From: Mij <mi...@bi...> - 2009-03-10 01:07:49
Hi Leonid,

Thanks for your feedback on the blacklisting feature. I want to get it quickly out of the experimental status as many people manifested primary interest in it. Yet I cannot reproduce this crash. Please

1) fetch the version currently in svn
2) please compile without installing (installing strips debug symbols)
3) run the binary by hand from the src directory (mind the "-d"):
   $ cd src
   $ ./sshguard -d -a 2 -b 1:/var/cache/sshguard/blacklist
4) paste the messages you report causing crash, observe if it crashes
5) send your next messages in plain text

if it still crashes, you'd need to run sshguard under gdb:
   $ gdb ./sshguard
   run -d -a 2 -b 1:/var/cache/sshguard/blacklist
paste your stuff and when it crashes issue "backtrace", and send in the output of that.

On Mar 9, 2009, at 8:22 , Leonid Shulov wrote:

> Hi,
>
> After below attack sshguard crashed:
> Mar 8 21:01:54 router sshd[23464]: Did not receive identification string from 81.21.15.199
> Mar 8 21:01:55 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
> Mar 8 21:08:13 router sshd[23466]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
> Mar 8 21:08:13 router sshd[23466]: Invalid user staff from 81.21.15.199
> Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
> Mar 8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for >420secs: 2 failures over 379 seconds.
> Mar 8 21:08:14 router sshguard[23158]: Setting environment: SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Mar 8 21:08:14 router sshguard[23158]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Mar 8 21:08:14 router sshguard[23158]: First sight of offender '81.21.15.199:4', adding to offenders list.
> Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
> Mar 8 21:08:15 router sshd[23468]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
> Mar 8 21:08:15 router sshd[23468]: Invalid user sales from 81.21.15.199
> Mar 8 21:08:15 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
> Mar 8 21:08:15 router sshguard[23158]: Looking for address '81.21.15.199:4'...
> Mar 8 21:08:15 router sshguard[23158]: Not found.
> Mar 8 21:08:15 router sshguard[23158]: Blacklisting address '81.21.15.199:4' after 1 abuses.
>
>
> Memory dump:
> router: # *** glibc detected *** /usr/local/sbin/sshguard: free(): invalid pointer: 0x0000000000615500 ***
> [snip]
>
> sshguard starts a command:
> /usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard -a 2 -b 1:/var/cache/sshguard/blacklist &
>
>
> I use a copy sshguard from svn http://sshguard.sourceforge.net/svn.html .
>
> sshguard is compiled on Debian lenny with libc6 version 2.7.
>
>
> Thanks,
> --
> Leonid Shulov <Leo...@en...>
> Entropic Communications Israel
From: Sebastian H. <seb...@gm...> - 2009-03-09 07:33:03
Hi,
seems to work quite well - thanks.
br,
Sebastian
On Saturday 07 March 2009 18:04:32, Mij wrote:
> Hi Sebastian
>
> thanks for reporting. Can you give a try to the version currently in
> the SVN?
>
> On Mar 2, 2009, at 16:24 , Sebastian Held wrote:
> > further investigation shows a problem in blacklist_load():
> >
> > # cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/
> > sbin/sshguard
> > ==9364== Memcheck, a memory error detector.
> > ==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et
> > al.
> > ==9364== Using LibVEX rev 1732, a library for dynamic binary
> > translation.
> > ==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
> > ==9364== Using valgrind-3.2.3, a dynamic binary instrumentation
> > framework.
> > ==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et
> > al.
> > ==9364== For more details, rerun with: -v
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> > ==9364== by 0x804D6D5: blacklist_lookup_address
> > (sshguard_blacklist.c:199)
> > ==9364== by 0x804BAD9: report_address (sshguard.c:368)
> > ==9364== by 0x804C415: main (sshguard.c:240)
> > ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> > ==9364== by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
> > ==9364== by 0x804BC28: report_address (sshguard.c:372)
> > ==9364== by 0x804C415: main (sshguard.c:240)
> > ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==9364==
> > ==9364== Syscall param open(filename) points to unaddressable byte(s)
> > ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> > ==9364== by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
> > ==9364== by 0x804BC28: report_address (sshguard.c:372)
> > ==9364== by 0x804C415: main (sshguard.c:240)
> > ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> >
> > But currently sshguard is not yet running at 100%... It's idle as it
> > should.
> >
> >
> >
> >
> > ---------- Forwarded message ----------
> >
> > Subject: sshguard using 100% CPU
> > Date: Monday 02 March 2009
> > From: Sebastian Held <seb...@gm...>
> > To: ssh...@li...
> >
> > Hello,
> >
> > sshguard (svn rev. 74 + mod, but same issue is found in pristine rev
> > 74) is started like this:
> > cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w
> > 192.168.90.86 -w 192.168.90.52 >&/dev/null &
> >
> > After a short time (around an hour) CPU utilization increases to 100%.
> > A core dump is attached. There was only one sshguard process running.
> >
> > Stacktrace:
> > # gdb /usr/local/sbin/sshguard core.23814
> > GNU gdb 6.6.50.20070726-cvs
> > Copyright (C) 2007 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and
> > you are
> > welcome to change it and/or distribute copies of it under certain
> > conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB. Type "show warranty" for
> > details.
> > This GDB was configured as "i586-suse-linux"...
> > Using host libthread_db library "/lib/libthread_db.so.1".
> > Core was generated by `/usr/local/sbin/sshguard'.
> > #0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> > 431 for (pos = 0; pos < list_size(& hell); ) {
> > (gdb) bt full
> > #0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> > now = 1235994775
> > tmpel = (attacker_t *) 0x8060128
> > ret = 0
> > pos = 0
> > #1 0xb7fc9192 in ?? ()
> > No symbol table info available.
> > #2 0x00000000 in ?? ()
> > No symbol table info available.
> > (gdb) p *tmpel
> > $2 = {attack = {address = {value =
> > "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4},
> > service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
> > pardontime = 0, numhits = 4}
> > (gdb)
> >
> >
> >
> > br,
> > Sebastian
> >
> > -------------------------------------------------------
> >
> > -------------------------------------------------------------------------
> >----- Open Source Business Conference (OSBC), March 24-25, 2009, San
> > Francisco, CA
> > -OSBC tackles the biggest issue in open source: Open Sourcing the
> > Enterprise
> > -Strategies to boost innovation and cut costs with open source
> > participation
> > -Receive a $600 discount off the registration fee with the source
> > code: SFAD
> > http://p.sf.net/sfu/XcvMzF8H
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
From: Leonid S. <Leo...@en...> - 2009-03-09 07:22:43
Hi,

After below attack sshguard crashed:
Mar 8 21:01:54 router sshd[23464]: Did not receive identification string from 81.21.15.199
Mar 8 21:01:55 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:13 router sshd[23466]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 8 21:08:13 router sshd[23466]: Invalid user staff from 81.21.15.199
Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:14 router sshguard[23158]: Blocking 81.21.15.199:4 for >420secs: 2 failures over 379 seconds.
Mar 8 21:08:14 router sshguard[23158]: Setting environment: SSHG_ADDR=81.21.15.199;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Mar 8 21:08:14 router sshguard[23158]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Mar 8 21:08:14 router sshguard[23158]: First sight of offender '81.21.15.199:4', adding to offenders list.
Mar 8 21:08:14 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:15 router sshd[23468]: reverse mapping checking getaddrinfo for unknown-host.intellecom.net.ua [81.21.15.199] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 8 21:08:15 router sshd[23468]: Invalid user sales from 81.21.15.199
Mar 8 21:08:15 router sshguard[23158]: Matched address 81.21.15.199:4 attacking service 100
Mar 8 21:08:15 router sshguard[23158]: Looking for address '81.21.15.199:4'...
Mar 8 21:08:15 router sshguard[23158]: Not found.
Mar 8 21:08:15 router sshguard[23158]: Blacklisting address '81.21.15.199:4' after 1 abuses.

Memory dump:
router: # *** glibc detected *** /usr/local/sbin/sshguard: free(): invalid pointer: 0x0000000000615500 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5573990948]
/lib/libc.so.6(cfree+0x76)[0x7f5573992a56]
/usr/local/sbin/sshguard[0x4076d6]
/usr/local/sbin/sshguard[0x4079b7]
/usr/local/sbin/sshguard[0x405eb0]
/usr/local/sbin/sshguard[0x404586]
/usr/local/sbin/sshguard[0x404c74]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f557393b1a6]
/usr/local/sbin/sshguard[0x401ba9]
======= Memory map: ========
00400000-00415000 r-xp 00000000 fe:03 3153923 /usr/local/sbin/sshguard
00615000-00616000 rw-p 00015000 fe:03 3153923 /usr/local/sbin/sshguard
00616000-00618000 rw-p 00616000 00:00 0
0109c000-010c5000 rw-p 0109c000 00:00 0 [heap]
40a84000-40a85000 ---p 40a84000 00:00 0
40a85000-41285000 rw-p 40a85000 00:00 0
7f556c000000-7f556c021000 rw-p 7f556c000000 00:00 0
7f556c021000-7f5570000000 ---p 7f556c021000 00:00 0
7f5573706000-7f557371c000 r-xp 00000000 08:02 7888 /lib/libgcc_s.so.1
7f557371c000-7f557391c000 ---p 00016000 08:02 7888 /lib/libgcc_s.so.1
7f557391c000-7f557391d000 rw-p 00016000 08:02 7888 /lib/libgcc_s.so.1
7f557391d000-7f5573a67000 r-xp 00000000 08:02 8125 /lib/libc-2.7.so
7f5573a67000-7f5573c66000 ---p 0014a000 08:02 8125 /lib/libc-2.7.so
7f5573c66000-7f5573c69000 r--p 00149000 08:02 8125 /lib/libc-2.7.so
7f5573c69000-7f5573c6b000 rw-p 0014c000 08:02 8125 /lib/libc-2.7.so
7f5573c6b000-7f5573c70000 rw-p 7f5573c6b000 00:00 0
7f5573c70000-7f5573c86000 r-xp 00000000 08:02 8092 /lib/libpthread-2.7.so
7f5573c86000-7f5573e86000 ---p 00016000 08:02 8092 /lib/libpthread-2.7.so
7f5573e86000-7f5573e88000 rw-p 00016000 08:02 8092 /lib/libpthread-2.7.so
7f5573e88000-7f5573e8c000 rw-p 7f5573e88000 00:00 0
7f5573e8c000-7f5573ea8000 r-xp 00000000 08:02 8128 /lib/ld-2.7.so
7f5574096000-7f5574098000 rw-p 7f5574096000 00:00 0
7f55740a3000-7f55740a7000 rw-p 7f55740a3000 00:00 0
7f55740a7000-7f55740a9000 rw-p 0001b000 08:02 8128 /lib/ld-2.7.so
7fff7c093000-7fff7c0a8000 rw-p 7ffffffea000 00:00 0 [stack]
7fff7c1fe000-7fff7c1ff000 r-xp 7fff7c1fe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

sshguard starts a command:
/usr/bin/tail -- -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard -a 2 -b 1:/var/cache/sshguard/blacklist &

I use a copy sshguard from svn http://sshguard.sourceforge.net/svn.html.

sshguard is compiled on Debian lenny with libc6 version 2.7.

Thanks,
--
Leonid Shulov <Leo...@en...>
Entropic Communications Israel
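Reading the glibc abort in the report above against the memory map it prints is a small mechanical exercise worth doing before reaching for gdb. The following is an added example for this thread, not sshguard code; it embeds the backtrace and a trimmed copy of the map from the message. In that map the freed pointer 0x615500 falls inside the file-backed rw-p mapping of /usr/local/sbin/sshguard (00615000-00616000), not inside [heap], so free() was handed a global or static object rather than a malloc'd one; and the sshguard frames carry no symbol names because the installed binary is stripped, which is what Mij's "compile without installing" advice addresses. The region labels (code/data/rodata/heap/stack/anonymous) are this example's own naming.

```python
"""Place the addresses in a glibc abort report on the process memory map.

Added example; not sshguard code. The backtrace and map lines are the ones
from the crash report in this thread (map trimmed to the rows that matter).
The rules are the usual reading of /proc/PID/maps: "[heap]" is malloc's
arena, a file-backed rw-p row is the executable's (or a library's) data
segment, and only heap pointers are valid arguments to free().
"""
import re

BACKTRACE_TEXT = """\
/lib/libc.so.6[0x7f5573990948]
/lib/libc.so.6(cfree+0x76)[0x7f5573992a56]
/usr/local/sbin/sshguard[0x4076d6]
/usr/local/sbin/sshguard[0x4079b7]
/usr/local/sbin/sshguard[0x405eb0]
/usr/local/sbin/sshguard[0x404586]
/usr/local/sbin/sshguard[0x404c74]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f557393b1a6]
/usr/local/sbin/sshguard[0x401ba9]
"""

MAPS_TEXT = """\
00400000-00415000 r-xp 00000000 fe:03 3153923 /usr/local/sbin/sshguard
00615000-00616000 rw-p 00015000 fe:03 3153923 /usr/local/sbin/sshguard
00616000-00618000 rw-p 00616000 00:00 0
0109c000-010c5000 rw-p 0109c000 00:00 0 [heap]
7f557391d000-7f5573a67000 r-xp 00000000 08:02 8125 /lib/libc-2.7.so
7f5573c69000-7f5573c6b000 rw-p 0014c000 08:02 8125 /lib/libc-2.7.so
7fff7c093000-7fff7c0a8000 rw-p 7ffffffea000 00:00 0 [stack]
"""

MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")
# glibc backtrace frame: object, optional "(symbol+off)", then "[0xaddr]".
FRAME_RE = re.compile(r"^(\S+?)(?:\(([^)]*)\))?\[0x([0-9a-f]+)\]$")


def parse_maps(text):
    regions = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, _dev, inode, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16), "perms": perms,
                        "offset": int(offset, 16), "inode": int(inode), "path": path})
    return regions


def find_region(addr, regions):
    return next((r for r in regions if r["start"] <= addr < r["end"]), None)


def classify(addr, regions):
    """Label an address: heap, stack, anonymous, or code/data/rodata of a mapped file."""
    r = find_region(addr, regions)
    if r is None:
        return "unmapped"
    if r["path"] in ("[heap]", "[stack]"):
        return r["path"].strip("[]")
    if r["inode"] == 0:
        return "anonymous"
    kind = "code" if "x" in r["perms"] else ("data" if "w" in r["perms"] else "rodata")
    return f"{kind}:{r['path']}"


def free_verdict(addr, regions):
    """Read a 'free(): invalid pointer' address against the map."""
    label = classify(addr, regions)
    if label == "heap":
        return "heap pointer: look for a double free or a pointer into the middle of a chunk"
    return f"not a heap pointer ({label}): free() was given memory malloc never returned"


def annotate_backtrace(text, regions):
    """Attach a region label and the offset into the mapped file to each frame.

    For a shared library whose text is mapped at file offset 0 that offset is
    what 'addr2line -e lib' expects; for a non-PIE executable (text at
    0x400000, as here) pass the address itself to addr2line instead.
    """
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        obj, sym, hexaddr = m.groups()
        addr = int(hexaddr, 16)
        r = find_region(addr, regions)
        file_off = (addr - r["start"] + r["offset"]) if r and r["inode"] else None
        frames.append({"object": obj, "symbol": sym, "addr": addr,
                       "region": classify(addr, regions), "file_offset": file_off})
    return frames


if __name__ == "__main__":
    regions = parse_maps(MAPS_TEXT)
    print("0x615500:", free_verdict(0x615500, regions))
    for f in annotate_backtrace(BACKTRACE_TEXT, regions):
        print(f"{f['addr']:#x} {f['region']} {f['symbol'] or '(stripped)'}")
```

Feed it the "Memory map" block of any glibc abort together with the "Backtrace" block; a frame labelled code:<binary> with no symbol is the cue to rebuild unstripped (or with -g) before the gdb session Mij asks for.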
From: Mij <mi...@bi...> - 2009-03-07 17:04:57
Hi Sebastian
thanks for reporting. Can you give a try to the version currently in
the SVN?
On Mar 2, 2009, at 16:24 , Sebastian Held wrote:
> further investigation shows a problem in blacklist_load():
>
> # cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/
> sbin/sshguard
> ==9364== Memcheck, a memory error detector.
> ==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et
> al.
> ==9364== Using LibVEX rev 1732, a library for dynamic binary
> translation.
> ==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
> ==9364== Using valgrind-3.2.3, a dynamic binary instrumentation
> framework.
> ==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et
> al.
> ==9364== For more details, rerun with: -v
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> ==9364== by 0x804D6D5: blacklist_lookup_address
> (sshguard_blacklist.c:199)
> ==9364== by 0x804BAD9: report_address (sshguard.c:368)
> ==9364== by 0x804C415: main (sshguard.c:240)
> ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
> ==9364== by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
> ==9364== by 0x804BC28: report_address (sshguard.c:372)
> ==9364== by 0x804C415: main (sshguard.c:240)
> ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==9364==
> ==9364== Syscall param open(filename) points to unaddressable byte(s)
> ==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
> ==9364== by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
> ==9364== by 0x804BC28: report_address (sshguard.c:372)
> ==9364== by 0x804C415: main (sshguard.c:240)
> ==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> But currently sshguard is not yet running at 100%... It's idle as it
> should.
>
>
>
>
> ---------- Forwarded message ----------
>
> Subject: sshguard using 100% CPU
> Date: Monday 02 March 2009
> From: Sebastian Held <seb...@gm...>
> To: ssh...@li...
>
> Hello,
>
> sshguard (svn rev. 74 + mod, but same issue is found in pristine rev
> 74) is started like this:
> cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w
> 192.168.90.86 -w 192.168.90.52 >&/dev/null &
>
> After a short time (around an hour) CPU utilization increases to 100%.
> A core dump is attached. There was only one sshguard process running.
>
> Stacktrace:
> # gdb /usr/local/sbin/sshguard core.23814
> GNU gdb 6.6.50.20070726-cvs
> Copyright (C) 2007 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i586-suse-linux"...
> Using host libthread_db library "/lib/libthread_db.so.1".
> Core was generated by `/usr/local/sbin/sshguard'.
> #0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> 431 for (pos = 0; pos < list_size(& hell); ) {
> (gdb) bt full
> #0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
> now = 1235994775
> tmpel = (attacker_t *) 0x8060128
> ret = 0
> pos = 0
> #1 0xb7fc9192 in ?? ()
> No symbol table info available.
> #2 0x00000000 in ?? ()
> No symbol table info available.
> (gdb) p *tmpel
> $2 = {attack = {address = {value =
> "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4},
> service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
> pardontime = 0, numhits = 4}
> (gdb)
>
>
>
> br,
> Sebastian
>
From: Sebastian H. <seb...@gm...> - 2009-03-02 15:24:37
further investigation shows a problem in blacklist_load():
# cat /var/log/sshguard.fifo | valgrind --tool=memcheck /usr/local/sbin/sshguard
==9364== Memcheck, a memory error detector.
==9364== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==9364== Using LibVEX rev 1732, a library for dynamic binary translation.
==9364== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==9364== Using valgrind-3.2.3, a dynamic binary instrumentation framework.
==9364== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==9364== For more details, rerun with: -v
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
==9364== by 0x804D6D5: blacklist_lookup_address (sshguard_blacklist.c:199)
==9364== by 0x804BAD9: report_address (sshguard.c:368)
==9364== by 0x804C415: main (sshguard.c:240)
==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364== by 0x804D6A3: blacklist_load (sshguard_blacklist.c:151)
==9364== by 0x804D78C: blacklist_add (sshguard_blacklist.c:173)
==9364== by 0x804BC28: report_address (sshguard.c:372)
==9364== by 0x804C415: main (sshguard.c:240)
==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9364==
==9364== Syscall param open(filename) points to unaddressable byte(s)
==9364== at 0x40007F2: (within /lib/ld-2.6.1.so)
==9364== by 0x804D7C7: blacklist_add (sshguard_blacklist.c:182)
==9364== by 0x804BC28: report_address (sshguard.c:372)
==9364== by 0x804C415: main (sshguard.c:240)
==9364== Address 0x0 is not stack'd, malloc'd or (recently) free'd
But currently sshguard is not yet running at 100%... It's idle as it should.
---------- Forwarded message ----------
Subject: sshguard using 100% CPU
Date: Monday 02 March 2009
From: Sebastian Held <seb...@gm...>
To: ssh...@li...
Hello,
sshguard (svn rev. 74 + mod, but same issue is found in pristine rev 74) is started like this:
cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -w 192.168.90.86 -w 192.168.90.52 >&/dev/null &
After a short time (around an hour) CPU utilization increases to 100%.
A core dump is attached. There was only one sshguard process running.
Stacktrace:
# gdb /usr/local/sbin/sshguard core.23814
GNU gdb 6.6.50.20070726-cvs
Copyright (C) 2007 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...
Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `/usr/local/sbin/sshguard'.
#0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
431 for (pos = 0; pos < list_size(& hell); ) {
(gdb) bt full
#0 0x0804b7dc in pardonBlocked (par=0x0) at sshguard.c:431
now = 1235994775
tmpel = (attacker_t *) 0x8060128
ret = 0
pos = 0
#1 0xb7fc9192 in ?? ()
No symbol table info available.
#2 0x00000000 in ?? ()
No symbol table info available.
(gdb) p *tmpel
$2 = {attack = {address = {value = "62.109.4.89\00041\000\blvps92-51-146-81 sshd[23934]: ", kind = 4}, service = 400}, whenfirst = 1235994599, whenlast = 1235994603,
pardontime = 0, numhits = 4}
(gdb)
br,
Sebastian
From: Mij <mi...@bi...> - 2009-02-18 23:28:26
Thanks for reporting. I removed the repos because the author didn't maintain it any longer. I will update the links.

Btw, if there is anybody interested in taking over, of course the RPM package is a significant plus.

On Feb 18, 2009, at 18:15 , Phusion wrote:

> I checked http://sshguard.sourceforge.net/packages/, but the RPM's weren't in there. Is there another place to find the RPMS for sshguard? Let me know.
>
> Phusion
From: Phusion <phu...@gm...> - 2009-02-18 17:15:53
I checked http://sshguard.sourceforge.net/packages/, but the RPM's weren't in there. Is there another place to find the RPMS for sshguard? Let me know.

Phusion
From: Mij <mi...@bi...> - 2009-02-17 15:22:57
I think I understood what you mean with some interpolation with the log you included. From there, it seems a bug. I gotta see if I can reproduce it: under linux on @x86 (that's what you have?) I didn't run into this problem.

If you can send the blacklist file to my address (don't pollute the list with that) I'll have a look the next days.

On Feb 15, 2009, at 2:11 PM, Leonid Shulov wrote:

> Hi,
>
> If my router is attacked with an ssh user list, I see some lines in the sshguard chain, and I am forced to delete superfluous lines every day.
> Is it a bug, or should it be so?
>
> Why doesn't sshguard find '78.135.0.30' in the sshguard chain:
> Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.
>
>
> iptables -L:
> ....
> Chain sshguard (1 references)
> target     prot opt source               destination
> DROP       all  --  221.130.187.174      anywhere
> DROP       all  --  63.138.202.103       anywhere
> DROP       all  --  78-135-0-30.extend   anywhere
> DROP       all  --  78-135-0-30.extend   anywhere
> DROP       all  --  78-135-0-30.extend   anywhere
> DROP       all  --  78-135-0-30.extend   anywhere
> ....
>
> iptables -L -n:
> ....
> Chain sshguard (1 references)
> target     prot opt source               destination
> DROP       all  --  221.130.187.174      0.0.0.0/0
> DROP       all  --  63.138.202.103       0.0.0.0/0
> DROP       all  --  78.135.0.30          0.0.0.0/0
> DROP       all  --  78.135.0.30          0.0.0.0/0
> DROP       all  --  78.135.0.30          0.0.0.0/0
> DROP       all  --  78.135.0.30          0.0.0.0/0
> ....
>
> /var/log/auth.log:
> Feb 13 06:29:19 asroute1 sshd[19796]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:19 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:20 asroute1 sshd[19798]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:21 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:22 asroute1 sshd[19800]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:22 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:25 asroute1 sshd[19802]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:25 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:25 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >420secs: 4 failures over 6 seconds.
> Feb 13 06:29:26 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:26 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:26 asroute1 sshguard[12567]: First sight of offender '78.135.0.30:4', adding to offenders list.
> Feb 13 06:29:27 asroute1 sshd[19805]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:27 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:29 asroute1 sshd[19807]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:29 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:31 asroute1 sshd[19809]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:31 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:34 asroute1 sshd[19811]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:34 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:35 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >840secs: 4 failures over 7 seconds.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:35 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 2 times.
> Feb 13 06:29:36 asroute1 sshd[19813]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:36 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:38 asroute1 sshd[19816]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:38 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:40 asroute1 sshd[19818]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:40 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:42 asroute1 sshd[19820]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:43 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:43 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >1680secs: 4 failures over 7 seconds.
> Feb 13 06:29:43 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 3 times (threshold 3) -> blacklisted.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.
> Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
> Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
> Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
> Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
> Feb 13 06:29:51 asroute1 sshguard[12567]: Not found.
> Feb 13 06:29:51 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
>
>
> --
> Leonid Shulov <Leo...@en...>
> Entropic Communications Israel
|
From: Leonid S. <Leo...@en...> - 2009-02-15 13:40:47
|
Hi,

If my router is attacked with an ssh user list, I see some lines in the sshguard chain, and I am forced to delete the superfluous lines every day. Is it a bug, or should it be so? Why doesn't sshguard find '78.135.0.30' in the sshguard chain?

Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.

iptables -L:
....
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      anywhere
DROP       all  --  63.138.202.103       anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
....

iptables -L -n:
....
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      0.0.0.0/0
DROP       all  --  63.138.202.103       0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
....

/var/log/auth.log:
Feb 13 06:29:19 asroute1 sshd[19796]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:19 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:20 asroute1 sshd[19798]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:21 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:22 asroute1 sshd[19800]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:22 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshd[19802]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:25 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >420secs: 4 failures over 6 seconds.
Feb 13 06:29:26 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:26 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:26 asroute1 sshguard[12567]: First sight of offender '78.135.0.30:4', adding to offenders list.
Feb 13 06:29:27 asroute1 sshd[19805]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:27 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:29 asroute1 sshd[19807]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:29 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:31 asroute1 sshd[19809]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:31 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:34 asroute1 sshd[19811]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:34 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:35 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >840secs: 4 failures over 7 seconds.
Feb 13 06:29:35 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:35 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:35 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 2 times.
Feb 13 06:29:36 asroute1 sshd[19813]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:36 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:38 asroute1 sshd[19816]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:38 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:40 asroute1 sshd[19818]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:40 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:42 asroute1 sshd[19820]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:43 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:43 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >1680secs: 4 failures over 7 seconds.
Feb 13 06:29:43 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:44 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:44 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 3 times (threshold 3) -> blacklisted.
Feb 13 06:29:44 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:44 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
Feb 13 06:29:51 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:44 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
Feb 13 06:29:51 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:51 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:51 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.

--
Leonid Shulov <Leo...@en...>
Entropic Communications Israel |
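The duplicate DROP rules in the listing above are what the reporter has to clean up by hand. The following is an added example, not sshguard's own code: it parses the output of `iptables -L sshguard -n`, counts identical rules and produces the `iptables -D` commands that leave one copy of each. The sample chain is constructed from the report's listing; the chain name and iptables path are assumptions matching the report.

```python
"""Collapse duplicate DROP rules in the sshguard iptables chain.

Added example, not sshguard's own code. It parses what `iptables -L sshguard -n`
prints, counts identical rules, and builds the `iptables -D` commands that leave
one copy of each. `-n` matters: without it iptables prints reverse-DNS names
(78-135-0-30.extend above) instead of the address the rule was added with.
"""
import re
import subprocess
from collections import Counter

# Constructed sample: the numeric listing from the report above.
SAMPLE_CHAIN = """\
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      0.0.0.0/0
DROP       all  --  63.138.202.103       0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
"""

RULE_RE = re.compile(r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
                     r"(?P<source>\S+)\s+(?P<destination>\S+)")


def parse_chain(listing):
    """Count rules keyed by (target, source, destination); header lines are skipped."""
    counts = Counter()
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("Chain ") or line.startswith("target "):
            continue
        m = RULE_RE.match(line)
        if m:
            counts[(m.group("target"), m.group("source"), m.group("destination"))] += 1
    return counts


def duplicate_entries(listing):
    """Rules that occur more than once, mapped to the number of surplus copies."""
    return {k: n - 1 for k, n in parse_chain(listing).items() if n > 1}


def dedupe_commands(listing, chain="sshguard", iptables="/sbin/iptables"):
    """One `iptables -D` per surplus copy.

    `-D` with a rule specification deletes the first matching rule, so
    repeating it (count - 1) times leaves exactly one rule in place.
    """
    cmds = []
    for (target, source, destination), surplus in sorted(duplicate_entries(listing).items()):
        cmd = [iptables, "-D", chain, "-s", source]
        if destination != "0.0.0.0/0":
            cmd += ["-d", destination]
        cmd += ["-j", target]
        cmds.extend([list(cmd) for _ in range(surplus)])
    return cmds


def run_dedupe(chain="sshguard", iptables="/sbin/iptables", dry_run=True):
    """Read the live chain (needs root) and print or execute the deletions."""
    listing = subprocess.run([iptables, "-L", chain, "-n"], check=True,
                             capture_output=True, text=True).stdout
    cmds = dedupe_commands(listing, chain, iptables)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    for cmd in dedupe_commands(SAMPLE_CHAIN):
        print(" ".join(cmd))
```

On iptables releases that support `-C`, the block command itself can be made idempotent by checking `iptables -C sshguard -s $SSHG_ADDR -j DROP` before the `-A`, which stops the duplicates at the source.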
|
From: Mij <mi...@bi...> - 2009-02-06 11:17:38
|
On Feb 5, 2009, at 9:11 PM, Hans F. Nordhaug wrote:

> * Forrest Aldrich <fo...@fo...> [2009-02-05]:
>> I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in.
>>
>> To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it).
>
> Well, I don't think you have to do it that strict. I would say that if an IP is getting many 404 entries (maybe with the added condition of empty referrer) in very short time, it's likely to be a scanning attack. SSHGuard by default doesn't block for very long so if it was a legitimate user hitting refresh like crazy, it wouldn't harm that much.

I'm not quite convinced, for 2 reasons:

1) Such rules appear quite "loose". I'm not sure this fits with the conservative policy used so far to avoid false positives at the cost of complexity. For example, crawlers issue a "GET /robots.txt" which often results in a 404 and lacks a referer. On webservers with plenty of vhosts a bunch of such requests within few minutes may result in an undesired blocking. A solution can be to add to such conditions sensitivity to the target filetype, and block only those involving dynamic scripts like .php, .pl etc.

2) Sshguard currently assumes that all attacks have the same "density", that is, 4 attacks to ssh are "as dangerous" as 4 to proftpd or anything else. This case breaks this assumption, as you would require many more "404"s than login failures before determining an abuse. A solution is either to define the conditions above "tight enough" to raise the density of each attack, or to wait for me to eventually implement the system based on scoring and threshold.

> I'm using mod_security, but I would like to use SSHGuard to
> 1) get the burden of Apache and
> 2) block the IP at the network level since it probably will do other unfriendly things
>
>> I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.
>
> I happen to be a programmer, but I hate reinventing the wheel so I'll wait some more time before I give it a try myself.

The yacc parser itself (src/sshguard_parser.y) is quite easy to manipulate. It contains many examples that can be used for inspiration for adding new ones. Otherwise, users can use this: http://sshguard.sourceforge.net/newattackpatt.php

michele

> Hans
>
>> Hans F. Nordhaug wrote:
>>> The last months the bots looking for vulnerable web apps on my servers have increased in number and intensity. I guess you all have entries like these in your log files:
>>>
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>>>
>>> I wonder if someone has already tried to use SSHguard to block this annoying traffic (in addition to brute force SSH attacks)? Or could someone give me a hint about how to get started on setting this up (without breaking the existing SSH blocking)?
>>>
>>> Regards,
>>> Hans |
|
From: Mij <mi...@bi...> - 2009-02-06 11:16:15
|
I'll have a look and commit, thanks. The ipfilter backend has a narrow user base, so please report again in future if you find some lack of functionality.
On Feb 5, 2009, at 6:53 AM, alia rapirap wrote:
> Hi,
>
> Thanks again for replying. ~_~
>
> I used the SVN version and I'm so happy to inform you that it
> worked! I just edited a file to make the proftpd monitoring work.
> Here are the things I did to make it work:
>
> - I edited the src/fwalls/command_ipfilter.h (since i'm using
> ipfilter).
> - I added another case statement or option for proftpd. Both for
> COMMAND_BLOCK and COMMAND_RELEASE
>
> #define COMMAND_BLOCK \
>   "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
>   "case $SSHG_SERVICE in " \
>   "100) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ " \
>        "{ print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' " \
>        "<" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
>   "310) TMP=`mktemp /tmp/ipfconf.XX` && awk '1 ; /^##sshguard-begin##$/ " \
>        "{ print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' " \
>        "<" IPFILTER_CONFFILE " > $TMP && mv $TMP " IPFILTER_CONFFILE " ;; " \
>   "*) exit 0 ;; esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> #define COMMAND_RELEASE \
>   "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
>   "case $SSHG_SERVICE in " \
>   "100) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; " \
>        "/^##sshguard-begin##$/ { copy = 0 ; next } " \
>        "!copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } " \
>        "/^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
>   "310) TMP=`mktemp /tmp/ipfconf.XX` && awk 'BEGIN { copy = 1 } copy ; " \
>        "/^##sshguard-begin##$/ { copy = 0 ; next } " \
>        "!copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } " \
>        "/^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; mv $TMP " IPFILTER_CONFFILE " ;; " \
>   "esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
>
> NOTE: I think there is an easier way to add the proftpd service
> using the scripts/sshguard_backendgen.sh script. Haven't tested that,
> but I did try to run that script before.
>
> - Save the changes I've made in the command_ipfilter.h file
> - Reconfigure sshguard
> - Make and make install clean
> - Rehash (since I'm using FreeBSD)
> - Then run sshguard manually using the tail -f ...| sshguard command
> - Tried making a failed ssh login and a failed proftpd login. Sshguard
> is now blocking both services when the maximum number of failed attempts is reached.
>
> Thanks for your help Mij! Thanks for replying to my messages. I'll
> just post again if I have a problem. But I think everything is good
> now. Thank you very much! ~_~
>
> Regards,
> Alia
>
> > Date: Tue, 3 Feb 2009 20:35:32 +0100
> > From: Mij <mi...@bi...>
> > Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> > To: ssh...@li...
> > Message-ID: <A60...@bi...>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Please try with the SVN version, see
> >
> > http://sshguard.sourceforge.net/svn.html
> >
> >
> > On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
> >
> > Hi,
> >
> > Thank you very much for replying. ~_~
> >
> > I did what you suggested me to do but I had problems while
> > reconfiguring sshguard. Here's the error:
> >
> > Making all in src
> > make all-recursive
> > Making all in fwalls
> > gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT
> > command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> > mv -f .deps/command.Tpo .deps/command.Po
> > rm -f libfwall.a
> > ar cru libfwall.a command.o
> > ranlib libfwall.a
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -
> > MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> > mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> > /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> > gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -
> MD -
> > MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o
> > attack_scanner.c
> > In file included from attack_scanner.c:2279:
> > /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> > attack_scanner.l:25: error: previous implicit declaration of
> > 'strtol' was here
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3/src.
> > *** Error code 1
> >
> > Stop in /x/x/x/sshguard-1.3.
> >
> > I think it has something to do with the data type that is being
> > passed?
> > Not sure though. Still trying to make it work.
> >
> > > Alia,
> > >
> > > please try this:
> > > 1) cd sshguard/src/ and edit attack_scanner.c
> > > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > > {HOSTADDR}" ("[^\[]+"["
> > > 3) run
> > > flex attack_scanner.l
> > > bison -vd attack_parser.y
> > >
> > > then recompile and use "sshguard -d" as you did for reporting.
> > > Please report again if that does not fix.
> > >
> > >
> > > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> > >
> > > Hello to everyone!
> > >
> > > Just started using sshguard. I've managed to configure it to
> monitor
> > > SSH brute force attack. My problem now is to monitor the FTP brute
> > > force attack. I'm using sshguard with ipfilter. I'm using proftpd
> > > for FTP.
> > >
> > > I'm 100% sure that logging is working because I used the tail -f /
> > > var/log/auth.log command to monitor if failed ftp logins are being
> > > logged.
> > >
> > > I've used the debug command to check where the problem is and I
> > > found these lines:
> > >
> > > Run command "grep -qE '^##sshguard-begin##
> > > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > > sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > > Starting parse
> > > Entering state 0
> > > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > > sample proftpd[12194]:")
> > > Next token is token SYSLOG_BANNER_PID ()
> > > Shifting token SYSLOG_BANNER_PID ()
> > > Entering state 1
> > > Reading a token: --accepting rule at line 147 (" ")
> > > --accepting rule at line 136 ("localhost")
> > > Next token is token HOSTADDR ()
> > > Error: popping token SYSLOG_BANNER_PID ()
> > > Stack now 0
> > > Cleanup: discarding lookahead token HOSTADDR ()
> > > Stack now 0
> > >
> > > I think the problem lies in the accepting rule at line 147. It
> just
> > > reads a blank character or line or a space. I've checked my
> auth.log
> > > file and found these lines:
> > >
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost
> (x.x.x.x[x.x.x.x])
> > > - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> > > [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > > Jan 29 14:30:34 sample proftpd[12194]: localhost
> (x.x.x.x[x.x.x.x])
> > > - FTP session closed.
> > >
> > > I've checked the attack_scanner.l file. I saw these lines:
> > >
> > > /* ProFTPd */
> > > ({WORD}\.)+{WORD}" ("[^\[]
> > > +"[" { BEGIN(proftpd_loginerr);
> > > return PROFTPD_LOGINERR_PREF; }
> > > <proftpd_loginerr>"]) -".*" no such user found ".+
> > > { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> > >
> > > I'm guessing it's reading the second line instead of the first
> line
> > > (in the auth.log file). Cause if it's reading the first line, it
> > > should be able to monitor the failed ftp logins or attempts right?
> > >
> > > Can someone help me about my problem on how I could fix this
> issue?
> > > I'm starting to like sshguard and this is what I really need
> because
> > > it has support for ipfilter.
> > >
> > > Thanks in advance!
> > >
> > > Regards,
> > > alia
> > >
> > >
> > >
> > >
> > >
> > >
|
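The scanner rule in the thread above failed because the original prefix `({WORD}\.)+{WORD}" ("` requires a dotted hostname, while the log line carries the bare label "localhost". The following is an added example, not sshguard's scanner: it expresses both prefixes as Python regexes and extracts the client address from a ProFTPD "no such user found" line. The sample lines are constructed, with 192.0.2.0/24 documentation addresses standing in for the x.x.x.x in the report.

```python
"""Parse ProFTPD failed-login lines with a strict and a relaxed host prefix.

Added example, not sshguard's lex scanner. STRICT mirrors the original
rule (dotted hostname required before " ("), RELAXED mirrors the suggested
{HOSTADDR} rule (any host label). Sample lines are constructed.
"""
import re

SYSLOG_PREFIX = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: "
# Original rule: ({WORD}\.)+{WORD}" (" demands at least one dot in the host label.
STRICT_PREFIX = SYSLOG_PREFIX + r"(?P<host>(?:[\w-]+\.)+[\w-]+) \("
# Suggested rule: {HOSTADDR}" (" accepts any hostname or address, "localhost" included.
RELAXED_PREFIX = SYSLOG_PREFIX + r"(?P<host>[\w.-]+) \("
# Rest of the line: "(client[addr]) - USER name: no such user found ...".
BODY = r"(?P<client>[^\[]+)\[(?P<addr>[^\]]+)\]\) - USER (?P<user>\S+): no such user found .*"

STRICT_RE = re.compile(STRICT_PREFIX + BODY)
RELAXED_RE = re.compile(RELAXED_PREFIX + BODY)


def parse_proftpd_loginerr(line, strict=False):
    """Return (host, client_addr, user) for a failed-login line, else None.

    The address worth blocking is the one in the brackets of "client[addr]",
    which is what the lex prefix rule captures before handing over to the
    suffix rule.
    """
    m = (STRICT_RE if strict else RELAXED_RE).match(line)
    if m is None:
        return None
    return m.group("host"), m.group("addr"), m.group("user")


# Constructed samples: the shape from the report (bare label "localhost") and
# the shape the original pattern was written for (dotted server hostname).
LOCALHOST_LINE = ("Jan 29 14:30:34 sample proftpd[12194]: localhost (192.0.2.10[192.0.2.10])"
                  " - USER jkhfjkasdhfjd: no such user found from 192.0.2.10 [192.0.2.10] to 192.0.2.1:21")
DOTTED_LINE = ("Jan 29 14:30:34 sample proftpd[12194]: ftp.example.org (192.0.2.10[192.0.2.10])"
               " - USER admin: no such user found from 192.0.2.10 [192.0.2.10] to 192.0.2.1:21")
SESSION_CLOSED = ("Jan 29 14:30:34 sample proftpd[12194]: localhost (192.0.2.10[192.0.2.10])"
                  " - FTP session closed.")
```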
|
From: Hans F. N. <Han...@hi...> - 2009-02-05 20:11:33
|
* Forrest Aldrich <fo...@fo...> [2009-02-05]:
> I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in.
>
> To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it).

Well, I don't think you have to do it that strict. I would say that if an IP is getting many 404 entries (maybe with the added condition of empty referrer) in very short time, it's likely to be a scanning attack. SSHGuard by default doesn't block for very long so if it was a legitimate user hitting refresh like crazy, it wouldn't harm that much.

I'm using mod_security, but I would like to use SSHGuard to
1) get the burden of Apache and
2) block the IP at the network level since it probably will do other unfriendly things

> I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.

I happen to be a programmer, but I hate reinventing the wheel so I'll wait some more time before I give it a try myself.

Hans

> Hans F. Nordhaug wrote:
> > The last months the bots looking for vulnerable web apps on my servers have increased in number and intensity. I guess you all have entries like these in your log files:
> >
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
> >
> > I wonder if someone has already tried to use SSHguard to block this annoying traffic (in addition to brute force SSH attacks)? Or could someone give me a hint about how to get started on setting this up (without breaking the existing SSH blocking)?
> >
> > Regards,
> > Hans |
|
From: Forrest A. <fo...@fo...> - 2009-02-05 19:05:29
|
I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in. To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it). I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.

_F

Hans F. Nordhaug wrote:
> The last months the bots looking for vulnerable web apps on my servers
> have increased in number and intensity. I guess you all have entries
> like these in your log files:
>
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>
> I wonder if someone has already tried to use SSHguard to
> block this annoying traffic (in addition to brute force SSH attacks)?
> Or could someone give me a hint about how to get started on
> setting this up (without breaking the existing SSH blocking)?
>
> Regards,
> Hans
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
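An added example of the "pattern search" idea from the reply above, written for this page and not taken from sshguard or from either poster: a POSIX sh/awk filter that reads Apache access-log lines of the kind Hans quoted and reports a client once it has collected a threshold of 404s on admin-panel paths within a time window. The path list, the 5-in-60-seconds numbers and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the sshguard project or the list posts): flag
# clients that probe for admin panels and collect 404s, the pattern in
# Hans's access.log excerpt. Reads Apache common/combined log lines on
# stdin and prints "IP count" once per client that reaches THRESHOLD
# probe 404s within WINDOW seconds. Thresholds and the path list are
# assumptions for illustration.

# probe_offenders THRESHOLD WINDOW < access.log
probe_offenders() {
    awk -v threshold="$1" -v window="$2" '
    BEGIN {
        # Month name -> number, for the timestamp arithmetic below.
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        # Request paths a scanner tries; a real deployment would extend this.
        probe = "^/(phpmyadmin[^/]*|phpMyAdmin[^/]*|PMA|admin|dbadmin|mysql|myadmin|php-my-admin)/"
    }
    # Rough seconds since a fixed origin (no leap handling): enough to
    # compare two timestamps that are minutes apart, not a real epoch.
    function to_secs(ts,    a) {
        split(ts, a, "[/:]")                 # 02/Feb/2009:10:33:12
        return ((a[3] * 366 + mon[a[2]] * 31 + a[1]) * 86400) + a[4] * 3600 + a[5] * 60 + a[6]
    }
    {
        ip = $1
        ts = substr($4, 2)                   # strip the leading "["
        path = $7                            # "GET /path HTTP/1.0" -> $7 is the path
        status = $9
        if (status != "404" || path !~ probe) next
        t = to_secs(ts)
        # Open a new counting window on the first hit or after the old one expired.
        if (!(ip in first) || t - first[ip] > window) { first[ip] = t; count[ip] = 0 }
        count[ip]++
        # Report exactly once, when the threshold is crossed.
        if (count[ip] == threshold) print ip, count[ip]
    }'
}

# Constructed sample: one scanner plus an ordinary visitor with a 404 of its own.
SAMPLE_LOG='74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
10.0.0.5 - - [02/Feb/2009:10:33:13 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla"
10.0.0.5 - - [02/Feb/2009:10:33:14 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"'

# Run the constructed sample: prints "74.63.252.86 5" (the fifth probe).
printf '%s\n' "$SAMPLE_LOG" | probe_offenders 5 60
```

Feed the output to whatever does the blocking (an address is all a sshguard-style backend needs), and keep a whitelist for proxies and NATed offices in front of it, because a shared egress address fails the same test. The window starts at the first probe rather than sliding, which is closer to how sshguard's own stale timer forgets an attacker than to a true rate limit.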
|
From: Hans F. N. <Han...@hi...> - 2009-02-05 18:46:02
|
The last months the bots looking for vulnerable web apps on my servers
have increased in number and intensity. I guess you all have entries
like these in your log files:

74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"

I wonder if someone has already tried to use SSHguard to
block this annoying traffic (in addition to brute force SSH attacks)?
Or could someone give me a hint about how to get started on
setting this up (without breaking the existing SSH blocking)?

Regards,
Hans
|
From: alia r. <ali...@gm...> - 2009-02-05 05:53:41
|
Hi,
Thanks again for replying. ~_~
I used the SVN version and I'm so happy to inform you that it worked! I just
edited a file to make the proftpd monitoring work. Here are the things I did
to make it work:
- I edited the src/fwalls/command_ipfilter.h (since I'm using ipfilter).
- I added another case statement or option for proftpd. Both for
COMMAND_BLOCK and COMMAND_RELEASE
#define COMMAND_BLOCK \
    "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
    "case $SSHG_SERVICE in " \
    "100) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 22\" }' <" IPFILTER_CONFFILE " > $TMP && " \
         "mv $TMP " IPFILTER_CONFFILE " ;; " \
    "310) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk '1 ; /^##sshguard-begin##$/ { print \"block in quick proto tcp from '\"$SSHG_ADDR\"' to any port = 21\" }' <" IPFILTER_CONFFILE " > $TMP && " \
         "mv $TMP " IPFILTER_CONFFILE " ;; " \
    "*) exit 0 ;; " \
    "esac && " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE

#define COMMAND_RELEASE \
    "if test $SSHG_ADDRKIND != 4; then exit 1 ; fi ; " \
    "case $SSHG_SERVICE in " \
    "100) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*22/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; " \
         "mv $TMP " IPFILTER_CONFFILE " ;; " \
    "310) TMP=`mktemp /tmp/ipfconf.XX` && " \
         "awk 'BEGIN { copy = 1 } copy ; /^##sshguard-begin##$/ { copy = 0 ; next } !copy { if ($0 !~ /'\"$SSHG_ADDR\"'.*21/) print $0 } /^##sshguard-end##$/ { copy = 1 }' <" IPFILTER_CONFFILE " >$TMP ; " \
         "mv $TMP " IPFILTER_CONFFILE " ;; " \
    "esac ; " IPFPATH "/ipf -Fa && " IPFPATH "/ipf -f " IPFILTER_CONFFILE
NOTE: I think there is an easier way to add the proftpd service using the
scripts/sshguard_backendgen.sh script. Haven't tested that but I did try
to run that script before.
- Save the changes I've made in the command_ipfilter.h file
- Reconfigure sshguard
- Make and make install clean
- Rehash (since I'm using FreeBSD)
- Then run sshguard manually using the tail -f ...| sshguard command
- Tried making a failed ssh login and failed proftpd login. Sshguard is now
blocking both services when maximum failed attempts is reached.
Thanks for your help Mij! Thanks for replying to my messages. I'll just post
again if I have a problem. But I think everything is good now. Thank you
very much! ~_~
Regards,
Alia
> Date: Tue, 3 Feb 2009 20:35:32 +0100
> From: Mij <mi...@bi...>
> Subject: Re: [Sshguard-users] Proftpd and ipfilter blocking failures
> To: ssh...@li...
> Message-ID: <A60...@bi...>
> Content-Type: text/plain; charset="us-ascii"
>
> Please try with the SVN version, see
>
> http://sshguard.sourceforge.net/svn.html
>
>
> On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:
>
> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT
> command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -
> MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -
> MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o
> attack_scanner.c
> In file included from attack_scanner.c:2279:
> /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> attack_scanner.l:25: error: previous implicit declaration of
> 'strtol' was here
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3.
>
> I think it has something to do with the data type that is being
> passed?
> Not sure though. Still trying to make it work.
>
> > Alia,
> >
> > please try this:
> > 1) cd sshguard/src/ and edit attack_scanner.c
> > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > {HOSTADDR}" ("[^\[]+"["
> > 3) run
> > flex attack_scanner.l
> > bison -vd attack_parser.y
> >
> > then recompile and use "sshguard -d" as you did for reporting.
> > Please report again if that does not fix.
> >
> >
> > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> >
> > Hello to everyone!
> >
> > Just started using sshguard. I've managed to configure it to monitor
> > SSH brute force attack. My problem now is to monitor the FTP brute
> > force attack. I'm using sshguard with ipfilter. I'm using proftpd
> > for FTP.
> >
> > I'm 100% sure that logging is working because I used the tail -f /
> > var/log/auth.log command to monitor if failed ftp logins are being
> > logged.
> >
> > I've used the debug command to check where the problem is and I
> > found these lines:
> >
> > Run command "grep -qE '^##sshguard-begin##
> > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> > sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> >
> > I think the problem lies in the accepting rule at line 147. It just
> > reads a blank character or line or a space. I've checked my auth.log
> > file and found these lines:
> >
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> > - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> > [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> > - FTP session closed.
> >
> > I've checked the attack_scanner.l file. I saw these lines:
> >
> > /* ProFTPd */
> > ({WORD}\.)+{WORD}" ("[^\[]
> > +"[" { BEGIN(proftpd_loginerr);
> > return PROFTPD_LOGINERR_PREF; }
> > <proftpd_loginerr>"]) -".*" no such user found ".+
> > { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> >
> > I'm guessing it's reading the second line instead of the first line
> > (in the auth.log file). Cause if it's reading the first line, it
> > should be able to monitor the failed ftp logins or attempts right?
> >
> > Can someone help me about my problem on how I could fix this issue?
> > I'm starting to like sshguard and this is what I really need because
> > it has support for ipfilter.
> >
> > Thanks in advance!
> >
> > Regards,
> > alia
> >
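The edit that the two COMMAND_BLOCK/COMMAND_RELEASE macros above perform, written out as plain shell functions. This is an added example, not code from sshguard or from Alia: the rules file is rewritten through awk into a temporary file, a `block in quick` line is placed right after the `##sshguard-begin##` marker on block, and on release only lines inside the marked region are removed. The variable names SSHG_ADDR, SSHG_ADDRKIND and SSHG_SERVICE and the 100/310 service codes are the ones visible in the post; the config path, the `ipf_reload` hook and the `sshg_ipf` entry point are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not sshguard's own backend: the marked-region edit that
# the ipfilter COMMAND_BLOCK/COMMAND_RELEASE macros perform, as functions
# that can be read and tested on their own. sshguard 1.x hands the backend
# the offender in SSHG_ADDR, the address family in SSHG_ADDRKIND (4 or 6)
# and the service code in SSHG_SERVICE; the 100 -> ssh/22 and 310 ->
# proftpd/21 mapping is the one used in the post. The config path and the
# reload hook are assumptions for illustration.

IPF_CONF="${IPF_CONF:-/etc/ipf.rules}"

# Map an sshguard service code to the TCP port it protects; unknown -> empty.
service_port() {
    case "$1" in
        100) echo 22 ;;
        310) echo 21 ;;
        *)   echo "" ;;
    esac
}

# Reload hook: the real backend runs "ipf -Fa && ipf -f $IPF_CONF" here.
# Left as a no-op so the functions can be exercised without ipfilter.
ipf_reload() {
    :
}

# Rewrite FILE through awk into a temp file, then move it into place, so the
# rule set is never observed half-written when ipf re-reads it.
rewrite_conf() {
    file="$1"; shift
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfconf.XXXXXX") || return 1
    awk "$@" < "$file" > "$tmp" && mv "$tmp" "$file"
}

# ipf_block ADDR SERVICE: add a quick block rule right after the begin marker.
ipf_block() {
    addr="$1"; port=$(service_port "$2")
    [ -n "$port" ] || return 0            # service not handled by this backend
    rule="block in quick proto tcp from $addr to any port = $port"
    rewrite_conf "$IPF_CONF" -v rule="$rule" '
        1                                   # copy every line
        /^##sshguard-begin##$/ { print rule } # and add the rule after the marker
    ' && ipf_reload
}

# ipf_release ADDR SERVICE: drop that address/port rule, but only inside the
# marked region, so hand-written rules elsewhere are never touched.
ipf_release() {
    addr="$1"; port=$(service_port "$2")
    [ -n "$port" ] || return 0
    rule="block in quick proto tcp from $addr to any port = $port"
    rewrite_conf "$IPF_CONF" -v rule="$rule" '
        /^##sshguard-begin##$/ { inside = 1; print; next }
        /^##sshguard-end##$/   { inside = 0 }
        inside && $0 == rule   { next }     # whole-line match, not a regex on the address
        { print }
    ' && ipf_reload
}

# Entry point in the shape sshguard calls a backend: block|release, rest from env.
sshg_ipf() {
    [ "${SSHG_ADDRKIND:-4}" = 4 ] || return 1   # the rules written here are IPv4 only
    case "$1" in
        block)   ipf_block   "$SSHG_ADDR" "$SSHG_SERVICE" ;;
        release) ipf_release "$SSHG_ADDR" "$SSHG_SERVICE" ;;
        *)       return 2 ;;
    esac
}

# When run as a script: SSHG_ADDR=... SSHG_SERVICE=100 ./this.sh block
if [ $# -gt 0 ]; then sshg_ipf "$@"; fi
```

One deliberate difference from the posted awk: the release step compares the whole line against the rule the block step would have written instead of matching `/ADDR.*22/`. In that pattern the dots of the address are regex wildcards and `.*22` matches anywhere after it, so a release for 1.2.3.4 would also drop a rule for 1.2.3.45, and a port 2222 rule would match a port 22 release. An exact comparison keeps the release to the one rule that was inserted.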
|
|
From: Mij <mi...@bi...> - 2009-02-05 00:11:11
|
see http://sshguard.sourceforge.net/doc/setup/blockingiptables.html

On Feb 3, 2009, at 21:16 , Giurrero Giurrero wrote:

> From: mi...@bi...
> To: ssh...@li...
> Date: Tue, 3 Feb 2009 20:39:08 +0100
> Subject: Re: [Sshguard-users] problem with first configuration - linux syslog-ng
>
> On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote:
>
> Dear experts,
> I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng
> support following the standard instruction: http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html
>
> When I restart the syslog:
>
> killall -HUP syslog-ng
>
> I can't find any sshguard process:
>
> ps ax | grep sshguard
>
> after the killall in my /var/logs/messages I've:
>
> Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
> Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.
>
> AFAIR syslog-ng uses a lazy execution, where services for target X
> are started only when the first log entry arrives for X. That is,
> check with ps only after having produced some suitable log msgs.
>
> If I try to log in in my system with ssh using a name that doesn't
> exist I find in my /var/logs/messages:
>
> Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
> Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
>
> any message in some other log file that explains why that broken
> pipe? Syslog-ng can't start sshguard successfully, did you double
> check the path sshguard is at in your system, when copy-pasting from
> the documentation?
>
> the paths are all ok. As root I can do: sshguard, iptables, ... but if
> I do: /usr/sbin/iptables -F ssh, I got:
>
> iptables: No chain/target/match by that name
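A pre-flight check for the failure in this thread, added here as an example and not taken from the sshguard documentation the reply points to. The `exited 1` line in the log is `iptables -F sshguard` failing because the chain was never created, and once sshguard has exited nothing reads the pipe behind syslog-ng's program() destination, which is what the `Broken pipe (32)` errors are. The function below creates the chain if it is missing and makes sure INPUT jumps to it; the iptables command name is a parameter so the logic can be run against a stand-in without root. The paths and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the sshguard docs: verify, before syslog-ng
# starts sshguard, that the "sshguard" chain exists and is hooked into
# INPUT. sshguard 1.3 runs "iptables -F sshguard" on exit and that fails
# (exit 1) when the chain is missing. The command name is a parameter so
# the check can be exercised with a stand-in instead of real netfilter.

# ensure_chain IPTABLES_CMD CHAIN: create CHAIN if absent and make sure
# INPUT jumps to it. Prints what it did; returns non-zero on failure.
ensure_chain() {
    ipt="$1"; chain="$2"; did=""
    # "-n -L CHAIN" exits non-zero when the chain does not exist
    # ("No chain/target/match by that name", as seen in the thread).
    if ! "$ipt" -n -L "$chain" >/dev/null 2>&1; then
        "$ipt" -N "$chain" || return 1
        did="created"
    else
        did="present"
    fi
    # The chain is useless unless INPUT jumps to it. Look for the target in
    # the INPUT listing rather than using "-C", which older iptables lack.
    if ! "$ipt" -n -L INPUT 2>/dev/null | grep -q "^$chain "; then
        "$ipt" -I INPUT -j "$chain" || return 1
        did="$did,hooked"
    else
        did="$did,already-hooked"
    fi
    echo "$did"
}

# check_stack: run the check for IPv4 and, if ip6tables is installed, for
# IPv6 too; sshguard reaches for ip6tables when the logged address is IPv6.
check_stack() {
    ensure_chain "${IPTABLES:-/usr/sbin/iptables}" sshguard || return 1
    if command -v "${IP6TABLES:-/usr/sbin/ip6tables}" >/dev/null 2>&1; then
        ensure_chain "${IP6TABLES:-/usr/sbin/ip6tables}" sshguard || return 1
    fi
}

# Only touch the real firewall when asked explicitly: ./this.sh run
if [ "$1" = "run" ]; then check_stack; fi
```

Run it from the same boot sequence that starts syslog-ng, before the first authentication failure makes syslog-ng spawn sshguard, then provoke a bad login as in the thread and confirm with `iptables -n -L INPUT` that `sshguard` is listed as a target and with `ps` that the process stays up.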
|
From: Giurrero G. <giu...@ho...> - 2009-02-03 20:16:49
|
> From: mi...@bi...
> To: ssh...@li...
> Date: Tue, 3 Feb 2009 20:39:08 +0100
> Subject: Re: [Sshguard-users] problem with first configuration - linux syslog-ng
>
> On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote:
>
> Dear experts,
> I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng
> support following the standard instruction: http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html
>
> When I restart the syslog:
>
> killall -HUP syslog-ng
>
> I can't find any sshguard process:
>
> ps ax | grep sshguard
>
> after the killall in my /var/logs/messages I've:
>
> Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
> Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.
>
> AFAIR syslog-ng uses a lazy execution, where services for target X
> are started only when the first log entry arrives for X. That is,
> check with ps only after having produced some suitable log msgs.
>
> If I try to log in in my system with ssh using a name that doesn't
> exist I find in my /var/logs/messages:
>
> Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
> Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
>
> any message in some other log file that explains why that broken
> pipe? Syslog-ng can't start sshguard successfully, did you double
> check the path sshguard is at in your system, when copy-pasting from
> the documentation?

the paths are all ok. As root I can do: sshguard, iptables, ... but if
I do: /usr/sbin/iptables -F ssh, I got:

iptables: No chain/target/match by that name
|
From: Mij <mi...@bi...> - 2009-02-03 19:39:13
|
On Feb 3, 2009, at 2:25 PM, Giurrero Giurrero wrote:

> Dear experts,
> I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng
> support following the standard instruction: http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html
>
> When I restart the syslog:
>
> killall -HUP syslog-ng
>
> I can't find any sshguard process:
>
> ps ax | grep sshguard
>
>
> after the killall in my /var/logs/messages I've:
>
> Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
> Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.

AFAIR syslog-ng uses a lazy execution, where services for target X
are started only when the first log entry arrives for X. That is,
check with ps only after having produced some suitable log msgs.

> If I try to log in in my system with ssh using a name that doesn't
> exist I find in my /var/logs/messages:
>
> Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
> Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
> Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
> Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
> Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2

any message in some other log file that explains why that broken pipe?
Syslog-ng can't start sshguard successfully, did you double check the path
sshguard is at in your system, when copy-pasting from the documentation?
|
From: Mij <mi...@bi...> - 2009-02-03 19:35:39
|
Please try with the SVN version, see

http://sshguard.sourceforge.net/svn.html


On Feb 3, 2009, at 7:30 AM, alia rapirap wrote:

> Hi,
>
> Thank you very much for replying. ~_~
>
> I did what you suggested me to do but I had problems while
> reconfiguring sshguard. Here's the error:
>
> Making all in src
> make all-recursive
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> mv -f .deps/command.Tpo .deps/command.Po
> rm -f libfwall.a
> ar cru libfwall.a command.o
> ranlib libfwall.a
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
> /bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
> gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF .deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
> In file included from attack_scanner.c:2279:
> /usr/include/stdlib.h:109: error: conflicting types for 'strtol'
> attack_scanner.l:25: error: previous implicit declaration of 'strtol' was here
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3/src.
> *** Error code 1
>
> Stop in /x/x/x/sshguard-1.3.
>
> I think it has something to do with the data type that is being passed?
> Not sure though. Still trying to make it work.
>
> > Alia,
> >
> > please try this:
> > 1) cd sshguard/src/ and edit attack_scanner.c
> > 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> > {HOSTADDR}" ("[^\[]+"["
> > 3) run
> > flex attack_scanner.l
> > bison -vd attack_parser.y
> >
> > then recompile and use "sshguard -d" as you did for reporting.
> > Please report again if that does not fix.
> >
> >
> > On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> >
> > Hello to everyone!
> >
> > Just started using sshguard. I've managed to configure it to monitor
> > SSH brute force attack. My problem now is to monitor the FTP brute
> > force attack. I'm using sshguard with ipfilter. I'm using proftpd
> > for FTP.
> >
> > I'm 100% sure that logging is working because I used the tail -f /var/log/auth.log
> > command to monitor if failed ftp logins are being logged.
> >
> > I've used the debug command to check where the problem is and I
> > found these lines:
> >
> > Run command "grep -qE '^##sshguard-begin##
> > ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> > Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> > Starting parse
> > Entering state 0
> > Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample proftpd[12194]:")
> > Next token is token SYSLOG_BANNER_PID ()
> > Shifting token SYSLOG_BANNER_PID ()
> > Entering state 1
> > Reading a token: --accepting rule at line 147 (" ")
> > --accepting rule at line 136 ("localhost")
> > Next token is token HOSTADDR ()
> > Error: popping token SYSLOG_BANNER_PID ()
> > Stack now 0
> > Cleanup: discarding lookahead token HOSTADDR ()
> > Stack now 0
> >
> > I think the problem lies in the accepting rule at line 147. It just
> > reads a blank character or line or a space. I've checked my auth.log
> > file and found these lines:
> >
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> > Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP session closed.
> >
> > I've checked the attack_scanner.l file. I saw these lines:
> >
> > /* ProFTPd */
> > ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
> > <proftpd_loginerr>"]) -".*" no such user found ".+ { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
> >
> > I'm guessing it's reading the second line instead of the first line
> > (in the auth.log file). Cause if it's reading the first line, it
> > should be able to monitor the failed ftp logins or attempts right?
> >
> > Can someone help me about my problem on how I could fix this issue?
> > I'm starting to like sshguard and this is what I really need because
> > it has support for ipfilter.
> >
> > Thanks in advance!
> >
> > Regards,
> > alia
|
From: Giurrero G. <giu...@ho...> - 2009-02-03 13:25:37
|
Dear experts,
I've installed sshguard 1.3 on my SuSE Linux 11.0 with syslog-ng
support following the standard instruction: http://sshguard.sourceforge.net/doc/setup/loggingsyslog-ng.html

When I restart the syslog:

killall -HUP syslog-ng

I can't find any sshguard process:

ps ax | grep sshguard

after the killall in my /var/logs/messages I've:

Feb 3 13:53:21 sole sshguard[26718]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Feb 3 13:53:23 sole sshguard[26718]: Got exit signal, flushing blocked addresses and exiting...
Feb 3 13:53:23 sole sshguard[26718]: Run command "/usr/sbin/iptables -F sshguard ; /usr/sbin/ip6tables -F sshguard": exited 1.

If I try to log in in my system with ssh using a name that doesn't
exist I find in my /var/logs/messages:

Feb 3 14:20:55 sole sshd[18050]: Invalid user xyz from 192.168.0.1
Feb 3 14:20:55 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:56 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:56 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
Feb 3 14:20:56 sole syslog-ng[2029]: I/O error occurred while writing; fd='14', error='Broken pipe (32)'
Feb 3 14:20:57 sole sshd[18050]: error: PAM: User not known to the underlying authentication module for illegal user xyz from 192.168.0.1
Feb 3 14:20:57 sole sshd[18050]: Failed keyboard-interactive/pam for invalid user xyz from 192.168.0.1 port 56372 ssh2
|
From: Greg P. <gre...@hc...> - 2009-02-03 12:56:46
|
Mij wrote:
> Hello Greg,
>
> On Jan 20, 2009, at 15:34 , Greg Parrish wrote:
>
>> I am having two issues with the 1.3 release as seen in the logs below.
>> This is on a Centos4 host using the auth.log method piped to sshguard
>> and not the syslog method.
>>
>> 1. Here the logs all have ffff in them and I am not sure why this is but
>> it seems normal from some other posts out there but it fails to block. I
>> have this running on a Centos3 host and it is working fine but there is
>> no ffff in the log entries which I assume is causing the failure.
>>
>> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1

Hi Mij,

> do you have the system utility ip6tables ?

No this package is not installed.

> This is what sshguard needs to block IPv6 addresses.

Ok, good to know and that makes sense.

>> 2. The above is an internal host so I am not concerned about him other
>> than the blocking is failing. From testing on an outside host it just
>> registers the failed login but never even reports a block attempt
>> thereafter I failed the login many times. Here are my params.
>>
>> 2 failures, in 30 minutes, block them for a month.
>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800
>
> 1) Do you have debug-level entries for when you tried this?

No I don't.

> 2) what kind of log messages do you expect to cause blocking? Did
> you try to inject them manually in "sshguard -d" and see if it detects
> them?

I expect it to stop normal brute attacks that I have tested on other hosts. I did not try and inject them.

> 3) "-p 25920000" : this is dangerous, use with care. If you want
> blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box

Sounds good and thanks. I am okay with this as ssh is limited to just a few users. I don't want the bad guys banging on our hosts more than once a week.

I was able to resolve this by disabling IPv6 in modules.conf and restarting the host so there are no IPv6 addresses on the interfaces and thus not in the logs.

-greg

>>
>> Thanks,
>> greg
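The `::ffff:192.168.122.234` form in Greg's log is an IPv4-mapped IPv6 address: sshd bound to a dual-stack socket reports IPv4 clients that way, and the thread shows sshguard 1.3 handing `::ffff:192` to a blocker that needs ip6tables. Disabling IPv6 host-wide, as Greg did, is one fix; the added example below (not sshguard code, not Greg's) is another for the `tail -f auth.log | sshguard` method he uses: a filter that strips the prefix so the address reaching sshguard is the plain dotted quad its IPv4 backend can block. The sample lines are constructed after the excerpt above.

```shell
#!/bin/sh
# Added example (not sshguard code): rewrite IPv4-mapped IPv6 addresses
# ("::ffff:a.b.c.d") to plain IPv4 in a log stream before it reaches
# sshguard, for the pipe method used above:
#   tail -F /var/log/auth.log | unmap_v4 | sshguard -a 2 -s 1800
# Only a complete dotted quad is rewritten; a real IPv6 address, or the
# bare "::ffff:192" fragment seen in the thread, passes through untouched.

# unmap_v4: filter stdin to stdout.
unmap_v4() {
    # First substitution handles an address at end of line, the second one
    # followed by any non-address character (space, colon, bracket...).
    sed -E -e 's/::[fF]{4}:(([0-9]{1,3}\.){3}[0-9]{1,3})$/\1/' \
           -e 's/::[fF]{4}:(([0-9]{1,3}\.){3}[0-9]{1,3})([^0-9.])/\1\3/g'
}

# feed_sshguard LOGFILE [sshguard options...]: the wrapper for the pipe
# method; not run here, shown for the shape of the deployment.
feed_sshguard() {
    log="$1"; shift
    tail -F "$log" | unmap_v4 | sshguard "$@"
}

# Constructed sample modelled on the excerpt: two mapped addresses, one
# genuine IPv6 peer, and the truncated fragment sshguard 1.3 printed.
SAMPLE_LINES='Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
Jan 20 09:26:18 arnold sshd[9300]: Failed password for invalid user test from ::ffff:10.1.2.3 port 40000 ssh2
Jan 20 09:26:19 arnold sshd[9301]: Failed password for root from 2001:db8::1 port 40001 ssh2
Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.'

# Run the sample through the filter when executed directly.
printf '%s\n' "$SAMPLE_LINES" | unmap_v4
```

If the box never needs IPv6 SSH at all, `AddressFamily inet` in sshd_config makes sshd listen on IPv4 only and it stops logging mapped addresses, which removes the problem without switching IPv6 off for the whole host; that is an OpenSSH setting, not something the thread mentions.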
|
From: alia r. <ali...@gm...> - 2009-02-03 06:30:42
|
Hi,
Thank you very much for replying. ~_~
I did what you suggested me to do but I had problems while reconfiguring
sshguard. Here's the error:
Making all in src
make all-recursive
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src -I. -I.. -O2 -g -O2 -MT command.o
-MD -MP -MF .deps/command.Tpo -c -o command.o command.c
mv -f .deps/command.Tpo .deps/command.Po
rm -f libfwall.a
ar cru libfwall.a command.o
ranlib libfwall.a
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_parser.o -MD -MP -MF
.deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
mv -f .deps/attack_parser.Tpo .deps/attack_parser.Po
/bin/sh ../ylwrap attack_scanner.l lex.yy.c attack_scanner.c -- flex
gcc -DHAVE_CONFIG_H -I. -I. -O2 -g -O2 -MT attack_scanner.o -MD -MP -MF
.deps/attack_scanner.Tpo -c -o attack_scanner.o attack_scanner.c
In file included from attack_scanner.c:2279:
/usr/include/stdlib.h:109: error: conflicting types for 'strtol'
attack_scanner.l:25: error: previous implicit declaration of 'strtol' was
here
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3/src.
*** Error code 1
Stop in /x/x/x/sshguard-1.3.
I think it has something to do with the data type that is being passed?
Not sure though. Still trying to make it work.
> Alia,
>
> please try this:
> 1) cd sshguard/src/ and edit attack_scanner.c
> 2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
> {HOSTADDR}" ("[^\[]+"["
> 3) run
> flex attack_scanner.l
> bison -vd attack_parser.y
>
> then recompile and use "sshguard -d" as you did for reporting.
> Please report again if that does not fix.
>
>
> On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
>
> Hello to everyone!
>
> Just started using sshguard. I've managed to configure it to monitor
> SSH brute force attack. My problem now is to monitor the FTP brute
> force attack. I'm using sshguard with ipfilter. I'm using proftpd
> for FTP.
>
> I'm 100% sure that logging is working because I used the
> tail -f /var/log/auth.log command to monitor if failed ftp logins are
> being logged.
>
> I've used the debug command to check where the problem is and I
> found these lines:
>
> Run command "grep -qE '^##sshguard-begin##
> ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
>
> I think the problem lies in the accepting rule at line 147. It just
> reads a blank character or line or a space. I've checked my auth.log
> file and found these lines:
>
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - FTP session closed.
>
> I've checked the attack_scanner.l file. I saw these lines:
>
> /* ProFTPd */
> ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr);
> return PROFTPD_LOGINERR_PREF; }
> <proftpd_loginerr>"]) -".*" no such user found ".+
> { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
>
> I'm guessing it's reading the second line instead of the first line
> (in the auth.log file). Cause if it's reading the first line, it
> should be able to monitor the failed ftp logins or attempts right?
>
> Can someone help me about my problem on how I could fix this issue?
> I'm starting to like sshguard and this is what I really need because
> it has support for ipfilter.
>
> Thanks in advance!
>
> Regards,
> alia
>
From: Mij <mi...@bi...> - 2009-02-02 12:12:54
Alia,
please try this:
1) cd sshguard/src/ and edit attack_scanner.c
2) change line "({WORD}\.)+{WORD}" ("[^\[]+"["" (for proftpd) to
{HOSTADDR}" ("[^\[]+"["
3) run
flex attack_scanner.l
bison -vd attack_parser.y
then recompile and use "sshguard -d" as you did for reporting.
Please report again if that does not fix.
On Jan 30, 2009, at 7:37 AM, alia rapirap wrote:
> Hello to everyone!
>
> Just started using sshguard. I've managed to configure it to monitor
> SSH brute force attack. My problem now is to monitor the FTP brute
> force attack. I'm using sshguard with ipfilter. I'm using proftpd
> for FTP.
>
> I'm 100% sure that logging is working because I used the
> tail -f /var/log/auth.log command to monitor if failed ftp logins are
> being logged.
>
> I've used the debug command to check where the problem is and I
> found these lines:
>
> Run command "grep -qE '^##sshguard-begin##
> ##sshguard-end##$' < /etc/ipf.rules": exited 0.
> Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34
> sample proftpd[12194]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 147 (" ")
> --accepting rule at line 136 ("localhost")
> Next token is token HOSTADDR ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token HOSTADDR ()
> Stack now 0
>
> I think the problem lies in the accepting rule at line 147. It just
> reads a blank character or line or a space. I've checked my auth.log
> file and found these lines:
>
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - USER jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx
> [xx.xx.xx.xxx] to xx.xx.xx.xxx:21
> Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x])
> - FTP session closed.
>
> I've checked the attack_scanner.l file. I saw these lines:
>
> /* ProFTPd */
> ({WORD}\.)+{WORD}" ("[^\[]+"[" { BEGIN(proftpd_loginerr);
> return PROFTPD_LOGINERR_PREF; }
> <proftpd_loginerr>"]) -".*" no such user found ".+
> { BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
>
> I'm guessing it's reading the second line instead of the first line
> (in the auth.log file). Cause if it's reading the first line, it
> should be able to monitor the failed ftp logins or attempts right?
>
> Can someone help me about my problem on how I could fix this issue?
> I'm starting to like sshguard and this is what I really need because
> it has support for ipfilter.
>
> Thanks in advance!
>
> Regards,
> alia
>
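The diagnosis in this exchange is that the ProFTPD prefix rule `({WORD}\.)+{WORD}" ("[^\[]+"["` only accepts a dotted host name, while alia's auth.log has the bare word `localhost` in that field, so the scanner tokenises it as HOSTADDR and the parser discards the line. The following is an added example, not sshguard's code: it rewrites the original prefix rule and Mij's `{HOSTADDR}` replacement as Python regexes and runs both over constructed auth.log lines modelled on alia's. The `WORD` and `HOSTADDR` definitions are assumptions (sshguard's real ones live in attack_scanner.l and are not quoted in the thread), and the addresses are documentation-range placeholders.

```python
"""Added example, not sshguard's code: the ProFTPD prefix rule discussed in
the thread and Mij's replacement, rewritten as Python regexes and run over
constructed auth.log lines. WORD and HOSTADDR are assumed definitions."""
import re

WORD = r"[A-Za-z0-9_-]+"                      # assumed flex {WORD}
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*"
# Assumed {HOSTADDR}: an IPv4 or IPv6 literal, or a hostname, dotted or not.
# The debug trace in the thread shows "localhost" tokenised as HOSTADDR, so
# a bare label must be accepted here.
HOSTADDR = rf"(?:{IPV4}|{IPV6}|{WORD}(?:\.{WORD})*)"

# Syslog banner with the proftpd program name and PID.
SYSLOG = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: "

# Original rule:  ({WORD}\.)+{WORD}" ("[^\[]+"["
# It demands at least one dot in the host field, so "localhost (" never
# matches and the login-failure line is dropped.
ORIG_PREF = rf"(?:{WORD}\.)+{WORD} \([^\[]+\["
# Mij's replacement:  {HOSTADDR}" ("[^\[]+"["
FIXED_PREF = rf"{HOSTADDR} \([^\[]+\["
# Suffix rule:  "]) -".*" no such user found ".+
SUFF = r"\]\) -.* no such user found .+$"


def scan(lines, prefix):
    """Apply prefix + client address + suffix to each line, as scanner and
    parser would together, and return the address the rule would hand to
    the firewall, or None where the line is not accepted."""
    rx = re.compile(SYSLOG + prefix + rf"(?P<addr>{HOSTADDR})" + SUFF)
    results = []
    for line in lines:
        m = rx.match(line)
        results.append(m.group("addr") if m else None)
    return results


# Constructed sample, modelled on alia's two auth.log lines plus one with a
# dotted host name; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = [
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.7[203.0.113.7])"
    " - USER jkhfjkasdhfjd: no such user found from 203.0.113.7 [203.0.113.7]"
    " to 192.0.2.10:21",
    "Jan 29 14:30:34 sample proftpd[12194]: localhost (203.0.113.7[203.0.113.7])"
    " - FTP session closed.",
    "Jan 29 14:31:02 sample proftpd[12195]: ftp.example.net"
    " (203.0.113.8[203.0.113.8]) - USER admin: no such user found from"
    " 203.0.113.8 [203.0.113.8] to 192.0.2.10:21",
]


if __name__ == "__main__":
    print("original rule :", scan(SAMPLE_LOG, ORIG_PREF))
    print("HOSTADDR rule :", scan(SAMPLE_LOG, FIXED_PREF))
```

With the original prefix the `localhost` failure line yields None and only the dotted-host line is caught; with the `{HOSTADDR}` prefix both failure lines yield the client address, while the "FTP session closed" line is ignored by both, which is the behaviour the thread was trying to reach.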
From: Mij <mi...@bi...> - 2009-02-01 19:31:52
Hello Greg,

On Jan 20, 2009, at 15:34 , Greg Parrish wrote:
> I am having two issues with the 1.3 release as seen in the logs below.
> This is on a Centos4 host using the auth.log method piped to sshguard
> and not the syslog method.
>
> 1. Here the logs all have ffff in them and I am not sure why this is but
> it seems normal from some other posts out there but it fails to block. I
> have this running on a Centos3 host and it is working fine but there is
> no ffff in the log entries which I assume is causing the failure.
>
> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string
> from ::ffff:192.168.122.234
> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string
> from ::ffff:192.168.122.234
> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures
> over 0 seconds.
> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed.
> Exited: -1

Do you have the system utility ip6tables? This is what sshguard needs to block IPv6 addresses.

> 2. The above is an internal host so I am not concerned about him other
> than the blocking is failing. From testing on an outside host it just
> registers the failed login but never even reports a block attempt there
> after I failed the login many times. Here are my params.
>
> 2 failures, in 30 minutes, block them for a month.
> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800

1) Do you have debug-level entries for when you tried this?
2) What kind of log messages do you expect to cause blocking? Did you try to inject them manually in "sshguard -d" and see if it detects them?
3) "-p 25920000": this is dangerous, use with care. If you want blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box.

> Thanks,
> greg
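Greg's logs show the symptom of IPv4-mapped IPv6 addresses: sshd accepted an IPv4 client on a dual-stack socket and logged the peer as `::ffff:192.168.122.234`, sshguard treated it as IPv6, cut it to `::ffff:192` and then failed because ip6tables was absent. The block below is an added example, not sshguard's code, showing the handling a practitioner would want: unwrap the mapped address to plain IPv4 before choosing the firewall tool, and apply the same attempts/window/pardon policy that the `-a`, `-s` and `-p` options express. The log format, the year supplied to the timestamps, the iptables command syntax and the sample lines are all assumptions modelled on Greg's excerpt.

```python
"""Added example, not sshguard's code: unwrap IPv4-mapped IPv6 addresses in
sshd log lines and apply an sshguard-style -a/-s/-p policy to them. Log
format, year and sample lines are assumptions modelled on Greg's excerpt."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd's "no identification string" message as Greg's logs showed it. The
# address class includes '.' so "::ffff:192.168.122.234" is captured whole
# rather than being cut to "::ffff:192" at the first dot.
SSHD_NOID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<addr>[0-9A-Fa-f:.]+)$"
)


def normalize_addr(text):
    """Return (address, family); IPv4-mapped IPv6 is unwrapped to IPv4.

    '::ffff:192.168.122.234' -> ('192.168.122.234', 4): the peer is an IPv4
    client that arrived over sshd's dual-stack IPv6 socket, so the IPv4
    firewall tool blocks it and no ip6tables is needed."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped), 4
    return str(addr), addr.version


def parse_sshd_line(line, year=2009):
    """Return (timestamp, address, family) or None for unrelated lines.
    Syslog timestamps carry no year, so one is supplied (assumed 2009)."""
    m = SSHD_NOID_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    addr, family = normalize_addr(m.group("addr"))
    return ts, addr, family


class Guard:
    """Minimal sshguard-like policy: block an address after `attempts`
    failures within `seconds`, pardon it `pardon` seconds later (the -a, -s
    and -p options). Greg's -p 25920000 is 300 days, not a month."""

    def __init__(self, attempts=2, seconds=1800, pardon=25920000):
        self.attempts = attempts
        self.window = timedelta(seconds=seconds)
        self.pardon = timedelta(seconds=pardon)
        self.failures = defaultdict(list)  # address -> failure timestamps
        self.blocked = {}                  # address -> (family, release time)

    def feed(self, line):
        """Return ('block', addr, family) when this line tips an address over
        the threshold, ('ignore', addr) while it is still blocked, else None."""
        parsed = parse_sshd_line(line)
        if parsed is None:
            return None
        ts, addr, family = parsed
        if addr in self.blocked and ts < self.blocked[addr][1]:
            return ("ignore", addr)
        self.blocked.pop(addr, None)            # pardon time has elapsed
        hits = [t for t in self.failures[addr] if ts - t <= self.window]
        hits.append(ts)
        if len(hits) >= self.attempts:
            self.failures[addr] = []
            self.blocked[addr] = (family, ts + self.pardon)
            return ("block", addr, family)
        self.failures[addr] = hits
        return None


def firewall_command(addr, family):
    """Pick the tool by the *normalised* family, so a mapped IPv4 peer never
    needs ip6tables (assumed iptables syntax for a DROP rule)."""
    tool = "iptables" if family == 4 else "ip6tables"
    return f"{tool} -I INPUT -s {addr} -j DROP"


# Constructed sample modelled on Greg's excerpt; 2001:db8::/32 is the IPv6
# documentation prefix.
SAMPLE_LOG = [
    "Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification "
    "string from ::ffff:192.168.122.234",
    "Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification "
    "string from ::ffff:192.168.122.234",
    "Jan 20 09:26:19 arnold sshd[9299]: Did not receive identification "
    "string from 2001:db8::1",
    "Jan 20 10:00:00 arnold sshd[9300]: Did not receive identification "
    "string from 2001:db8::1",
]


def run(lines, **options):
    """Feed every line to a fresh Guard and collect the block/ignore events."""
    guard = Guard(**options)
    return [event for event in map(guard.feed, lines) if event]


if __name__ == "__main__":
    for event in run(SAMPLE_LOG):
        print(*event, firewall_command(event[1], event[2]) if event[0] == "block" else "")
```

With Greg's settings (`-a 2 -s 1800`) the two mapped entries block `192.168.122.234` via iptables; the two genuine IPv6 entries are 2021 seconds apart, outside the 1800-second window, so they do not block, whereas widening the window to 3600 seconds blocks `2001:db8::1` via ip6tables.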
From: Mij <mi...@bi...> - 2009-02-01 19:30:29
On Jan 20, 2009, at 9:43 , Michel wrote:
> On Saturday, 17 January 2009, Mij wrote:
>> If so, do they have the same parent and status? You can
>> derive this answer with this command:
>>
>> ps axjh | grep -E 'sshguard|syslog'
>>
>
> dedi2# ps axjh | grep -E 'sshguard|syslog'
> root   426     1   426   426  0 Ss   ??  3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198
> root   746     1   746   746  0 SsJ  ??  1:07.35 /usr/sbin/syslogd -s
> root  1302     1  1302  1302  0 IsJ  ??  1:03.50 /usr/sbin/syslogd -s
> root 78143     1 74878 74878  0 R    ??  1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
> root 82313     1 82313 82313  0 IsJ  ??  0:15.04 /usr/sbin/syslogd -s
> root 88115   426 88115 88115  0 Ss   ??  0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
> root 95765 95761 95764 95758  2 R+   p1  0:00.00 grep -E sshguard|syslog

I see several instances of syslogd as well. I'm no jail expert, but as the "further" ones operate in secure mode my intuition is that they are raised for the jails.

Sshguard is not designed to run in multiple instances, but technically, even after reviewing the code, I don't see a reason for the looping. The problem is interesting.

When you kill the program, the OS should dump a core file somewhere (use "locate sshguard.core"): can you send it to me? That would be even more valuable if you can

1) use the current SVN version
   mkdir sshguard && cd sshguard
   svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard/ ./
2) compile with debug symbols and send the core of that version.
   ./configure --with-firewall=pf --enable-debug=yes
   make
   cp sshguard /usr/local/bin
   (do NOT use make install, which strips debug symbols)

michele

>> As a further curiosity: if you signal the "looped" instance with TSTP,
>> does it remain looping?
>> kill -s TSTP <pid_looped>
>> after this command, do you see anything in the log like "Got STOP
>> signal, suspending activity." ?
>>
>
> kill -s TSTP 78143
> and it remains looping!
>
> and nothing in messages nor in debug:
>
> Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
>
> only a kill -9 78143 stops the loop ...