From: Phusion <phu...@gm...> - 2009-02-18 17:15:53

I checked http://sshguard.sourceforge.net/packages/, but the RPMs weren't in there. Is there another place to find the RPMs for sshguard? Let me know.

Phusion
From: Mij <mi...@bi...> - 2009-02-17 15:22:57

I think I understood what you mean with some interpolation with the log you included. From there, it seems to be a bug. I gotta see if I can reproduce it: under linux on @x86 (that's what you have?) I didn't run into this problem. If you can send the blacklist file to my address (don't pollute the list with that) I'll have a look in the next days.

On Feb 15, 2009, at 2:11 PM, Leonid Shulov wrote:

> Hi,
>
> If my router is attacked with an ssh user list, I see some lines in the sshguard chain, and I am forced to delete superfluous lines every day.
> Is it a bug, or should it be so?
>
> Why doesn't sshguard find '78.135.0.30' in the sshguard chain:
> Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.
>
> iptables -L:
> ....
> Chain sshguard (1 references)
> target prot opt source destination
> DROP all -- 221.130.187.174 anywhere
> DROP all -- 63.138.202.103 anywhere
> DROP all -- 78-135-0-30.extend anywhere
> DROP all -- 78-135-0-30.extend anywhere
> DROP all -- 78-135-0-30.extend anywhere
> DROP all -- 78-135-0-30.extend anywhere
> ....
>
> iptables -L -n:
> ....
> Chain sshguard (1 references)
> target prot opt source destination
> DROP all -- 221.130.187.174 0.0.0.0/0
> DROP all -- 63.138.202.103 0.0.0.0/0
> DROP all -- 78.135.0.30 0.0.0.0/0
> DROP all -- 78.135.0.30 0.0.0.0/0
> DROP all -- 78.135.0.30 0.0.0.0/0
> DROP all -- 78.135.0.30 0.0.0.0/0
> ....
>
> /var/log/auth.log:
> Feb 13 06:29:19 asroute1 sshd[19796]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:19 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:20 asroute1 sshd[19798]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:21 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:22 asroute1 sshd[19800]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:22 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:25 asroute1 sshd[19802]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:25 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:25 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >420secs: 4 failures over 6 seconds.
> Feb 13 06:29:26 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:26 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:26 asroute1 sshguard[12567]: First sight of offender '78.135.0.30:4', adding to offenders list.
> Feb 13 06:29:27 asroute1 sshd[19805]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:27 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:29 asroute1 sshd[19807]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:29 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:31 asroute1 sshd[19809]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:31 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:34 asroute1 sshd[19811]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:34 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:35 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >840secs: 4 failures over 7 seconds.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 2 times.
> Feb 13 06:29:36 asroute1 sshd[19813]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:36 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:38 asroute1 sshd[19816]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:38 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:40 asroute1 sshd[19818]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:40 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:42 asroute1 sshd[19820]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:43 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:43 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >1680secs: 4 failures over 7 seconds.
> Feb 13 06:29:43 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 3 times (threshold 3) -> blacklisted.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
> Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
> Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:51 asroute1 sshguard[12567]: Not found.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
>
> --
> Leonid Shulov <Leo...@en...>
> Entropic Communications Israel
From: Leonid S. <Leo...@en...> - 2009-02-15 13:40:47

Hi,

If my router is attacked with an ssh user list, I see some lines in the sshguard chain, and I am forced to delete superfluous lines every day. Is it a bug, or should it be so?

Why doesn't sshguard find '78.135.0.30' in the sshguard chain:

Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.

iptables -L:
....
Chain sshguard (1 references)
target prot opt source destination
DROP all -- 221.130.187.174 anywhere
DROP all -- 63.138.202.103 anywhere
DROP all -- 78-135-0-30.extend anywhere
DROP all -- 78-135-0-30.extend anywhere
DROP all -- 78-135-0-30.extend anywhere
DROP all -- 78-135-0-30.extend anywhere
....

iptables -L -n:
....
Chain sshguard (1 references)
target prot opt source destination
DROP all -- 221.130.187.174 0.0.0.0/0
DROP all -- 63.138.202.103 0.0.0.0/0
DROP all -- 78.135.0.30 0.0.0.0/0
DROP all -- 78.135.0.30 0.0.0.0/0
DROP all -- 78.135.0.30 0.0.0.0/0
DROP all -- 78.135.0.30 0.0.0.0/0
....

/var/log/auth.log:
Feb 13 06:29:19 asroute1 sshd[19796]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:19 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:20 asroute1 sshd[19798]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:21 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:22 asroute1 sshd[19800]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:22 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshd[19802]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:25 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >420secs: 4 failures over 6 seconds.
Feb 13 06:29:26 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:26 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:26 asroute1 sshguard[12567]: First sight of offender '78.135.0.30:4', adding to offenders list.
Feb 13 06:29:27 asroute1 sshd[19805]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:27 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:29 asroute1 sshd[19807]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:29 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:31 asroute1 sshd[19809]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:31 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:34 asroute1 sshd[19811]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:34 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:35 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >840secs: 4 failures over 7 seconds.
Feb 13 06:29:35 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:35 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:35 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 2 times.
Feb 13 06:29:36 asroute1 sshd[19813]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:36 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:38 asroute1 sshd[19816]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:38 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:40 asroute1 sshd[19818]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:40 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:42 asroute1 sshd[19820]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:43 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:43 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >1680secs: 4 failures over 7 seconds.
Feb 13 06:29:43 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:44 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:44 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 3 times (threshold 3) -> blacklisted.
Feb 13 06:29:44 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:44 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
Feb 13 06:29:51 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:44 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
Feb 13 06:29:51 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:51 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:51 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.

--
Leonid Shulov <Leo...@en...>
Entropic Communications Israel
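The listing above shows one source dropped by four separate rules, because every "Blocking" round re-runs the same `iptables -A` command. As an added example (not sshguard's own code), this Python parses `iptables -L -n` output to report such duplicates and models a block step that only appends a rule when none exists; the listing is constructed from the one in the thread, and `iptables -C` is an option that was added to iptables after the date of this thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the `iptables -L -n` listing in the thread.
SAMPLE_LISTING = """\
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      0.0.0.0/0
DROP       all  --  63.138.202.103       0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
"""

# target, prot, opt, source, destination: the five columns of `iptables -L -n`.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_drops(listing):
    """Source addresses of the DROP rules in a chain listing, in rule order."""
    drops = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) == "DROP":
            drops.append(m.group(4))
    return drops


def duplicate_drops(listing):
    """Sources that are dropped by more than one rule, with their rule count."""
    counts = Counter(parse_drops(listing))
    return {src: n for src, n in counts.items() if n > 1}


def idempotent_block_command(addr, addrkind):
    """Shell equivalent of the block command in the thread's log that first checks
    whether the rule exists (`iptables -C`) and appends only if it does not."""
    tool = {4: "/sbin/iptables", 6: "/sbin/ip6tables"}.get(addrkind)
    if tool is None:
        return None
    rule = f"sshguard -s {addr} -j DROP"
    return f"{tool} -C {rule} 2>/dev/null || {tool} -A {rule}"


class DropChain:
    """In-memory stand-in for the sshguard chain, to contrast the two behaviours."""

    def __init__(self, sources=()):
        self.rules = list(sources)

    def block(self, addr):
        """Unconditional append, which is what the command in the log does."""
        self.rules.append(addr)

    def block_once(self, addr):
        """Append only if no rule for addr exists yet; True if a rule was added."""
        if addr in self.rules:
            return False
        self.rules.append(addr)
        return True

    def release(self, addr):
        """Remove every rule for addr; returns how many were removed. Once duplicates
        exist, a release that deletes a single rule leaves the source still blocked."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r != addr]
        return before - len(self.rules)
```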
From: Mij <mi...@bi...> - 2009-02-06 11:17:38

On Feb 5, 2009, at 9:11 PM, Hans F. Nordhaug wrote:

> * Forrest Aldrich <fo...@fo...> [2009-02-05]:
>> I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in.
>>
>> To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it).
>
> Well, I don't think you have to do it that strict. I would say that if an IP is getting many 404 entries (maybe with the added condition of empty referrer) in very short time, it's likely to be a scanning attack. SSHGuard by default doesn't block for very long so if it was a legitimate user hitting refresh like crazy, it wouldn't harm that much.

I'm not quite convinced for 2 reasons:

1) such rules appear quite "loose". I'm not sure this fits with the conservative policy used so far to avoid false positives at the cost of complexity. For example, crawlers issue a "GET /robots.txt" which often results in a 404 and lacks a referer. On webservers with plenty of vhosts a bunch of such requests within few minutes may result in an undesired blocking. A solution can be to add to such conditions sensitivity to the target filetype, and block only those involving dynamic scripts like .php, .pl etc.

2) Sshguard currently assumes that all attacks have the same "density", that is, 4 attacks to ssh are "as dangerous" as 4 to proftpd or anything else. This case breaks this assumption, as you would require many more "404"s than login failures before determining an abuse. A solution is either to define the conditions above "tight enough" to raise the density of each attack, or to wait for me to eventually implement the system based on scoring and threshold.

> I'm using mod_security, but I would like to use SSHGuard to
> 1) get the burden of Apache and
> 2) block the IP at the network level since it probably will do other unfriendly things
>
>> I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.
>
> I happen to be a programmer, but I hate reinventing the wheel so I'll wait some more time before I give it a try myself.

The yacc parser itself (src/sshguard_parser.y) is quite easy to manipulate. It contains many examples that can be used for inspiration for adding new ones. Otherwise, users can use this http://sshguard.sourceforge.net/newattackpatt.php

michele

>
> Hans
>
>> Hans F. Nordhaug wrote:
>>> The last months the bots looking for vulnerable web apps on my servers have increased in number and intensity. I guess you all have entries like these in your log files:
>>>
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>>>
>>> I wonder if someone has already tried to use SSHguard to block this annoying traffic (in addition to brute force SSH attacks)? Or could someone give me a hint about how to get started on setting this up (without breaking the existing SSH blocking)?
>>>
>>> Regards,
>>> Hans
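The two objections in the message above (loose conditions, and 404s being a much less dense signal than login failures) translate into a concrete rule. As an added example, not code from sshguard or from anyone in the thread, this Python applies the tightened conditions to constructed Apache log lines modelled on the ones Hans posted: a 404 with an empty referrer against a dynamic script, never /robots.txt, counted per source in a sliding window with a threshold higher than sshguard's four login failures. The set of "dynamic script" extensions and the window/threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Which targets count as "dynamic scripts" is an assumption for this example.
DYNAMIC_EXT = (".php", ".pl", ".cgi")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_scan_probe(rec):
    """The tightened conditions from the thread: a 404, no referrer, a dynamic-script
    target, and never /robots.txt (crawlers fetch it legitimately and it often 404s)."""
    if rec["status"] != 404 or rec["referer"] != "-":
        return False
    path = rec["path"].split("?", 1)[0].lower()
    if path.endswith("/robots.txt"):
        return False
    return path.endswith(DYNAMIC_EXT)


class ScanDetector:
    """Per-source sliding window. The threshold sits well above sshguard's four login
    failures because a 404 is a far less dense signal (the thread's second objection)."""

    def __init__(self, threshold=10, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)
        self.flagged = {}  # ip -> time it crossed the threshold

    def feed(self, line):
        """Feed one log line; return the source IP if it just crossed the threshold."""
        rec = parse_line(line)
        if rec is None or not is_scan_probe(rec):
            return None
        q = self.hits[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and rec["ip"] not in self.flagged:
            self.flagged[rec["ip"]] = rec["ts"]
            return rec["ip"]
        return None


def scan_sources(lines, **kwargs):
    """Sources that would be handed to the firewall after replaying `lines`."""
    det = ScanDetector(**kwargs)
    for line in lines:
        det.feed(line)
    return sorted(det.flagged)


def _line(ip, second, path, referer="-"):
    # Constructed helper: one 404 line in the thread's format, at 10:33:<second>.
    return (f'{ip} - - [02/Feb/2009:10:33:{second:02d} +0100] "GET {path} HTTP/1.0" '
            f'404 357 "{referer}" "-"')


# Constructed sample: twelve of the phpMyAdmin probes from the thread, plus a crawler
# that 404s on /robots.txt twelve times and a user reloading a missing static page.
PROBE_PATHS = ["/phpmyadmin/main.php", "/phpMyAdmin/main.php", "/PMA/main.php",
               "/admin/main.php", "/dbadmin/main.php", "/mysql/main.php",
               "/myadmin/main.php", "/phpmyadmin2/main.php", "/phpMyAdmin2/main.php",
               "/phpMyAdmin-2/main.php", "/php-my-admin/main.php", "/phpMyAdmin-2.2.3/main.php"]
SAMPLE_LINES = [_line("74.63.252.86", 12 + i // 3, p) for i, p in enumerate(PROBE_PATHS)]
SAMPLE_LINES += [_line("10.0.0.5", 13, "/robots.txt")] * 12
SAMPLE_LINES += [_line("10.0.0.9", 14, "/old/page.html", referer="http://example.invalid/")] * 12
```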
From: Mij <mi...@bi...> - 2009-02-06 11:16:15

I'll have a look and commit, thanks. The ipfilter backend has a narrow user base, please report again in future if you find some lack of functionality.

On Feb 5, 2009, at 6:53 AM, alia rapirap wrote:

> Hi,
>
> Thanks again for replying. ~_~
>
> I used the SVN version and I'm so happy to inform you that it worked! I just edited a file to make the proftpd monitoring work. Here are the things I did to make it work:
>
> - I edited the src/fwalls/command_ipfilter.h (since I'm using ipfilter).
> - I added another case statement or option for proftpd. Both for COMMAND_BLOCK and COMMAND_RELEASE
>
> #define COMMAND_BLOCK "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; case $SSHG_SERVICE in 100) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; 310) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' <" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; *) exit 0 ;; esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> #define COMMAND_RELEASE "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; case $SSHG_SERVICE in 100) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; 310) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> NOTE: I think there is an easier way to add the proftpd service using the scripts/sshguard_backendgen.sh script. Haven't tested that but I did try to run that script before.
>
> - Save the changes I've made in the command_ipfilter.h file
> - Reconfigure sshguard
> - Make and make install clean
> - Rehash (since I'm using FreeBSD)
> - Then run sshguard manually using the tail -f ...| sshguard command
> - Tried making a failed ssh login and failed proftpd login. Sshguard is now blocking both services when maximum failed attempts is reached.
>
> Thanks for your help Mij! Thanks for replying to my messages. I'll just post again if I have a problem. But I think everything is good now. Thank you very much! ~_~
>
> Regards,
> Alia
>
> > Date: Tue, 3 Feb 2009 20:35:32 +0100
> > From: Mij <mi...@bi...>
> > Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> > To: ssh...@li...
> > Message-ID: <A60...@bi...>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Please try with the SVN version, see
> >
> > http://sshguard.sourceforge.net/svn.html
> >
> >
> > On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
> >
> > Hi,
> >
> > Thank you very much for replying. ~_~
> >
> > I did what you suggested me to do but I had problems while reconfiguring sshguard. Here's the error:
> >
> > Making all in src
> > make all-recursive
> > Making all in fwalls
> > gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> > mv -f .deps/command.Tpo .deps/command.Po
> > rm -f libfwall.a
> > ar cru libfwall.a command.o
> > ranlib libfwall.a
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> > mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> > /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
> > In file included from attack_scanner.c:2279:
> > /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> > attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3.
> >
> > I think it has something to do with the data type that is being passed? Not sure though. Still trying to make it work.
> >
> > > Alia,
> > >
> > > please try this:
> > > 1) cd sshguard/src/ and edit attack_scanner.c
> > > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to {HOSTADDR}" ("[^\[]+"["
> > > 3) run
> > > flex attack_scanner.l
> > > bison -vd attack_parser.y
> > >
> > > then recompile and use "sshguard -d" as you did for reporting. Please report again if that does not fix.
> > >
> > >
> > > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> > >
> > > Hello to everyone!
> > >
> > > Just started using sshguard. I've managed to configure it to monitor SSH brute force attack. My problem now is to monitor the FTP brute force attack. I'm using sshguard with ipfilter. I'm using proftpd for FTP.
> > >
> > > I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log command to monitor if failed ftp logins are being logged.
> > >
> > > I've used the debug command to check where the problem is and I found these lines:
> > >
> > > Run command "grep -qE '^##sshguard-begin##
> > > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > >
> > > I think the problem lies in the accepting rule at line 147. It just reads a blank character or line or a space. I've checked my auth.log file and found these lines:
> > >
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
> > >
> > > I've checked the attack_scanner.l file. I saw these lines:
> > >
> > > /* ProFTPd */
> > > ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> > > <proftpd_loginerr>"]) -".*" no such user found ".+ { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> > >
> > > I'm guessing it's reading the second line instead of the first line (in the auth.log file).
Cause if it's reading the first line, it > > > should be able to monitor the failed ftp logins or attempts right? > > > > > > Can someone help me about my problem on how I could fix this > issue? > > > I'm starting to like sshguard and this is what I really need > because > > > it has support for ipfilter. > > > > > > Thanks in advance! > > > > > > Regards, > > > alia |
From: Hans F. N. <Han...@hi...> - 2009-02-05 20:11:33
|
* Forrest Aldrich <fo...@fo...> [2009-02-05]:
> I have the same problem -- my method of blocking is visually doing "tail
> -F access.log" and putting filters in.
>
> To use SSHGuard for this, you'd have to implement pattern searches for
> the specific attacks... might be okay for a few, annoying for more than
> that. I think something like mod_security may help in this case
> (though I've never used it).

Well, I don't think you have to do it that strict. I would say that if an IP is getting many 404 entries (maybe with the added condition of empty referrer) in a very short time, it's likely to be a scanning attack. SSHGuard by default doesn't block for very long, so if it was a legitimate user hitting refresh like crazy, it wouldn't harm that much.

I'm using mod_security, but I would like to use SSHGuard to 1) get the burden off Apache and 2) block the IP at the network level since it probably will do other unfriendly things.

> I tried to figure out how the lex stuff works for implementing my own
> patterns, but alas I'm not a programmer -- if someone can explain it,
> I'd love to do a few things with it.

I happen to be a programmer, but I hate reinventing the wheel so I'll wait some more time before I give it a try myself.

Hans

> Hans F. Nordhaug wrote:
> > The last months the bots looking for vulnerable web apps on my servers
> > have increased in number and intensity.
> > I guess you all have entries
> > like these in your log files:
> >
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
> >
> > I wonder if someone has already tried to use SSHguard to
> > block this annoying traffic (in addition to brute force SSH attacks)?
> > Or could someone give me a hint about how to get started on
> > setting this up (without breaking the existing SSH blocking)?
> >
> > Regards,
> > Hans |
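Hans's heuristic above (many 404s from one address in a short time, with an empty referrer) as a stand-alone "tail -F access.log | ..." detector. This is an added example, not code from the posts or from sshguard; it assumes Apache combined log format with no spaces in the request path, and the sample log at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not sshguard code: flag a client once it has produced THRESHOLD
# 404 responses with an empty referrer inside a sliding WINDOW of seconds.
# Input: Apache combined-format lines on stdin, in time order.  Output: one
# "ip count" line per offender, the point at which a blocker would be invoked.

detect_404_scanners() {   # usage: detect_404_scanners THRESHOLD WINDOW_SECONDS < access.log
    awk -v threshold="$1" -v window="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    # "[02/Feb/2009:10:33:12" -> a monotonically increasing second count.  Months
    # are treated as 31 days and the zone offset is ignored: we only compare
    # timestamps from one server a few seconds apart, never convert to UTC.
    function tosec(field,    d) {
        sub(/^\[/, "", field)
        split(field, d, "[/:]")      # d[1]=day d[2]=mon d[3]=year d[4]=h d[5]=m d[6]=s
        return (((d[3] * 12 + mon[d[2]]) * 31 + d[1]) * 86400) + d[4] * 3600 + d[5] * 60 + d[6]
    }
    # Combined format fields: $1 client, $4 timestamp, $9 status, $11 referrer.
    $9 == 404 && $11 == "\"-\"" {
        ip = $1; now = tosec($4)
        if (!(ip in head)) head[ip] = 1
        n[ip]++
        hits[ip, n[ip]] = now
        # Advance the window start past hits older than WINDOW seconds.
        while (hits[ip, head[ip]] < now - window) head[ip]++
        cnt = n[ip] - head[ip] + 1
        if (cnt >= threshold && !(ip in flagged)) {
            flagged[ip] = 1
            print ip, cnt            # hand this address to the blocking backend
        }
    }'
}

# Constructed sample: one scanner probing for phpMyAdmin paths, one user who hit
# a few dead links from a referring page (not flagged: referrer present), and
# one slow client whose two 404s are 76 seconds apart (below the threshold).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
198.51.100.7 - - [02/Feb/2009:10:33:12 +0100] "GET /old/page.html HTTP/1.1" 404 350 "http://example.org/" "Mozilla/5.0"
192.0.2.10 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
192.0.2.10 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
198.51.100.7 - - [02/Feb/2009:10:33:13 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
203.0.113.5 - - [02/Feb/2009:10:33:14 +0100] "GET /favicon.ico HTTP/1.1" 404 300 "-" "curl/7.19"
192.0.2.10 - - [02/Feb/2009:10:33:14 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
192.0.2.10 - - [02/Feb/2009:10:33:15 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
203.0.113.5 - - [02/Feb/2009:10:34:30 +0100] "GET /robots.txt HTTP/1.1" 404 300 "-" "curl/7.19"
EOF
}

sample_log | detect_404_scanners 5 10
```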
From: Forrest A. <fo...@fo...> - 2009-02-05 19:05:29
|
I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in.

To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it).

I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.

_F

Hans F. Nordhaug wrote:
> The last months the bots looking for vulnerable web apps on my servers
> have increased in number and intensity. I guess you all have entries
> like these in your log files:
>
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>
> I wonder if someone has already tried to use SSHguard to
> block this annoying traffic (in addition to brute force SSH attacks)?
> Or could someone give me a hint about how to get started on
> setting this up (without breaking the existing SSH blocking)?
>
> Regards,
> Hans
|
From: Hans F. N. <Han...@hi...> - 2009-02-05 18:46:02
|
The last months the bots looking for vulnerable web apps on my servers have increased in number and intensity. I guess you all have entries like these in your log files:

74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"

I wonder if someone has already tried to use SSHguard to block this annoying traffic (in addition to brute force SSH attacks)? Or could someone give me a hint about how to get started on setting this up (without breaking the existing SSH blocking)?

Regards,
Hans |
From: alia r. <ali...@gm...> - 2009-02-05 05:53:41
|
Hi,

Thanks again for replying. ~_~

I used the SVN version and I'm so happy to inform you that it worked! I just edited a file to make the proftpd monitoring work. Here are the things I did to make it work:

- I edited the src/fwalls/command_ipfilter.h (since I'm using ipfilter).
- I added another case statement or option for proftpd. Both for COMMAND_BLOCK and COMMAND_RELEASE

#define COMMAND_BLOCK \
    "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
    "case $SSHG_SERVICE in " \
    "100) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' " \
         "<" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
    "310) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' " \
         "<" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
    "*) exit 0 ;; " \
    "esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE

#define COMMAND_RELEASE \
    "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
    "case $SSHG_SERVICE in " \
    "100) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } /^##sshguard-end##$/ { copy = 1 }' " \
         "<" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
    "310) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } /^##sshguard-end##$/ { copy = 1 }' " \
         "<" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
    "esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE

NOTE: I think there is an easier way to add the proftpd service using the scripts/sshguard_backendgen.sh script. Haven't tested that but I did try to run that script before.
- Save the changes I've made in the command_ipfilter.h file
- Reconfigure sshguard
- Make and make install clean
- Rehash (since I'm using FreeBSD)
- Then run sshguard manually using the tail -f ... | sshguard command
- Tried making a failed ssh login and failed proftpd login. Sshguard is now blocking both services when the maximum number of failed attempts is reached.

Thanks for your help Mij! Thanks for replying to my messages. I'll just post again if I have a problem. But I think everything is good now. Thank you very much! ~_~

Regards,
Alia

> Date: Tue, 3 Feb 2009 20:35:32 +0100
> From: Mij <mi...@bi...>
> Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> To: ssh...@li...
> Message-ID: <A60...@bi...>
> Content-Type: text/plain; charset="us-ascii"
>
> Please try with the SVN version, see
>
> http://sshguard.sourceforge.net/svn.html
>
>
> On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
>
> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I.
-O2 -g -O2 -MT attack_scanner.o -MD - > MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o > attack_scanner.c > In file included from attack_scanner.c:2279: > /usr/include/stdlib.h:109: error: conflicting types for 'strtol' > attack_scanner.l:25: error: previous implicit declaration of > 'strtol' was here > *** Error code 1 > > Stop in /x/x/x/sshguard-1.3/src. > *** Error code 1 > > Stop in /x/x/x/sshguard-1.3/src. > *** Error code 1 > > Stop in /x/x/x/sshguard-1.3/src. > *** Error code 1 > > Stop in /x/x/x/sshguard-1.3. > > I think it has something to do with the data type that is being > passed? > Not sure though. Still trying to make it work. > > > Alia, > > > > please try this: > > 1) cd sshguard/src/ and edit attack_scanner.c > > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to > > {HOSTADDR}" ("[^\[]+"[" > > 3) run > > flex attack_scanner.l > > bison -vd attack_parser.y > > > > then recompile and use "sshguard -d" as you did for reporting. > > Please report again if that does not fix. > > > > > > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote: > > > > Hello to everyone! > > > > Just started using sshguard. I've managed to configure it to monitor > > SSH brute force attack. My problem now is to monitor the FTP brute > > force attack. I'm using sshguard with ipfilter. I'm using proftpd > > for FTP. > > > > I'm 100% sure that logging is working because I used the tail -f / > > var/log/auth.log command to monitor if failed ftp logins are being > > logged. > > > > I've used the debug command to check where the problem is and I > > found these lines: > > > > Run command "grep -qE '^##sshguard-begin## > > ##sshguard-end##$' < /etc/ipf.rules": exited 0. > > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan. 
> > Starting parse > > Entering state 0 > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 > > sample proftpd[12194]:") > > Next token is token SYSLOG_BANNER_PID () > > Shifting token SYSLOG_BANNER_PID () > > Entering state 1 > > Reading a token: --accepting rule at line 147 (" ") > > --accepting rule at line 136 ("localhost") > > Next token is token HOSTADDR () > > Error: popping token SYSLOG_BANNER_PID () > > Stack now 0 > > Cleanup: discarding lookahead token HOSTADDR () > > Stack now 0 > > Starting parse > > Entering state 0 > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 > > sample proftpd[12194]:") > > Next token is token SYSLOG_BANNER_PID () > > Shifting token SYSLOG_BANNER_PID () > > Entering state 1 > > Reading a token: --accepting rule at line 147 (" ") > > --accepting rule at line 136 ("localhost") > > Next token is token HOSTADDR () > > Error: popping token SYSLOG_BANNER_PID () > > Stack now 0 > > Cleanup: discarding lookahead token HOSTADDR () > > Stack now 0 > > > > I think the problem lies in the accepting rule at line 147. It just > > reads a blank character or line or a space. I've checked my auth.log > > file and found these lines: > > > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) > > - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx > > [xx.xx.xx.xxx] to xx.xx.xx.xxx:21 > > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) > > - FTP session closed. > > > > I've checked the attack_scanner.l file. I saw these lines: > > > > /* ProFTPd */ > > ({WORD}\.)+{WORD}" ("[^\[] > > +"[" { BEGIN(proftpd_loginerr); > > return PROFTPD_LOGINERR_PREF; } > > <proftpd_loginerr>"]) -".*" no such user found ".+ > > { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; } > > > > I'm guessing it's reading the second line instead of the first line > > (in the auth.log file). Cause if it's reading the first line, it > > should be able to monitor the failed ftp logins or attempts right? 
> > > > Can someone help me about my problem on how I could fix this issue? > > I'm starting to like sshguard and this is what I really need because > > it has support for ipfilter. > > > > Thanks in advance! > > > > Regards, > > alia > > > > > > > > > > > > |
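The marker-managed rules file that Alia's COMMAND_BLOCK/COMMAND_RELEASE defines edit, as plain shell functions that work on a scratch copy so the logic can be exercised without a live firewall. This is an added example, not Alia's code or sshguard's backend: it differs from the posted release command in comparing the address as a whole awk field instead of pasting $SSHG_ADDR into an unanchored regex (where the dots match any character and 10.0.0.1 also matches a rule for 10.0.0.10), and it leaves the ipf reload to the caller. The scratch rules file is constructed.

```shell
#!/bin/sh
# Added example, not sshguard's ipfilter backend: manage "block" rules inside the
# ##sshguard-begin## / ##sshguard-end## section of an ipf rules file.  The
# reload step of the posted defines (ipf -Fa && ipf -f FILE) is left to the caller.

# block_rule FILE ADDR PORT: insert the rule right after the begin marker,
# the same way the posted COMMAND_BLOCK does it.
block_rule() {
    tmp=$(mktemp /tmp/ipfconf.XXXXXX) || return 1
    awk -v addr="$2" -v port="$3" '
        { print }
        /^##sshguard-begin##$/ {
            print "block in quick proto tcp from " addr " to any port = " port
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# release_rule FILE ADDR PORT: drop exactly that rule, and only inside the section.
# Rule fields: block(1) in quick proto tcp from(6) ADDR(7) to any port = PORT(NF).
# Comparing $7 to the address as a string keeps dots literal and rejects prefix
# matches, which the posted /ADDR.*PORT/ regex does not.
release_rule() {
    tmp=$(mktemp /tmp/ipfconf.XXXXXX) || return 1
    awk -v addr="$2" -v port="$3" '
        /^##sshguard-begin##$/ { inside = 1 }
        /^##sshguard-end##$/   { inside = 0 }
        inside && $1 == "block" && $7 == addr && $NF == port { next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# count_rules FILE ADDR: how many sshguard-managed rules currently exist for ADDR.
count_rules() {
    awk -v addr="$2" '
        /^##sshguard-begin##$/ { inside = 1 }
        /^##sshguard-end##$/   { inside = 0 }
        inside && $1 == "block" && $7 == addr { n++ }
        END { print n + 0 }' "$1"
}

# Constructed scratch rules file standing in for IPFILTER_CONFFILE; prints its path.
new_scratch_rules() {
    f=$(mktemp /tmp/ipfdemo.XXXXXX) || return 1
    printf '%s\n' 'pass in all' '##sshguard-begin##' '##sshguard-end##' 'pass out all' > "$f"
    echo "$f"
}

demo() {
    f=$(new_scratch_rules) || return 1
    block_rule "$f" 10.0.0.1 22
    block_rule "$f" 10.0.0.1 21
    block_rule "$f" 10.0.0.10 21
    release_rule "$f" 10.0.0.1 21     # must leave 10.0.0.1:22 and 10.0.0.10:21 in place
    cat "$f"
    rm -f "$f"
}

demo
```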
From: Mij <mi...@bi...> - 2009-02-05 00:11:11
|
see http://sshguard.sourceforge.net/doc/setup/blockingiptables.html On Feb 3, 2009, at 21:16 , Giurrero Giurrero wrote: > > > From: mi...@bi... > To: ssh...@li... > Date: Tue, 3 Feb 2009 20:39:08 +0100 > Subject: Re: [Sshguard-users] problem with first configuration - > linux syslog-ng > > > On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote: > > Dear experts, > I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng > support following the standard istruction:http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html > > When I restart the syslog: > > killall -HUP syslog-ng > > I can't find any sshguard process: > > ps ax | grep sshguard > > > after the killall in my /var/logs/messages I've: > > Feb 3 13:53:21 sole sshguard[26718]: Started successfully > [(a,p,s)=(4, 420, 1200)], now ready to scan. > Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing > blocked addresses and exiting... > Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/ > iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1. > > AFAIR syslog-ng uses a lazy execution, where services for target X > are started only when the first log entry arrives for X. That is, > check with ps only > after having produced some suitable log msgs. 
> > > If I try to log in in my system with ssh using a name that doesn't > exist I find in my /var/logs/messages: > > Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1 > Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while > writing; fd='14', error='Broken pipe (32)' > Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the > underlying authentication module for illegal user xyz from 1 > 92.168.0.1 > Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam > for invalid user xyz from 192.168.0.1 port 56372 ssh2 > Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while > writing; fd='14', error='Broken pipe (32)' > Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the > underlying authentication module for illegal user xyz from 1 > 92.168.0.1 > Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam > for invalid user xyz from 192.168.0.1 port 56372 ssh2 > Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while > writing; fd='14', error='Broken pipe (32)' > Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the > underlying authentication module for illegal user xyz from 1 > 92.168.0.1 > Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam > for invalid user xyz from 192.168.0.1 port 56372 ssh2 > > any message in some other log file that explains why that broken > pipe? Syslog-ng can't start sshguard successfully, did you double > check the path > sshguard is at in your system, when copy-pasting from the > documentation? > > the path are all ok. As root I can do: sshguard, iptable, ... but if > I do: /usr/sbin/iptables -F ssh, I got: > > iptables: No chain/target/match by that name |
From: Giurrero G. <giu...@ho...> - 2009-02-03 20:16:49
|
From: mi...@bi... To: ssh...@li... Date: Tue, 3 Feb 2009 20:39:08 +0100 Subject: Re: [Sshguard-users] problem with first configuration - linux syslog-ng On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote:Dear experts, I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng support following the standard istruction:http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html When I restart the syslog: killall -HUP syslog-ng I can't find any sshguard process: ps ax | grep sshguard after the killall in my /var/logs/messages I've: Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan. Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting... Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1. AFAIR syslog-ng uses a lazy execution, where services for target X are started only when the first log entry arrives for X. That is, check with ps onlyafter having produced some suitable log msgs. 
If I try to log in in my system with ssh using a name that doesn't exist I find in my /var/logs/messages: Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1 Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)' Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 1 92.168.0.1 Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2 Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)' Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 1 92.168.0.1 Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2 Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)' Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 1 92.168.0.1 Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2 any message in some other log file that explains why that broken pipe? Syslog-ng can't start sshguard successfully, did you double check the pathsshguard is at in your system, when copy-pasting from the documentation? the path are all ok. As root I can do: sshguard, iptable, ... but if I do: /usr/sbin/iptables -F ssh, I got: iptables: No chain/target/match by that name |
From: Mij <mi...@bi...> - 2009-02-03 19:39:13
|
On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote:

> Dear experts,
> I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng
> support following the standard instructions: http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html
>
> When I restart the syslog:
>
> killall -HUP syslog-ng
>
> I can't find any sshguard process:
>
> ps ax | grep sshguard
>
> after the killall in my /var/logs/messages I've:
>
> Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
> Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.

AFAIR syslog-ng uses a lazy execution, where services for target X are started only when the first log entry arrives for X. That is, check with ps only after having produced some suitable log msgs.

> If I try to log in in my system with ssh using a name that doesn't
> exist I find in my /var/logs/messages:
>
> Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
> Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2

any message in some other log file that explains why that broken pipe? Syslog-ng can't start sshguard successfully, did you double check the path sshguard is at in your system, when copy-pasting from the documentation? |
From: Mij <mi...@bi...> - 2009-02-03 19:35:39
|
Please try with the SVN version, see http://sshguard.sourceforge.net/svn.html

On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:

> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
> In file included from attack_scanner.c:2279:
> /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3.
>
> I think it has something to do with the data type that is being
> passed? Not sure though. Still trying to make it work.
>
> > Alia,
> >
> > please try this:
> > 1) cd sshguard/src/ and edit attack_scanner.c
> > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > {HOSTADDR}" ("[^\[]+"["
> > 3) run
> > flex attack_scanner.l
> > bison -vd attack_parser.y
> >
> > then recompile and use "sshguard -d" as you did for reporting.
> > Please report again if that does not fix.
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by:
> > SourcForge Community
> > SourceForge wants to tell your story.
> > http://p.sf.net/sfu/sf-spreadtheword
> > _______________________________________________
> > Sshguard-users mailing list
> > Sshguard-users@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Giurrero G. <giu...@ho...> - 2009-02-03 13:25:37
Dear experts,

I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng support following the standard instruction:
http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html

When I restart the syslog:

killall -HUP syslog-ng

I can't find any sshguard process:

ps ax | grep sshguard

After the killall, in my /var/logs/messages I have:

Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.

If I try to log in to my system with ssh using a name that doesn't exist, I find in my /var/logs/messages:

Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
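The log excerpt above shows three symptoms that belong together: sshguard exits two seconds after starting, its firewall flush command `iptables -F sshguard ; ip6tables -F sshguard` returns 1 (the usual cause with sshguard's iptables backend is that the `sshguard` chain was never created, so there is nothing to flush), and syslog-ng then reports a broken pipe because the program it pipes into is no longer reading. The following is an added example, not code from sshguard or from this thread, that scans syslog lines for exactly that pattern; the year in `LOG_YEAR` is an assumption, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Added example, not part of sshguard or the thread. It scans syslog lines
# for the three symptoms quoted above: sshguard dying right after start,
# its firewall command failing, and syslog-ng losing the pipe reader.
# Syslog timestamps carry no year; LOG_YEAR is an assumption for parsing.
LOG_YEAR = 2009

TS = r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
START = re.compile(TS + r"sshguard\[(\d+)\]: Started successfully")
EXIT = re.compile(TS + r"sshguard\[(\d+)\]: Got exit signal")
RUNCMD = re.compile(TS + r'sshguard\[(\d+)\]: Run command "(.*)": exited (-?\d+)\.')
PIPE = re.compile(TS + r"syslog-ng\[\d+\]: I/O error occurred while writing; fd='(\d+)', error='Broken pipe")


def _when(stamp):
    """Turn a 'Feb  3 13:53:21' syslog stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def diagnose(lines, max_uptime=30):
    """Return human-readable findings for the failure pattern in the thread.

    A finding is raised when an sshguard process exits within max_uptime
    seconds of starting, when a firewall command it ran exits non-zero, and
    (once per descriptor) when syslog-ng reports a broken pipe.
    """
    started = {}
    broken_fds = set()
    findings = []
    for line in lines:
        m = START.match(line)
        if m:
            started[m.group(2)] = _when(m.group(1))
            continue
        m = EXIT.match(line)
        if m:
            pid = m.group(2)
            if pid in started:
                uptime = (_when(m.group(1)) - started[pid]).total_seconds()
                if uptime <= max_uptime:
                    findings.append(f"sshguard[{pid}] exited {uptime:.0f}s after starting")
            continue
        m = RUNCMD.match(line)
        if m and m.group(4) != "0":
            findings.append(f"sshguard[{m.group(2)}] firewall command exited {m.group(4)}: {m.group(3)}")
            continue
        m = PIPE.match(line)
        if m and m.group(2) not in broken_fds:
            broken_fds.add(m.group(2))
            findings.append(f"syslog-ng fd {m.group(2)}: broken pipe, the reader (sshguard) is gone")
    return findings


# Lines from the message above, trimmed to the three symptoms (the double
# space after the month is how syslog writes single-digit days).
SAMPLE_LINES = [
    "Feb  3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.",
    "Feb  3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...",
    'Feb  3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.',
    "Feb  3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1",
    "Feb  3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'",
    "Feb  3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LINES):
        print(finding)
```

Run it against `/var/log/messages` after a `killall -HUP syslog-ng` and the first finding tells you whether sshguard is being started and then immediately signalled, which is the question to settle before touching the firewall configuration.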
From: Greg P. <gre...@hc...> - 2009-02-03 12:56:46
Mij wrote:
> Hello Greg,
>
> On Jan 20, 2009, at 15:34 , Greg Parrish wrote:
>
>> I am having two issues with the 1.3 release as seen in the logs below.
>> This is on a Centos4 host using the auth.log method piped to sshguard
>> and not the syslog method.
>>
>> 1. Here the logs all have ffff in them and I am not sure why this is but
>> it seems normal from some other posts out there but it fails to block. I
>> have this running on a Centos3 host and it is working fine but there is
>> no ffff in the log entries which I assume is causing the failure.
>>
>> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1

Hi Mij,

> do you have the system utility ip6tables ?

No, this package is not installed.

> This is what sshguard needs to block IPv6 addresses.

Ok, good to know and that makes sense.

>> 2. The above is an internal host so I am not concerned about him other
>> than the blocking is failing. From testing on an outside host it just
>> registers the failed login but never even reports a block attempt there
>> after I failed the login many times. Here are my params.
>>
>> 2 failures, in 30 minutes, block them for a month.
>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800
>
> 1) Do you have debug-level entries for when you tried this?

No I don't.

> 2) what kind of log messages do you expect to cause blocking? Did
> you try to inject them manually in "sshguard -d" and see if it detects
> them?

I expect it to stop normal brute attacks that I have tested on other hosts. I did not try and inject them.

> 3) "-p 25920000" : this is dangerous, use with care. If you want
> blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box

Sounds good and thanks. I am okay with this as ssh is limited to just a few users. I don't want the bad guys banging on our hosts more than once a week.

I was able to resolve this by disabling IPv6 in modules.conf and restarting the host so there are no IPv6 addresses on the interfaces and thus not in the logs.

-greg

>> Thanks,
>> greg
From: alia r. <ali...@gm...> - 2009-02-03 06:30:42
Hi,

Thank you very much for replying. ~_~

I did what you suggested me to do but I had problems while reconfiguring sshguard. Here's the error:

Making all in src
make all-recursive
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
mv -f .deps/command.Tpo .deps/command.Po
rm -f libfwall.a
ar cru libfwall.a command.o
ranlib libfwall.a
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
/bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
In file included from attack_scanner.c:2279:
/usr/include/stdlib.h:109: error: conflicting types for 'strtol'
attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
*** Error code 1

Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1

Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1

Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1

Stop in /x/x/x/sshguard-1.3.

I think it has something to do with the data type that is being passed? Not sure though. Still trying to make it work.

> Alia,
>
> please try this:
> 1) cd sshguard/src/ and edit attack_scanner.c
> 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> {HOSTADDR}" ("[^\[]+"["
> 3) run
> flex attack_scanner.l
> bison -vd attack_parser.y
>
> then recompile and use "sshguard -d" as you did for reporting.
> Please report again if that does not fix.
From: Mij <mi...@bi...> - 2009-02-02 12:12:54
Alia,

please try this:
1) cd sshguard/src/ and edit attack_scanner.c
2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
{HOSTADDR}" ("[^\[]+"["
3) run
flex attack_scanner.l
bison -vd attack_parser.y

then recompile and use "sshguard -d" as you did for reporting.
Please report again if that does not fix.

On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:

> Hello to everyone!
>
> Just started using sshguard. I've managed to configure it to monitor
> SSH brute force attack. My problem now is to monitor the FTP brute
> force attack. I'm using sshguard with ipfilter. I'm using proftpd
> for FTP.
>
> I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log
> command to monitor if failed ftp logins are being logged.
>
> I've used the debug command to check where the problem is and I
> found these lines:
>
> Run command "grep -qE '^##sshguard-begin##
> ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
>
> I think the problem lies in the accepting rule at line 147. It just
> reads a blank character or line or a space. I've checked my auth.log
> file and found these lines:
>
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
>
> I've checked the attack_scanner.l file. I saw these lines:
>
> /* ProFTPd */
> ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> <proftpd_loginerr>"]) -".*" no such user found ".+ { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
>
> I'm guessing it's reading the second line instead of the first line
> (in the auth.log file). Cause if it's reading the first line, it
> should be able to monitor the failed ftp logins or attempts right?
>
> Can someone help me about my problem on how I could fix this issue?
> I'm starting to like sshguard and this is what I really need because
> it has support for ipfilter.
>
> Thanks in advance!
>
> Regards,
> alia
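The debug trace quoted above explains the suggested change: after the `SYSLOG_BANNER_PID` token the scanner hands `localhost` to the generic `HOSTADDR` rule (line 136) instead of the ProFTPD prefix rule, because `({WORD}\.)+{WORD}` insists on at least one dot in the host name, and the parser then rejects the token. Below is an added example, not code from sshguard or from this thread, that reproduces both prefix rules as Python regular expressions and runs them over sample log lines; `WORD`, `HOSTADDR` and the syslog banner are my approximations of the flex macros, not the project's definitions, and the sample lines are constructed from the ones in the thread with documentation-range addresses in place of the `x.x.x.x` placeholders. It goes slightly beyond the thread by also tallying failures per client address, which is what sshguard does with the matches.

```python
import re

# Added example; not code from the sshguard project. WORD, IPV4 and HOSTADDR
# are assumed approximations of the flex macros in attack_scanner.l.
WORD = r"[A-Za-z0-9_-]+"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOSTADDR = r"(?:" + IPV4 + r"|" + WORD + r"(?:\." + WORD + r")*)"

# Original prefix rule from the thread: ({WORD}\.)+{WORD}" ("[^\[]+"["
# It demands a dotted name before " (", so a bare "localhost" never matches.
OLD_PREFIX = re.compile(r"^(?:" + WORD + r"\.)+" + WORD + r" \([^\[]+\[")

# Mij's replacement: {HOSTADDR}" ("[^\[]+"["  (dotted or not, or an IP)
NEW_PREFIX = re.compile(r"^" + HOSTADDR + r" \([^\[]+\[")

# Suffix rule: "]) -".*" no such user found ".+   (client IP captured here)
SUFFIX = re.compile(r"\]\) -.* no such user found from (" + IPV4 + r")")

# The syslog banner the trace shows as SYSLOG_BANNER_PID, restricted to proftpd.
SYSLOG = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: (.*)$")


def proftpd_failed_login(line, prefix=NEW_PREFIX):
    """Return the client IP of a ProFTPD 'no such user found' line, else None.

    Mirrors the two-stage scanner: the prefix rule must accept the start of
    the message before the suffix rule is allowed to fire.
    """
    m = SYSLOG.match(line)
    if not m:
        return None
    body = m.group(1)
    if not prefix.match(body):
        return None
    s = SUFFIX.search(body)
    return s.group(1) if s else None


def tally_failures(lines, prefix=NEW_PREFIX):
    """Count 'no such user' attempts per client IP, as sshguard would."""
    counts = {}
    for line in lines:
        ip = proftpd_failed_login(line, prefix)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample lines modelled on the ones in the thread, with
# documentation-range addresses substituted for the x.x.x.x placeholders.
SAMPLE_LINES = [
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.5[203.0.113.5]) "
    "- USER jkhfjkasdhfjd: no such user found from 203.0.113.5 [203.0.113.5] to 198.51.100.2:21",
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.5[203.0.113.5]) - FTP session closed.",
    "Jan 29 14:30:40 sample proftpd[12201]: ftp.example.org (203.0.113.5[203.0.113.5]) "
    "- USER admin: no such user found from 203.0.113.5 [203.0.113.5] to 198.51.100.2:21",
]

if __name__ == "__main__":
    print("old rule:", tally_failures(SAMPLE_LINES, OLD_PREFIX))  # only the dotted host counts
    print("new rule:", tally_failures(SAMPLE_LINES, NEW_PREFIX))  # both failures counted
```

With the old rule only the line whose ProFTPD server name contains a dot is counted; with the replacement both `localhost` and `ftp.example.org` lines count, while the "FTP session closed" line is still ignored because the suffix rule never fires on it.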
From: Mij <mi...@bi...> - 2009-02-01 19:31:52
Hello Greg,

On Jan 20, 2009, at 15:34 , Greg Parrish wrote:

> I am having two issues with the 1.3 release as seen in the logs below.
> This is on a Centos4 host using the auth.log method piped to sshguard
> and not the syslog method.
>
> 1. Here the logs all have ffff in them and I am not sure why this is but
> it seems normal from some other posts out there but it fails to block. I
> have this running on a Centos3 host and it is working fine but there is
> no ffff in the log entries which I assume is causing the failure.
>
> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1

do you have the system utility ip6tables ? This is what sshguard needs to block IPv6 addresses.

> 2. The above is an internal host so I am not concerned about him other
> than the blocking is failing. From testing on an outside host it just
> registers the failed login but never even reports a block attempt there
> after I failed the login many times. Here are my params.
>
> 2 failures, in 30 minutes, block them for a month.
> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800

1) Do you have debug-level entries for when you tried this?
2) what kind of log messages do you expect to cause blocking? Did you try to inject them manually in "sshguard -d" and see if it detects them?
3) "-p 25920000" : this is dangerous, use with care. If you want blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box

> Thanks,
> greg
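The `::ffff:192.168.122.234` in Greg's log is an IPv4-mapped IPv6 address: sshd was listening on a dual-stack socket, so an IPv4 client is reported in IPv6 notation, and sshguard 1.3 then tried the IPv6 path (and, judging by `Blocking ::ffff:192`, cut the address at the wrong colon). Disabling IPv6 on the host, as Greg did, works, but the more general fix is to fold such addresses back to IPv4 before choosing the firewall front end. The following is an added example, not sshguard code, that does that with Python's `ipaddress` module; the third sample line (a native IPv6 client) is constructed, the other two are from this thread.

```python
import ipaddress
import re

# Added example; not sshguard code. Folds IPv4-mapped IPv6 literals
# (::ffff:a.b.c.d) back to IPv4 so an IPv4-only host never needs ip6tables
# for them, and picks the matching front end for a given sshd line.

# Address at the end of the sshd messages quoted in the thread, e.g.
# "... from ::ffff:192.168.122.234" or "... from 192.168.0.1 port 56372 ssh2".
FROM_ADDR = re.compile(r" from (\S+)(?: port \d+)?(?: ssh2)?$")


def canonical_address(text):
    """Return (ip_version, address) for an IP literal taken from a log line.

    IPv4-mapped IPv6 is reported as version 4 with the embedded IPv4 address;
    text that is not a valid address gives None.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.version, str(addr)


def block_tool(line):
    """Pick the firewall front end (iptables/ip6tables) for one sshd line."""
    m = FROM_ADDR.search(line)
    if not m:
        return None
    parsed = canonical_address(m.group(1))
    if parsed is None:
        return None
    version, ip = parsed
    return ("iptables" if version == 4 else "ip6tables"), ip


# Two lines from the thread plus one constructed native-IPv6 line.
SAMPLE_LINES = [
    "Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234",
    "Feb  3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2",
    "Jan 20 09:26:20 arnold sshd[9300]: Did not receive identification string from 2001:db8::1",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(block_tool(line))
```

On a host without `ip6tables` the first two lines now resolve to `iptables` with a plain IPv4 address, and only a genuine IPv6 client, like the constructed third line, still requires the IPv6 tool.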
From: Mij <mi...@bi...> - 2009-02-01 19:30:29
On Jan 20, 2009, at 9:43 , Michel wrote:

> On Saturday 17 January 2009, Mij wrote:
>> If so, do they have the same parent and status? You can
>> derive this answer with this command:
>>
>> ps axjh | grep -E 'sshguard|syslog'
>>
>
> dedi2# ps axjh | grep -E 'sshguard|syslog'
> root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
> root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s
> root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/syslogd -s
> root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
> root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/syslogd -s
> root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
> root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E sshguard|syslog

I see several instances of syslogd as well. I'm no jail expert, but as the "further" ones operate in secure my intuition is that they are raised for the jails.

Sshguard is not designed to run in multiple instances, but technically, even after reviewing the code, I don't see a reason for the looping. The problem is interesting. When you kill the program, the OS should dump a core file somewhere (use "locate sshguard.core"): can you send it to me?

That would be even more valuable if you can
1) use the current SVN version
mkdir sshguard && cd sshguard
svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard/ ./
2) compile with debug symbols and send the core of that version.
./configure --with-firewall=pf --enable-debug=yes
make
cp sshguard /usr/local/bin
(do NOT use make install, which strips debug symbols)

michele

>> As a further curiosity: if you signal the "looped" instance with TSTP,
>> does it remain looping?
>> kill -s TSTP <pid_looped>
>> after this command, do you see anything in the log like "Got STOP
>> signal, suspending activity." ?
>>
>
> kill -s TSTP 78143
> and it remains looping !
>
> and nothing in messages nor in debug :
>
> Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
>
> only a kill -9 78143 stops the loop ...
From: alia r. <ali...@gm...> - 2009-01-30 06:37:10
Hello to everyone!

Just started using sshguard. I've managed to configure it to monitor SSH brute force attack. My problem now is to monitor the FTP brute force attack. I'm using sshguard with ipfilter. I'm using proftpd for FTP.

I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log command to monitor if failed ftp logins are being logged.

I've used the debug command to check where the problem is and I found these lines:

Run command "grep -qE '^##sshguard-begin##
##sshguard-end##$' < /etc/ipf.rules": exited 0.
Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 147 (" ")
--accepting rule at line 136 ("localhost")
Next token is token HOSTADDR ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token HOSTADDR ()
Stack now 0
Starting parse
Entering state 0
Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 147 (" ")
--accepting rule at line 136 ("localhost")
Next token is token HOSTADDR ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token HOSTADDR ()
Stack now 0

I think the problem lies in the accepting rule at line 147. It just reads a blank character or line or a space. I've checked my auth.log file and found these lines:

Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.

I've checked the attack_scanner.l file. I saw these lines:

/* ProFTPd */
({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
<proftpd_loginerr>"]) -".*" no such user found ".+ { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }

I'm guessing it's reading the second line instead of the first line (in the auth.log file). Cause if it's reading the first line, it should be able to monitor the failed ftp logins or attempts right?

Can someone help me about my problem on how I could fix this issue? I'm starting to like sshguard and this is what I really need because it has support for ipfilter.

Thanks in advance!

Regards,
alia
From: Greg P. <gre...@hc...> - 2009-01-25 19:51:48
I am having two issues with the 1.3 release as seen in the logs below. This is on a Centos4 host using the auth.log method piped to sshguard and not the syslog method.

1. Here the logs all have ffff in them and I am not sure why this is but it seems normal from some other posts out there but it fails to block. I have this running on a Centos3 host and it is working fine but there is no ffff in the log entries which I assume is causing the failure.

Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1

2. The above is an internal host so I am not concerned about him other than the blocking is failing. From testing on an outside host it just registers the failed login but never even reports a block attempt there after I failed the login many times. Here are my params.

2 failures, in 30 minutes, block them for a month.
/usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800

Thanks,
greg
From: Michel <mi...@do...> - 2009-01-20 08:44:20
Le samedi 17 janvier 2009, Mij a écrit : > Hello Michel, > > On Jan 15, 2009, at 13:31 , Michel wrote: > > > Le mercredi 14 janvier 2009, Mij a écrit : > >> Hello Michel, > >> > >> Sorry for overlooking this post, I'm actually very interested. > >> To clarify your scenario: you have 2 instances of sshguard, > >> one for the host, the other one for both jails. I guess both > >> jails are logging to the same file, and you are monitoring that (?). > >> > >> Is it always the "jails" process to show this behavior? Do you see > >> anything strange ending up in logs? Can you report sshguard's more > >> verbose messages (do you have debug.log or similar?)? > >> > >> thanks > >> > > > > No, I usualy have only one sshguard running : > > ps -aux | grep sshguard \ > > root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM > > 0:00.05 /usr/local/sbin/sshguard -w > > > > I use syslog in the jails to log all auth.log on the host and the > > syslog.conf of the host have the lines : > > auth.info;authpriv.info /var/log/auth.log > > auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w > > 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800 > > so you're saying: > 1) there is one syslog running in your system, collecting everything > from host+jails to auth.log Yes > 2) one sshguard is configured to be given these auth.log lines and > blocks through PF for everything Yes > > > The last time the problem appear (from daily security mail) : > > > > Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from > > 203.252.182.37 > > Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from > > 203.252.182.37 > > Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from > > 203.252.182.37 > > here you don't mean that after these lines sshguard loops, do you? > > > > In the auth.log of the host (dedi2 is the host, dedi_? 
are the
> > jails) :
> >
> > Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive
> > identification string from 216.127.160.82
> > Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3
> > failures over 156 seconds.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after
> > 690 seconds.
> > Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification
> > string from 201.134.249.168
> > Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking
> > getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx
> > [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from
> > 201.134.249.168
> > Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from
> > 203.252.182.37
> > Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from
> > 203.252.182.37
> > Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from
> > 203.252.182.37
> > Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from
> > 203.252.182.37
> > ....
> > a lot of lines : >600 (1 every 2-3 seconds)
> > ....
> > Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully
> > [(a,p,s)=(3, 600, 1800)], now ready to scan.
> > Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from
> > 203.252.182.37
> > Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from
> > 203.252.182.37
> >
> >
> > And debug.0.log :
> >
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \
> > SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> > Tdel -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as
> > plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as
> > plain IPv4.
> > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> > Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address
> > 203.252.182.37
> > Jan 14 10:03:01 dedi2 last message repeated 2 times
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \
> > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -
> > Tadd -t sshguard $SSHG_ADDR": exited 0.
> > Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> > Tflush -t sshguard": exited 0.
> > Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \
> > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> >
> > It looks like sshguard is starting twice on 10:02:56?
>
> When that message occurs, sshguard is actually starting. This happens
> frequently for a restart (e.g.
> for log rotation) but there I don't see a "Got exit signal" message
> before. Do you see two instances
> at that point?

Yes

> If so, do they have the same parent and status? You can
> derive this answer with this command:
>
> ps axjh | grep -E 'sshguard|syslog'
>

dedi2# ps axjh | grep -E 'sshguard|syslog'
root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s
root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/syslogd -s
root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/syslogd -s
root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E sshguard|syslog

> As a further curiosity: if you signal the "looped" instance with TSTP,
> does it remain looping?
> kill -s TSTP <pid_looped>
> after this command, do you see anything in the log like "Got STOP
> signal, suspending activity." ?
>

kill -s TSTP 78143 and it remains looping! And nothing in messages nor in debug:

Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.

only a kill -9 78143 stops the loop ...
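A check for the situation in the ps listing above, added here as an example and not part of the thread: it reads `ps axjh` output and reports any sshguard whose parent is not a syslogd from the same listing, i.e. an instance that has lost the syslog pipe feeding it, and counts how many sshguard processes are running. The sample listing is constructed, modelled on the one above.

```shell
#!/bin/sh
# Constructed sample in the FreeBSD `ps axj` column order seen in the thread:
# USER PID PPID PGID SID JOBC STAT TT TIME COMMAND.  Linux ps orders its
# columns differently, so the awk field numbers below assume this layout.
SAMPLE_PS='root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196
root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s
root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -a 3 -p 600 -s 1800
root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -a 3 -p 600 -s 1800'

# Read `ps axjh` lines on stdin and print the PID of every sshguard whose
# parent is not one of the syslogd processes in the same listing.  An sshguard
# started by syslog.conf's "|exec" has syslogd as its parent (88115 <- 426
# above); one re-parented to PID 1 no longer receives the log pipe and is the
# instance to inspect (78143: state R, very large CPU time).
orphaned_sshguard() {
    awk '
        BEGIN { n = 0 }
        $10 ~ /\/syslogd$/  { syslog_pid[$2] = 1 }
        $10 ~ /\/sshguard$/ { pid[n] = $2; ppid[n] = $3; n++ }
        END {
            for (i = 0; i < n; i++)
                if (!(ppid[i] in syslog_pid)) print pid[i]
        }'
}

# Count sshguard instances: with a single syslog pipe there should be one.
sshguard_count() {
    awk '$10 ~ /\/sshguard$/ { n++ } END { print n + 0 }'
}

# Live usage: ps axjh | grep -E 'sshguard|syslog' | orphaned_sshguard
printf '%s\n' "$SAMPLE_PS" | orphaned_sshguard   # prints 78143
printf '%s\n' "$SAMPLE_PS" | sshguard_count      # prints 2
```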
From: Mij <mi...@bi...> - 2009-01-17 10:57:44
Hello Michel,

On Jan 15, 2009, at 13:31 , Michel wrote:

> On Wednesday 14 January 2009, Mij wrote:
>> Hello Michel,
>>
>> Sorry for overlooking this post, I'm actually very interested.
>> To clarify your scenario: you have 2 instances of sshguard,
>> one for the host, the other one for both jails. I guess both
>> jails are logging to the same file, and you are monitoring that (?).
>>
>> Is it always the "jails" process to show this behavior? Do you see
>> anything strange ending up in logs? Can you report sshguard's more
>> verbose messages (do you have debug.log or similar?)?
>>
>> thanks
>>
>
> No, I usually have only one sshguard running :
> ps -aux | grep sshguard \
> root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM
> 0:00.05 /usr/local/sbin/sshguard -w
>
> I use syslog in the jails to log all auth.log on the host and the
> syslog.conf of the host has the lines :
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w
> 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800

so you're saying:
1) there is one syslog running in your system, collecting everything from host+jails to auth.log
2) one sshguard is configured to be given these auth.log lines and blocks through PF for everything

> The last time the problem appeared (from daily security mail) :
>
> Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from
> 203.252.182.37
> Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from
> 203.252.182.37
> Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from
> 203.252.182.37

here you don't mean that after these lines sshguard loops, do you?

> In the auth.log of the host (dedi2 is the host, dedi_? are the
> jails) :
>
> Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive
> identification string from 216.127.160.82
> Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3
> failures over 156 seconds.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after
> 690 seconds.
> Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification
> string from 201.134.249.168
> Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking
> getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx
> [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
> Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from
> 201.134.249.168
> Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from
> 203.252.182.37
> Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from
> 203.252.182.37
> Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from
> 203.252.182.37
> Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from
> 203.252.182.37
> ....
> a lot of lines : >600 (1 every 2-3 seconds)
> ....
> Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully
> [(a,p,s)=(3, 600, 1800)], now ready to scan.
> Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from
> 203.252.182.37
> Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from
> 203.252.182.37
>
>
> And debug.0.log :
>
> Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \
> SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> Tdel -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as
> plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as
> plain IPv4.
> Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
> Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address
> 203.252.182.37
> Jan 14 10:03:01 dedi2 last message repeated 2 times
> Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \
> SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -
> Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -
> Tflush -t sshguard": exited 0.
> Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \
> SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>
> It looks like sshguard is starting twice on 10:02:56?

When that message occurs, sshguard is actually starting. This happens frequently for a restart (e.g. for log rotation) but there I don't see a "Got exit signal" message before. Do you see two instances at that point? If so, do they have the same parent and status? You can derive this answer with this command:

ps axjh | grep -E 'sshguard|syslog'

As a further curiosity: if you signal the "looped" instance with TSTP, does it remain looping?

kill -s TSTP <pid_looped>

after this command, do you see anything in the log like "Got STOP signal, suspending activity." ?

>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Mij <mi...@bi...> - 2009-01-17 10:23:24
Hello Greg,

This is a problem with non-POSIX compliant libc implementations, where getopt() stuff is not defined in unistd.h but in getopt.h. Nobuhiro Iwamatsu has reported the same problem some days ago, and support for these settings has been added in the SVN version. You can either download and compile that, or wait some days for 1.4 to be released.

michele

On Jan 16, 2009, at 17:45 , Greg Parrish wrote:

>
> I am having an issue compiling the 1.4RC2 on my system. Here are the
> OS
> details and the tail of the error. Any ideas on this make error? The
> configure ran fine.
>
> CentOS release 3.9 (Final)
> 2.4.21-53.EL #1 Mon Dec 3 13:43:24 EST 2007 i686 athlon i386 GNU/Linux
>
> ./configure --with-firewall=iptables
>
> make:
>
>
> make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src/fwalls'
> make[3]: Entering directory `/home/software/sshguard-1.4rc2/src'
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -std=c99 -Wall -g -O2 -MT
> sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o
> sshguard_options.o sshguard_options.c
> sshguard_options.c: In function `get_options_cmdline':
> sshguard_options.c:44: warning: implicit declaration of function
> `getopt'
> sshguard_options.c:47: `optarg' undeclared (first use in this
> function)
> sshguard_options.c:47: (Each undeclared identifier is reported only
> once
> sshguard_options.c:47: for each function it appears in.)
> make[3]: *** [sshguard_options.o] Error 1
> make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/software/sshguard-1.4rc2/src'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/home/software/sshguard-1.4rc2/src'
> make: *** [all-recursive] Error 1
>
> Thanks,
> greg
From: Greg P. <gre...@hc...> - 2009-01-16 18:54:26
I am having an issue compiling the 1.4RC2 on my system. Here are the OS details and the tail of the error. Any ideas on this make error? The configure ran fine.

CentOS release 3.9 (Final)
2.4.21-53.EL #1 Mon Dec 3 13:43:24 EST 2007 i686 athlon i386 GNU/Linux

./configure --with-firewall=iptables

make:

make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src/fwalls'
make[3]: Entering directory `/home/software/sshguard-1.4rc2/src'
gcc -DHAVE_CONFIG_H -I. -I. -O2 -std=c99 -Wall -g -O2 -MT sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o sshguard_options.o sshguard_options.c
sshguard_options.c: In function `get_options_cmdline':
sshguard_options.c:44: warning: implicit declaration of function `getopt'
sshguard_options.c:47: `optarg' undeclared (first use in this function)
sshguard_options.c:47: (Each undeclared identifier is reported only once
sshguard_options.c:47: for each function it appears in.)
make[3]: *** [sshguard_options.o] Error 1
make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/software/sshguard-1.4rc2/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/software/sshguard-1.4rc2/src'
make: *** [all-recursive] Error 1

Thanks,
greg