEMPT!
Mar  8 21:08:15 router sshd[23468]: Invalid user sales from 81.21.15.199
Mar  8 21:08:15 router sshguard[23158]: Matched address 81.21.15.199:4 
attacking service 100
Mar  8 21:08:15 router sshguard[23158]: Looking for address 
'81.21.15.199:4'...
Mar  8 21:08:15 router sshguard[23158]: Not found.
Mar  8 21:08:15 router sshguard[23158]: Blacklisting address 
'81.21.15.199:4' after 1 abuses.

*
Memory dump:
*router: # *** glibc detected *** /usr/local/sbin/sshguard: free(): 
invalid pointer: 0x0000000000615500 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5573990948]
/lib/libc.so.6(cfree+0x76)[0x7f5573992a56]
/usr/local/sbin/sshguard[0x4076d6]
/usr/local/sbin/sshguard[0x4079b7]
/usr/local/sbin/sshguard[0x405eb0]
/usr/local/sbin/sshguard[0x404586]
/usr/local/sbin/sshguard[0x404c74]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f557393b1a6]
/usr/local/sbin/sshguard[0x401ba9]
======= Memory map: ========
00400000-00415000 r-xp 00000000 fe:03 3153923                            
/usr/local/sbin/sshguard
00615000-00616000 rw-p 00015000 fe:03 3153923                            
/usr/local/sbin/sshguard
00616000-00618000 rw-p 00616000 00:00 0
0109c000-010c5000 rw-p 0109c000 00:00 0                                  
[heap]
40a84000-40a85000 ---p 40a84000 00:00 0
40a85000-41285000 rw-p 40a85000 00:00 0
7f556c000000-7f556c021000 rw-p 7f556c000000 00:00 0
7f556c021000-7f5570000000 ---p 7f556c021000 00:00 0
7f5573706000-7f557371c000 r-xp 00000000 08:02 7888                       
/lib/libgcc_s.so.1
7f557371c000-7f557391c000 ---p 00016000 08:02 7888                       
/lib/libgcc_s.so.1
7f557391c000-7f557391d000 rw-p 00016000 08:02 7888                       
/lib/libgcc_s.so.1
7f557391d000-7f5573a67000 r-xp 00000000 08:02 8125                       
/lib/libc-2.7.so
7f5573a67000-7f5573c66000 ---p 0014a000 08:02 8125                       
/lib/libc-2.7.so
7f5573c66000-7f5573c69000 r--p 00149000 08:02 8125                       
/lib/libc-2.7.so
7f5573c69000-7f5573c6b000 rw-p 0014c000 08:02 8125                       
/lib/libc-2.7.so
7f5573c6b000-7f5573c70000 rw-p 7f5573c6b000 00:00 0
7f5573c70000-7f5573c86000 r-xp 00000000 08:02 8092                       
/lib/libpthread-2.7.so
7f5573c86000-7f5573e86000 ---p 00016000 08:02 8092                       
/lib/libpthread-2.7.so
7f5573e86000-7f5573e88000 rw-p 00016000 08:02 8092                       
/lib/libpthread-2.7.so
7f5573e88000-7f5573e8c000 rw-p 7f5573e88000 00:00 0
7f5573e8c000-7f5573ea8000 r-xp 00000000 08:02 8128                       
/lib/ld-2.7.so
7f5574096000-7f5574098000 rw-p 7f5574096000 00:00 0
7f55740a3000-7f55740a7000 rw-p 7f55740a3000 00:00 0
7f55740a7000-7f55740a9000 rw-p 0001b000 08:02 8128                       
/lib/ld-2.7.so
7fff7c093000-7fff7c0a8000 rw-p 7ffffffea000 00:00 0                      
[stack]
7fff7c1fe000-7fff7c1ff000 r-xp 7fff7c1fe000 00:00 0                      
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  
[vsyscall]
*
*
*sshguard starts a command:
*/usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard -a 
2 -b 1:/var/cache/sshguard/blacklist &


I use a copy sshguard from svn http://sshguard.sourceforge.net/svn.html.

sshguard is compiled on Debian lenny with libc6 version 2.7.


Thanks,

-- 
Leonid Shulov <Leo...@en...>
Entropic Communications Israel

Re: [Sshguard-users] Fwd: sshguard using 100% CPU

[Mij <mi...@bi...>]

Hi Sebastian

thanks for reporting. Can you give a try to the version currently in  
the SVN?



On Mar 2, 2009, at 16:24 , Sebastian Held wrote:

> further investigation shows a problem in blacklist_load():
>
> # cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/ 
> sbin/sshguard
> ==9364== Memcheck, a memory error detector.
> ==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et  
> al.
> ==9364== Using LibVEX rev 1732, a library for dynamic binary  
> translation.
> ==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
> ==9364== Using valgrind-3.2.3, a dynamic binary instrumentation  
> framework.
> ==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et  
> al.
> ==9364== For more details, rerun with: -v
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> ==9364==    by 0x804D6D5: blacklist_lookup_address  
> (sshguard_blacklist.c:199)
> ==9364==    by 0x804BAD9: report_address (sshguard.c:368)
> ==9364==    by 0x804C415: main (sshguard.c:240)
> ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> ==9364==    by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
> ==9364==    by 0x804BC28: report_address (sshguard.c:372)
> ==9364==    by 0x804C415: main (sshguard.c:240)
> ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364==    by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
> ==9364==    by 0x804BC28: report_address (sshguard.c:372)
> ==9364==    by 0x804C415: main (sshguard.c:240)
> ==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> But currently sshguard is not yet running at 100%... It's idle as it  
> should.
>
>
>
>
> ----------  Weitergeleitete Nachricht  ----------
>
> Betreff: sshguard using 100% CPU
> Datum: Montag 02 März 2009
> Von: Sebastian Held <seb...@gm...>
> An: ssh...@li...
>
> Hello,
>
> sshguard (svn rev. 74 + mod, but same issue is found in pristine rev  
> 74) is started like this:
> cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w  
> 192.168.90.86 -w 192.168.90.52 >&/dev/null &
>
> After a short time (around an hour) CPU utilization increases to 100%.
> A core dump is attached. There was only one sshguard process running.
>
> Stacktrace:
> # gdb /usr/local/sbin/sshguard core.23814
> GNU gdb 6.6.50.20070726-cvs
> Copyright (C) 2007 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and  
> you are
> welcome to change it and/or distribute copies of it under certain  
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for  
> details.
> This GDB was configured as "i586-suse-linux"...
> Using host libthread_db library "/lib/libthread_db.so.1".
> Core was generated by `/usr/local/sbin/sshguard'.
> #0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> 431             for (pos = 0; pos < list_size(& hell); ) {
> (gdb) bt full
> #0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
>        now = 1235994775
>        tmpel = (attacker_t *) 0x8060128
>        ret = 0
>        pos = 0
> #1  0xb7fc9192 in ?? ()
> No symbol table info available.
> #2  0x00000000 in ?? ()
> No symbol table info available.
> (gdb) p *tmpel
> $2 = {attack = {address = {value =  
> "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4},  
> service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
>  pardontime = 0, numhits = 4}
> (gdb)
>
>
>
> br,
> Sebastian
>
> -------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San  
> Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the  
> Enterprise
> -Strategies to boost innovation and cut costs with open source  
> participation
> -Receive a $600 discount off the registration fee with the source  
> code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] Fwd: sshguard using 100% CPU

[Sebastian H. <seb...@gm...>]

further investigation shows a problem in blacklist_load():

# cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/sbin/sshguard
==9364== Memcheck, a memory error detector.
==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9364== Using LibVEX rev 1732, a library for dynamic binary translation.
==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9364== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9364== For more details, rerun with: -v
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
==9364==    by 0x804D6D5: blacklist_lookup_address (sshguard_blacklist.c:199)
==9364==    by 0x804BAD9: report_address (sshguard.c:368)
==9364==    by 0x804C415: main (sshguard.c:240)
==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364==    by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
==9364==    by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
==9364==    by 0x804BC28: report_address (sshguard.c:372)
==9364==    by 0x804C415: main (sshguard.c:240)
==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364==    at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364==    by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
==9364==    by 0x804BC28: report_address (sshguard.c:372)
==9364==    by 0x804C415: main (sshguard.c:240)
==9364==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

But currently sshguard is not yet running at 100%... It's idle as it should.




----------  Weitergeleitete Nachricht  ----------

Betreff: sshguard using 100% CPU
Datum: Montag 02 März 2009
Von: Sebastian Held <seb...@gm...>
An: ssh...@li...

Hello,

sshguard (svn rev. 74 + mod, but same issue is found in pristine rev 74) is started like this:
cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w 192.168.90.86 -w 192.168.90.52 >&/dev/null &

After a short time (around an hour) CPU utilization increases to 100%.
A core dump is attached. There was only one sshguard process running.

Stacktrace:
# gdb /usr/local/sbin/sshguard core.23814
GNU gdb 6.6.50.20070726-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...
Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `/usr/local/sbin/sshguard'.
#0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
431             for (pos = 0; pos < list_size(& hell); ) {
(gdb) bt full
#0  0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
        now = 1235994775
        tmpel = (attacker_t *) 0x8060128
        ret = 0
        pos = 0
#1  0xb7fc9192 in ?? ()
No symbol table info available.
#2  0x00000000 in ?? ()
No symbol table info available.
(gdb) p *tmpel
$2 = {attack = {address = {value = "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4}, service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
  pardontime = 0, numhits = 4}
(gdb)



br,
Sebastian

-------------------------------------------------------

Re: [Sshguard-users] RPMS for RHEL4/5

[Mij <mi...@bi...>]

Thanks for reporting. I removed the repos because the author didn't  
maintain it any longer.
I will update the links.

Btw, if there is anybody interested in taking over, of course the RPM  
package is a significant plus.


On Feb 18, 2009, at 18:15 , Phusion wrote:

> I checked http://sshguard.sourceforge.net/packages/, but the RPM's
> weren't in there. Is there another place to find the RPMS for
> sshguard? Let me know.
>
> Phusion
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San  
> Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the  
> Enterprise
> -Strategies to boost innovation and cut costs with open source  
> participation
> -Receive a $600 discount off the registration fee with the source  
> code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users