Menu
▾
▴
sshguard-users — User questions and answers, bugs, and general support
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
(10) |
Apr
(7) |
May
(6) |
Jun
(13) |
Jul
(4) |
Aug
|
Sep
|
Oct
(17) |
Nov
(5) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(2) |
Feb
|
Mar
|
Apr
(4) |
May
(2) |
Jun
(7) |
Jul
(10) |
Aug
(4) |
Sep
(14) |
Oct
|
Nov
(1) |
Dec
(7) |
| 2009 |
Jan
(17) |
Feb
(20) |
Mar
(11) |
Apr
(14) |
May
(8) |
Jun
(3) |
Jul
(22) |
Aug
(9) |
Sep
(8) |
Oct
(6) |
Nov
(4) |
Dec
(8) |
| 2010 |
Jan
(17) |
Feb
(9) |
Mar
(15) |
Apr
(24) |
May
(14) |
Jun
(1) |
Jul
(21) |
Aug
(6) |
Sep
(2) |
Oct
(2) |
Nov
(6) |
Dec
(9) |
| 2011 |
Jan
(11) |
Feb
(1) |
Mar
(3) |
Apr
(4) |
May
|
Jun
|
Jul
(2) |
Aug
(3) |
Sep
(2) |
Oct
(29) |
Nov
(1) |
Dec
(1) |
| 2012 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
(13) |
May
(4) |
Jun
(9) |
Jul
(2) |
Aug
(2) |
Sep
(1) |
Oct
(2) |
Nov
(11) |
Dec
(4) |
| 2013 |
Jan
(2) |
Feb
(2) |
Mar
(4) |
Apr
(13) |
May
(4) |
Jun
|
Jul
|
Aug
(1) |
Sep
(5) |
Oct
(3) |
Nov
(1) |
Dec
(3) |
| 2014 |
Jan
|
Feb
(3) |
Mar
(3) |
Apr
(6) |
May
(8) |
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
(3) |
Nov
(14) |
Dec
(8) |
| 2015 |
Jan
(16) |
Feb
(30) |
Mar
(20) |
Apr
(5) |
May
(33) |
Jun
(11) |
Jul
(15) |
Aug
(91) |
Sep
(23) |
Oct
(10) |
Nov
(7) |
Dec
(9) |
| 2016 |
Jan
(22) |
Feb
(8) |
Mar
(6) |
Apr
(23) |
May
(38) |
Jun
(29) |
Jul
(43) |
Aug
(43) |
Sep
(18) |
Oct
(8) |
Nov
(2) |
Dec
(25) |
| 2017 |
Jan
(38) |
Feb
(3) |
Mar
(1) |
Apr
|
May
(18) |
Jun
(2) |
Jul
(16) |
Aug
(2) |
Sep
|
Oct
(1) |
Nov
(4) |
Dec
(14) |
| 2018 |
Jan
(15) |
Feb
(2) |
Mar
(3) |
Apr
(5) |
May
(8) |
Jun
(12) |
Jul
(19) |
Aug
(16) |
Sep
(8) |
Oct
(13) |
Nov
(15) |
Dec
(10) |
| 2019 |
Jan
(9) |
Feb
(3) |
Mar
|
Apr
(2) |
May
|
Jun
(1) |
Jul
|
Aug
(5) |
Sep
(5) |
Oct
(12) |
Nov
(4) |
Dec
|
| 2020 |
Jan
(2) |
Feb
(6) |
Mar
|
Apr
|
May
(11) |
Jun
(1) |
Jul
(3) |
Aug
(22) |
Sep
(8) |
Oct
|
Nov
(2) |
Dec
|
| 2021 |
Jan
(7) |
Feb
|
Mar
(19) |
Apr
|
May
(10) |
Jun
(5) |
Jul
(7) |
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(10) |
Dec
(4) |
| 2022 |
Jan
(17) |
Feb
|
Mar
(7) |
Apr
(3) |
May
|
Jun
(1) |
Jul
(3) |
Aug
|
Sep
|
Oct
(6) |
Nov
|
Dec
|
| 2023 |
Jan
|
Feb
(5) |
Mar
(1) |
Apr
(3) |
May
|
Jun
(3) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
(6) |
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2025 |
Jan
|
Feb
|
Mar
(15) |
Apr
(8) |
May
(10) |
Jun
|
Jul
|
Aug
|
Sep
(6) |
Oct
|
Nov
|
Dec
|
|
From: alia r. <ali...@gm...> - 2009-01-30 06:37:10
|
Hello to everyone!
Just started using sshguard. I've managed to configure it to monitor SSH
brute force attack. My problem now is to monitor the FTP brute force attack.
I'm using sshguard with ipfilter. I'm using proftpd for FTP.
I'm 100% sure that logging is working because I used the tail -f
/var/log/auth.log command to monitor if failed ftp logins are being logged.
I've used the debug command to check where the problem is and I found these
lines:
Run command "grep -qE '^##sshguard-begin##
##sshguard-end##$' < /etc/ipf.rules": exited 0.
Started successfully [(a,p,s)=(2, 60, 1200)], now ready to scan.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample
proftpd[12194]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 147 (" ")
--accepting rule at line 136 ("localhost")
Next token is token HOSTADDR ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token HOSTADDR ()
Stack now 0
Starting parse
Entering state 0
Reading a token: --accepting rule at line 74 ("Jan 29 14:30:34 sample
proftpd[12194]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 147 (" ")
--accepting rule at line 136 ("localhost")
Next token is token HOSTADDR ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token HOSTADDR ()
Stack now 0
I think the problem lies in the accepting rule at line 147. It just reads a
blank character or line or a space. I've checked my auth.log file and found
these lines:
Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - USER
jkhfjkasdhfjd: no such user found from xx.xx.xx.xxx [xx.xx.xx.xxx] to
xx.xx.xx.xxx:21
Jan 29 14:30:34 sample proftpd[12194]: localhost (x.x.x.x[x.x.x.x]) - FTP
session closed.
I've checked the attack_scanner.l file. I saw these lines:
/* ProFTPd */
({WORD}\.)+{WORD}" ("[^\[]+"[" {
BEGIN(proftpd_loginerr); return PROFTPD_LOGINERR_PREF; }
<proftpd_loginerr>"]) -".*" no such user found ".+ {
BEGIN(INITIAL); return PROFTPD_LOGINERR_SUFF; }
I'm guessing it's reading the second line instead of the first line (in the
auth.log file). Cause if it's reading the first line, it should be able to
monitor the failed ftp logins or attempts right?
Can someone help me about my problem on how I could fix this issue? I'm
starting to like sshguard and this is what I really need because it has
support for ipfilter.
Thanks in advance!
Regards,
alia
|
|
From: Greg P. <gre...@hc...> - 2009-01-25 19:51:48
|
I am having two issues with the 1.3 release as seen in the logs below. This is on a Centos4 host using the auth.log method piped to sshguard and not the syslog method. 1. Here the logs all have ffff in them and I am not sure why this is but it seems normal from some other posts out there but it fails to block. I have this running on a Centos3 host and it is working fine but there is no ffff in the log entries which I assume is causing the failure. Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234 Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234 Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds. Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1 2. The above is an internal host so I am not concerned about him other than the blocking is failing. From testing on an outside host it just registers the failed login but never even reports a block attempt there after I failed the login many times. Here are my params. 2 failures, in 30 minutes, block them for a month. /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800 Thanks, greg |
|
From: Michel <mi...@do...> - 2009-01-20 08:44:20
|
Le samedi 17 janvier 2009, Mij a écrit : > Hello Michel, > > On Jan 15, 2009, at 13:31 , Michel wrote: > > > Le mercredi 14 janvier 2009, Mij a écrit : > >> Hello Michel, > >> > >> Sorry for overlooking this post, I'm actually very interested. > >> To clarify your scenario: you have 2 instances of sshguard, > >> one for the host, the other one for both jails. I guess both > >> jails are logging to the same file, and you are monitoring that (?). > >> > >> Is it always the "jails" process to show this behavior? Do you see > >> anything strange ending up in logs? Can you report sshguard's more > >> verbose messages (do you have debug.log or similar?)? > >> > >> thanks > >> > > > > No, I usualy have only one sshguard running : > > ps -aux | grep sshguard \ > > root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM > > 0:00.05 /usr/local/sbin/sshguard -w > > > > I use syslog in the jails to log all auth.log on the host and the > > syslog.conf of the host have the lines : > > auth.info;authpriv.info /var/log/auth.log > > auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w > > 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800 > > so you're saying: > 1) there is one syslog running in your system, collecting everything > from host+jails to auth.log Yes > 2) one sshguard is configured to be given these auth.log lines and > blocks through PF for everything Yes > > > The last time the problem appear (from daily security mail) : > > > > Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from > > 203.252.182.37 > > Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from > > 203.252.182.37 > > Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from > > 203.252.182.37 > > here you don't mean that after these lines sshguard loops, do you? > > > > In the auth.log of the host (dedi2 is the host, dedi_? are the > > jails) : > > > > Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive > > identification string from 216.127.160.82 > > Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 > > failures over 156 seconds. > > Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after > > 690 seconds. > > Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification > > string from 201.134.249.168 > > Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking > > getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx > > [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT! > > Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from > > 201.134.249.168 > > Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from > > 203.252.182.37 > > Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from > > 203.252.182.37 > > Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from > > 203.252.182.37 > > Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from > > 203.252.182.37 > > .... > > a lot of lines : >600 (1 every 2-3 seconds) > > .... > > Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from > > 203.252.182.37 > > Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from > > 203.252.182.37 > > Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully > > [(a,p,s)=(3, 600, 1800)], now ready to scan. > > Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from > > 203.252.182.37 > > Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from > > 203.252.182.37 > > > > > > And debug.0.log : > > > > Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \ > > SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > > Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl - > > Tdel -t sshguard $SSHG_ADDR": exited 0. > > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as > > plain IPv4. > > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24. > > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as > > plain IPv4. > > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81. > > Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address > > 203.252.182.37 > > Jan 14 10:03:01 dedi2 last message repeated 2 times > > Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \ > > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > > Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl - > > Tadd -t sshguard $SSHG_ADDR": exited 0. > > Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl - > > Tflush -t sshguard": exited 0. > > Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \ > > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > > > > It look like sshguard is trarting twice on 10:02:56 ? > > When that message occurs, sshguard is actually starting. This happens > frequently for a restart (e.g. > for log rotation) but there I don't see a "Got exit signal" message > before. Do you see two instances > at that point? Yes > If so, do they have the same parent and status? You can > derive this answer with this command: > > ps axjh | grep -E 'sshguard|syslog' > dedi2# ps axjh | grep -E 'sshguard|syslog' root 426 1 426 426 0 Ss ?? 3:30.50 /usr/sbin/syslogd -a 88.191.206.196 -a 88.191.206.197 -a 88.191.206.198 root 746 1 746 746 0 SsJ ?? 1:07.35 /usr/sbin/syslogd -s root 1302 1 1302 1302 0 IsJ ?? 1:03.50 /usr/sbin/syslogd -s root 78143 1 74878 74878 0 R ?? 1358:09.42 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800 root 82313 1 82313 82313 0 IsJ ?? 0:15.04 /usr/sbin/syslogd -s root 88115 426 88115 88115 0 Ss ?? 0:00.10 /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800 root 95765 95761 95764 95758 2 R+ p1 0:00.00 grep -E sshguard|syslog > As a further curiosity: if you signal the "looped" instance with TSTP, > does it remain looping? > kill -s TSTP <pid_looped> > after this command, do you see anything in the log like "Got STOP > signal, suspending activity." ? > > kill -s TSTP 78143 and it remain looping ! and nothing in messages nor in debug : Jan 20 09:17:56 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0. Jan 20 09:31:04 dedi2 sshguard[88115]: Setting environment: SSHG_ADDR=85.25.73.69;SSHG_ADDRKIND=4;SSHG_SERVICE=100. Jan 20 09:31:04 dedi2 sshguard[88115]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0. only a kill -9 78143 stop the loop ... |
|
From: Mij <mi...@bi...> - 2009-01-17 10:57:44
|
Hello Michel, On Jan 15, 2009, at 13:31 , Michel wrote: > Le mercredi 14 janvier 2009, Mij a écrit : >> Hello Michel, >> >> Sorry for overlooking this post, I'm actually very interested. >> To clarify your scenario: you have 2 instances of sshguard, >> one for the host, the other one for both jails. I guess both >> jails are logging to the same file, and you are monitoring that (?). >> >> Is it always the "jails" process to show this behavior? Do you see >> anything strange ending up in logs? Can you report sshguard's more >> verbose messages (do you have debug.log or similar?)? >> >> thanks >> > > No, I usualy have only one sshguard running : > ps -aux | grep sshguard \ > root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM > 0:00.05 /usr/local/sbin/sshguard -w > > I use syslog in the jails to log all auth.log on the host and the > syslog.conf of the host have the lines : > auth.info;authpriv.info /var/log/auth.log > auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w > 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800 so you're saying: 1) there is one syslog running in your system, collecting everything from host+jails to auth.log 2) one sshguard is configured to be given these auth.log lines and blocks through PF for everything > The last time the problem appear (from daily security mail) : > > Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from > 203.252.182.37 > Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from > 203.252.182.37 > Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from > 203.252.182.37 > Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from > 203.252.182.37 > Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from > 203.252.182.37 here you don't mean that after these lines sshguard loops, do you? > In the auth.log of the host (dedi2 is the host, dedi_? are the > jails) : > > Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive > identification string from 216.127.160.82 > Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 > failures over 156 seconds. > Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after > 690 seconds. > Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification > string from 201.134.249.168 > Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking > getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx > [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT! > Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from > 201.134.249.168 > Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from > 203.252.182.37 > Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from > 203.252.182.37 > Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from > 203.252.182.37 > Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from > 203.252.182.37 > Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from > 203.252.182.37 > .... > a lot of lines : >600 (1 every 2-3 seconds) > .... > Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from > 203.252.182.37 > Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from > 203.252.182.37 > Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully > [(a,p,s)=(3, 600, 1800)], now ready to scan. > Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from > 203.252.182.37 > Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from > 203.252.182.37 > > > And debug.0.log : > > Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \ > SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl - > Tdel -t sshguard $SSHG_ADDR": exited 0. > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as > plain IPv4. > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24. > Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as > plain IPv4. > Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81. > Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address > 203.252.182.37 > Jan 14 10:03:01 dedi2 last message repeated 2 times > Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \ > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl - > Tadd -t sshguard $SSHG_ADDR": exited 0. > Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl - > Tflush -t sshguard": exited 0. > Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \ > SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100. > > It look like sshguard is trarting twice on 10:02:56 ? When that message occurs, sshguard is actually starting. This happens frequently for a restart (e.g. for log rotation) but there I don't see a "Got exit signal" message before. Do you see two instances at that point? If so, do they have the same parent and status? You can derive this answer with this command: ps axjh | grep -E 'sshguard|syslog' As a further curiosity: if you signal the "looped" instance with TSTP, does it remain looping? kill -s TSTP <pid_looped> after this command, do you see anything in the log like "Got STOP signal, suspending activity." ? > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Mij <mi...@bi...> - 2009-01-17 10:23:24
|
Hello Greg, This is a problem with non-POSIX compliant libc implementations, where getopt() stuff is not defined in unistd.h but in getopt.h . Nobuhiro Iwamatsu has reported the same problem some days ago, and support for these settings has been added in the SVN version. You can either download and compile that, or wait a some days for 1.4 to be released. michele On Jan 16, 2009, at 17:45 , Greg Parrish wrote: > > I am having an issue compiling the 1.4RC2 on my system. Here are the > OS > details and the tail of the error. Any ideas on this make error, the > configure ran fine. > > CentOS release 3.9 (Final) > 2.4.21-53.EL #1 Mon Dec 3 13:43:24 EST 2007 i686 athlon i386 GNU/Linux > > ./configure --with-firewall=iptables > > make: > > > make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src/fwalls' > make[3]: Entering directory `/home/software/sshguard-1.4rc2/src' > gcc -DHAVE_CONFIG_H -I. -I. -O2 -std=c99 -Wall -g -O2 -MT > sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o > sshguard_options.o sshguard_options.c > sshguard_options.c: In function `get_options_cmdline': > sshguard_options.c:44: warning: implicit declaration of function > `getopt' > sshguard_options.c:47: `optarg' undeclared (first use in this > function) > sshguard_options.c:47: (Each undeclared identifier is reported only > once > sshguard_options.c:47: for each function it appears in.) > make[3]: *** [sshguard_options.o] Error 1 > make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src' > make[2]: *** [all-recursive] Error 1 > make[2]: Leaving directory `/home/software/sshguard-1.4rc2/src' > make[1]: *** [all] Error 2 > make[1]: Leaving directory `/home/software/sshguard-1.4rc2/src' > make: *** [all-recursive] Error 1 > > Thanks, > greg > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Greg P. <gre...@hc...> - 2009-01-16 18:54:26
|
I am having an issue compiling the 1.4RC2 on my system. Here are the OS details and the tail of the error. Any ideas on this make error, the configure ran fine. CentOS release 3.9 (Final) 2.4.21-53.EL #1 Mon Dec 3 13:43:24 EST 2007 i686 athlon i386 GNU/Linux ./configure --with-firewall=iptables make: make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src/fwalls' make[3]: Entering directory `/home/software/sshguard-1.4rc2/src' gcc -DHAVE_CONFIG_H -I. -I. -O2 -std=c99 -Wall -g -O2 -MT sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o sshguard_options.o sshguard_options.c sshguard_options.c: In function `get_options_cmdline': sshguard_options.c:44: warning: implicit declaration of function `getopt' sshguard_options.c:47: `optarg' undeclared (first use in this function) sshguard_options.c:47: (Each undeclared identifier is reported only once sshguard_options.c:47: for each function it appears in.) make[3]: *** [sshguard_options.o] Error 1 make[3]: Leaving directory `/home/software/sshguard-1.4rc2/src' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/home/software/sshguard-1.4rc2/src' make[1]: *** [all] Error 2 make[1]: Leaving directory `/home/software/sshguard-1.4rc2/src' make: *** [all-recursive] Error 1 Thanks, greg |
|
From: Keven T. <byt...@sh...> - 2009-01-15 23:11:11
|
Greetings to all.
I've attached a bunch of patches to sshguard as below. These consist
of the following fixes/features:
1) Added support for snort IDS style syslog "alerts" (offending hosts)
to sshguard_services.h, attack_parser.h, attack_parser.y, and
attack_scanner.l. I think everything I've done here is valid, though
I'm not familiar with Flex so the attack_scanner.l code might be
slightly whacked. It does, however, compile and actually works. If
anyone wants to run over the relevant code in attack_scanner.l, here's
a sample Snort syslog output (IP addresses are just random numbers):
Jan 15 15:49:20 sensor snort[11588]: [1:402:8] ICMP Destination
Unreachable Port Unreachable [Classification: Misc activity]
[Priority: 3]: {ICMP} 212.79.65.90 -> 96.56.224.81
The format of it is pretty simple:
<syslog crap> [NUMBER:NUMBER:NUMBER] <more text> {WORD} SOURCE_IP ->
DEST_IP
Where SOURCE_IP is the /only/ thing that should matter, since that is
the originating IP that the detected attack came from. This is what I /
tried/ to write the attack_scanner.l code to do, and it seems to work
just fine.
2) Modified sshguard.c to properly support abuse thresholds of "1".
This is primarily for the above Snort modifications (block-on-sight),
though I believe it applies to parsing of any other logs. For whatever
reason, sshguard_options.c was setup to accept -a 1, but sshguard.c
effectively ignored the first abuse sighting regardless of what -a was
set to. The fix basically involves removing one line and changing
another, so that first-time abusers are blocked on sight if -a is set
to 1 (block on 1st abuse).
3) Modified sshguard_options.c so that values < -p 2 are ignored and
usage is printed. When -p is set to 1 (which really doesn't make
sense, but whatever), sshguard_options.c accepted this and caused the
line: sleep(1 + random() % (opts.pardon_threshold/2)) to immediately
bomb out with a FP error. Limiting -p's minimum to 2 obviously solves
this problem. Again, I don't know why -p would be set to such a low
value, but it's a crash I came across regardless and fixed.
Patches are below.
-KT
*** ./sshguard_original/src/attack_parser.h 2009-01-15
16:01:38.000000000 -0700
--- ./sshguard/src/attack_parser.h 2009-01-15 15:59:43.000000000 -0700
***************
*** 70,76 ****
PROFTPD_LOGINERR_PREF = 286,
PROFTPD_LOGINERR_SUFF = 287,
PUREFTPD_LOGINERR_PREF = 288,
! PUREFTPD_LOGINERR_SUFF = 289
};
#endif
/* Tokens. */
--- 70,78 ----
PROFTPD_LOGINERR_PREF = 286,
PROFTPD_LOGINERR_SUFF = 287,
PUREFTPD_LOGINERR_PREF = 288,
! PUREFTPD_LOGINERR_SUFF = 289,
! SNORTIDS_ALERTERR_PREF = 290,
! SNORTIDS_ALERTERR_SUFF = 291
};
#endif
/* Tokens. */
***************
*** 106,111 ****
--- 108,115 ----
#define PROFTPD_LOGINERR_SUFF 287
#define PUREFTPD_LOGINERR_PREF 288
#define PUREFTPD_LOGINERR_SUFF 289
+ #define SNORTIDS_ALERTERR_PREF 290
+ #define SNORTIDS_ALERTERR_SUFF 291
*** ./sshguard_original/src/attack_parser.y 2009-01-15
16:01:38.000000000 -0700
--- ./sshguard/src/attack_parser.y 2009-01-15 14:50:04.000000000 -0700
***************
*** 49,54 ****
--- 49,56 ----
%token PROFTPD_LOGINERR_PREF PROFTPD_LOGINERR_SUFF
/* PureFTPd */
%token PUREFTPD_LOGINERR_PREF PUREFTPD_LOGINERR_SUFF
+ /* Snort IDS */
+ %token SNORTIDS_ALERTERR_PREF SNORTIDS_ALERTERR_SUFF
%%
***************
*** 100,105 ****
--- 102,108 ----
| freebsdftpdmsg { parsed_attack.service =
SERVICES_FREEBSDFTPD; }
| proftpdmsg { parsed_attack.service =
SERVICES_PROFTPD; }
| pureftpdmsg { parsed_attack.service =
SERVICES_PUREFTPD; }
+ | snortidsmsg { parsed_attack.service =
SERVICES_SNORTIDS; }
;
/* an address */
***************
*** 212,217 ****
--- 215,225 ----
PUREFTPD_LOGINERR_PREF addr PUREFTPD_LOGINERR_SUFF
;
+ /* attach rules for Snort IDS */
+ snortidsmsg:
+ SNORTIDS_ALERTERR_PREF addr SNORTIDS_ALERTERR_SUFF
+ ;
+
%%
void yyerror(char *msg) { /* do nothing */ }
*** ./sshguard_original/src/attack_scanner.l 2009-01-15
16:01:38.000000000 -0700
--- ./sshguard/src/attack_scanner.l 2009-01-15 15:12:40.000000000 -0700
***************
*** 63,69 ****
%option debug
%array
! %s ssh_notallowed ssh_loginerr ssh_reversemap dovecot_loginerr
cyrusimap_loginerr freebsdftpd_loginerr proftpd_loginerr
pureftpd_loginerr
MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
DAYNO [1-9][0-9]?
--- 63,69 ----
%option debug
%array
! %s ssh_notallowed ssh_loginerr ssh_reversemap dovecot_loginerr
cyrusimap_loginerr freebsdftpd_loginerr proftpd_loginerr
pureftpd_loginerr snortids_alerterr
MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
DAYNO [1-9][0-9]?
***************
*** 146,151 ****
--- 146,155 ----
"("[^@]
+
"@" { BEGIN
(pureftpd_loginerr); return PUREFTPD_LOGINERR_PREF; }
<pureftpd_loginerr>") [WARNING] Authentication failed for user ".+
{ BEGIN(INITIAL); return PUREFTPD_LOGINERR_SUFF; }
+ /* Snort IDS */
+
"["{NUMBER
}":"{NUMBER
}":"{NUMBER
}"]".*"{"{WORD}"}" { BEGIN(snortids_alerterr); return
SNORTIDS_ALERTERR_PREF; }
+ <snortids_alerterr>"->".+
{ BEGIN(INITIAL); return SNORTIDS_ALERTERR_SUFF; }
+
/** COMMON-USE TOKENS do not touch these **/
/* an IPv4 address */
*** ./sshguard_original/src/sshguard_services.h 2009-01-15
16:01:38.000000000 -0700
--- ./sshguard/src/sshguard_services.h 2009-01-15 15:59:42.000000000
-0700
***************
*** 51,54 ****
--- 51,57 ----
/* Pure-FTPd */
#define SERVICES_PUREFTPD 320
+ /* Snort IDS */
+ #define SERVICES_SNORTIDS 330
+
#endif
*** ./sshguard_original/src/sshguard.c 2009-01-15 16:01:38.000000000
-0700
--- ./sshguard/src/sshguard.c 2009-01-15 16:08:24.000000000 -0700
***************
*** 287,294 ****
tmpent = malloc(sizeof(attacker_t));
attackerinit(tmpent, & attack);
list_append(&limbo, tmpent);
-
- return;
}
--- 287,292 ----
***************
*** 395,401 ****
ipe->attack.address.kind = attack->address.kind;
ipe->attack.service = attack->service;
ipe->whenfirst = ipe->whenlast = time(NULL);
! ipe->numhits = 1;
}
void purge_limbo_stale(void) {
--- 393,399 ----
ipe->attack.address.kind = attack->address.kind;
ipe->attack.service = attack->service;
ipe->whenfirst = ipe->whenlast = time(NULL);
! ipe->numhits = 0;
}
void purge_limbo_stale(void) {
*** ./sshguard_original/src/sshguard_options.c 2009-01-15
16:01:38.000000000 -0700
--- ./sshguard/src/sshguard_options.c 2009-01-15 15:49:12.000000000
-0700
***************
*** 65,72 ****
break;
case 'p': /* pardon threshold interval */
opts.pardon_threshold = strtol(optarg, (char
**)NULL, 10);
! if (opts.pardon_threshold < 1) {
! fprintf(stderr, "Doesn't make sense to have a
pardon time lower than 1 second. Terminating.\n");
return -1;
}
break;
--- 65,72 ----
break;
case 'p': /* pardon threshold interval */
opts.pardon_threshold = strtol(optarg, (char
**)NULL, 10);
! if (opts.pardon_threshold < 2) {
! fprintf(stderr, "Doesn't make sense to have a
pardon time lower than 2 second. Terminating.\n");
return -1;
}
break;
|
|
From: Michel <mi...@do...> - 2009-01-15 13:10:14
|
Le mercredi 14 janvier 2009, Mij a écrit :
> Hello Michel,
>
> Sorry for overlooking this post, I'm actually very interested.
> To clarify your scenario: you have 2 instances of sshguard,
> one for the host, the other one for both jails. I guess both
> jails are logging to the same file, and you are monitoring that (?).
>
> Is it always the "jails" process to show this behavior? Do you see
> anything strange ending up in logs? Can you report sshguard's more
> verbose messages (do you have debug.log or similar?)?
>
> thanks
>
No, I usualy have only one sshguard running :
ps -aux | grep sshguard \
root 46873 0.0 0.1 1888 1132 ?? Is 10:00AM 0:00.05 /usr/local/sbin/sshguard -w
I use syslog in the jails to log all auth.log on the host and the syslog.conf of the host have the lines :
auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800
The last time the problem appear (from daily security mail) :
Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37
In the auth.log of the host (dedi2 is the host, dedi_? are the jails) :
Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
....
a lot of lines : >600 (1 every 2-3 seconds)
....
Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37
And debug.0.log :
Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \ SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
Jan 14 10:03:01 dedi2 last message repeated 2 times
Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
It look like sshguard is trarting twice on 10:02:56 ?
|
|
From: Mij <mi...@bi...> - 2009-01-15 09:49:10
|
Committed, thanks.
Please report if the version currently in SVN still has this effect.
michele
On Jan 15, 2009, at 2:35 AM, Keven Tipping wrote:
> Found the problem.
>
> On some BSD's, fgets might be interrupted during read. This is
> different from sending the program a SIGINT (which is handled
> elsewhere and has nothing to do with this issue).
> When fgets is interrupted, it automatically returns NULL and sets
> errno to EINTR (interrupted). Since the main while loop of sshguard
> assumes that fgets doesn't return NULL so long as it's working
> properly and reading from stdin, the loop exits and shuts down
> sshguard. If sshguard is launched via syslogd, then it gets relaunched
> until fgets bombs out again, causing sshguard to shutdown. This seems
> to repeat indefinitely and there *are* cases of this happening on
> google (if you check the syslog time stamp, you can see sshguard is
> exiting at random times).
>
> I've included a patch that resolves this issue. It should be cross-
> platform compliant and basically acts as a drop-in replacement fgets
> wrapper (aptly called "safe_fgets"). It will handle EOF and error
> conditions properly, ignoring any spurious EINTR issues, since those
> are non-critical and do NOT impact the operation of the program (not
> anymore, at least).
>
> Since program signaling is handled elsewhere, sshguard will still
> properly exit and relaunch when logs are rotated via syslog/syslog-ng/
> whatever. This simply fixes the issue of sshguard exiting prematurely
> due to some weird behavior with fgets on other platforms (primarily
> BSD, it appears).
>
> I've confirmed sshguard has been running for more then ~4 hours on my
> OpenBSD box(s). It is blocking and releasing IP's properly without
> exiting inbetween. It has exited and relaunched /once/ exactly on the
> hour when authlog was rotated, but other then that it's 100% stable
> now.
>
> -KT
>
> <------SNIP SNIP------>
> --- ./sshguard.c Wed Jan 14 18:16:09 2009
> +++ /root/sshguard.c Wed Jan 14 18:15:35 2009
> @@ -89,6 +89,8 @@ static inline void attackerinit(attacker_t
> *restrict i
> static void usage(void);
> /* comparison operator for sorting offenders list */
> static int lastAttackComparator(const void *a, const void *b);
> +/* safe fgets function */
> +char *safe_fgets(char *s, int size, FILE *stream);
> /* handler for termination-related signals */
> void sigfin_handler(int signo);
> /* handler for suspension/resume signals */
> @@ -213,7 +215,7 @@ int main(int argc, char *argv[]) {
> opts.abuse_threshold, (unsigned
> int)opts.pardon_threshold, (unsigned int)opts.stale_threshold);
>
>
> - while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
> + while (safe_fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
> if (suspended) continue;
>
> retv = parse_line(buf);
> @@ -233,6 +235,23 @@ int main(int argc, char *argv[]) {
> exit(0);
> }
>
> +char *safe_fgets(char *s, int size, FILE *stream) {
> + for (;;) {
> + if (fgets(s, size, stream))
> + return s;
> + if (feof(stream))
> + return NULL;
> + if(!ferror(stream)) {
> + sshguard_log(LOG_ERR, "Error reading from stdin:
> unknown fgets error!");
> + exit(0);
> + }
> + if(errno != EINTR) {
> + sshguard_log(LOG_ERR, "Error reading from stdin:
> fgets returned %s", strerror(errno));
> + exit(0);
> + }
> + clearerr(stream);
> + }
> +}
>
> void report_address(attack_t attack) {
> attacker_t *tmpent = NULL;
> <------SNIP SNIP------>
>
> On Jan 14, 2009, at 2:13 PM, Keven Tipping wrote:
>
>> Nope, that's not it.
>>
>> Cron is setup to run newsyslog every hour, but SSHguard terminates
>> randomly "whenever".
>>
>> As I've said, for whatever reason fgets is returning NULL and
>> breaking
>> out of the main loop. The signal handler for sigint/sigfin isn't
>> being
>> called here as it would be if syslogd or some other program was
>> sending sshguard a sigint. I'm not sure if this is a bug with fgets,
>> OpenBSD, or syslogd, but I'll try and do some debugging today and
>> figure it out.
>>
>> -KT
>>
>> On Jan 14, 2009, at 12:01 PM, Mij wrote:
>>
>>> Hello Keven,
>>>
>>> Do you have log rotation? Log rotation causes processes to be
>>> signaled
>>> for opening the new log files. This is often the case causing those
>>> message
>>> in log files.
>>>
>>>
>>> On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:
>>>
>>>> Okay, I just did some quick debugging here.
>>>>
>>>> It appears like SSHguard is exiting the main loop in sshguard.c.
>>>> For
>>>> whatever reason, on OpenBSD 4.4, the line:
>>>> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>>>>
>>>> Is indeed returning NULL. This causes the loop to break and exit(0)
>>>> is
>>>> called, resulting in the "Got exit signal" message. According to
>>>> google (and I'm not a programmer), this is caused either by fgets
>>>> encountering EOF or some other error.
>>>>
>>>> Any ideas to as why this is occurring?
>>>>
>>>> -KT
>>>>
>>>> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>>>>
>>>>> Greetings to all.
>>>>>
>>>>> I've been trying to get SSHguard running *reliably* on several
>>>>> OpenBSD
>>>>> 4.4 boxes. They all exhibit the same problem.
>>>>>
>>>>> I've installed sshguard (both 1.4-rc2 and svn) and have it
>>>>> currently
>>>>> running as root (though I doubt this has anything to do with the
>>>>> problem) via Syslog. The relevant syslog.conf line is:
>>>>> auth.info;auth.priv |exec /usr/sbin/sshguard
>>>>>
>>>>> SSHguard launches as expected when there's authlog traffic, and
>>>>> works
>>>>> just fine. I can hammer the box from the LAN and SSHguard adds the
>>>>> IP
>>>>> addresses to the pf table. That's all fine and great.
>>>>>
>>>>> The problem is, that SSHguard constantly "exits". I'm not sure if
>>>>> this
>>>>> is a SSHguard problem or something OpenBSD related, because I
>>>>> can't
>>>>> find anything in syslog's man page about this and there's nothing
>>>>> in
>>>>> my crontabs that would otherwise interfere with SSHguard.
>>>>>
>>>>> What happens is that every ~5-20 minutes (it seems completely
>>>>> random?), SSHguard prints the following in authlog:
>>>>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after
>>>>> 488
>>>>> seconds."
>>>>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing
>>>>> blocked
>>>>> addresses and exiting..."
>>>>>
>>>>> 10.0.1.140 is one of /several/ systems I used to test SSHguard-
>>>>> there
>>>>> were about ~10 IP's in the blocklist in this case, the latest one
>>>>> was
>>>>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once
>>>>> again
>>>>> exited for no apparent reason. Obviously, when SSHguard exited,
>>>>> the
>>>>> entire table was flushed. There's no way the last IP that was
>>>>> blocked
>>>>> had exceeded 420 seconds prior to SSHguard "getting an exit
>>>>> signal".
>>>>>
>>>>> I'm not sure why it does this. Once SSHguard cleanly exits (due to
>>>>> the
>>>>> above "signal"), syslogd restarts it as soon as there's authlog
>>>>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>>>>> exiting. Rinse, repeat. It will do this all day, basically.
>>>>>
>>>>> I have no idea if this is by design, or what is going on here. Any
>>>>> ideas?
>>>>>
>>>>> Cheers,
>>>>> -KT
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by:
>>>>> SourcForge Community
>>>>> SourceForge wants to tell your story.
>>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>>> _______________________________________________
>>>>> Sshguard-users mailing list
>>>>> Ssh...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by:
>>>> SourcForge Community
>>>> SourceForge wants to tell your story.
>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> SourcForge Community
>>> SourceForge wants to tell your story.
>>> http://p.sf.net/sfu/sf-spreadtheword
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Keven T. <byt...@sh...> - 2009-01-15 02:35:52
|
Found the problem.
On some BSD's, fgets might be interrupted during read. This is
different from sending the program a SIGINT (which is handled
elsewhere and has nothing to do with this issue).
When fgets is interrupted, it automatically returns NULL and sets
errno to EINTR (interrupted). Since the main while loop of sshguard
assumes that fgets doesn't return NULL so long as it's working
properly and reading from stdin, the loop exits and shuts down
sshguard. If sshguard is launched via syslogd, then it gets relaunched
until fgets bombs out again, causing sshguard to shutdown. This seems
to repeat indefinitely and there *are* cases of this happening on
google (if you check the syslog time stamp, you can see sshguard is
exiting at random times).
I've included a patch that resolves this issue. It should be cross-
platform compliant and basically acts as a drop-in replacement fgets
wrapper (aptly called "safe_fgets"). It will handle EOF and error
conditions properly, ignoring any spurious EINTR issues, since those
are non-critical and do NOT impact the operation of the program (not
anymore, at least).
Since program signaling is handled elsewhere, sshguard will still
properly exit and relaunch when logs are rotated via syslog/syslog-ng/
whatever. This simply fixes the issue of sshguard exiting prematurely
due to some weird behavior with fgets on other platforms (primarily
BSD, it appears).
I've confirmed sshguard has been running for more then ~4 hours on my
OpenBSD box(s). It is blocking and releasing IP's properly without
exiting inbetween. It has exited and relaunched /once/ exactly on the
hour when authlog was rotated, but other then that it's 100% stable now.
-KT
<------SNIP SNIP------>
--- ./sshguard.c Wed Jan 14 18:16:09 2009
+++ /root/sshguard.c Wed Jan 14 18:15:35 2009
@@ -89,6 +89,8 @@ static inline void attackerinit(attacker_t *restrict i
static void usage(void);
/* comparison operator for sorting offenders list */
static int lastAttackComparator(const void *a, const void *b);
+/* safe fgets function */
+char *safe_fgets(char *s, int size, FILE *stream);
/* handler for termination-related signals */
void sigfin_handler(int signo);
/* handler for suspension/resume signals */
@@ -213,7 +215,7 @@ int main(int argc, char *argv[]) {
opts.abuse_threshold, (unsigned
int)opts.pardon_threshold, (unsigned int)opts.stale_threshold);
- while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
+ while (safe_fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
if (suspended) continue;
retv = parse_line(buf);
@@ -233,6 +235,23 @@ int main(int argc, char *argv[]) {
exit(0);
}
+char *safe_fgets(char *s, int size, FILE *stream) {
+ for (;;) {
+ if (fgets(s, size, stream))
+ return s;
+ if (feof(stream))
+ return NULL;
+ if(!ferror(stream)) {
+ sshguard_log(LOG_ERR, "Error reading from stdin:
unknown fgets error!");
+ exit(0);
+ }
+ if(errno != EINTR) {
+ sshguard_log(LOG_ERR, "Error reading from stdin:
fgets returned %s", strerror(errno));
+ exit(0);
+ }
+ clearerr(stream);
+ }
+}
void report_address(attack_t attack) {
attacker_t *tmpent = NULL;
<------SNIP SNIP------>
On Jan 14, 2009, at 2:13 PM, Keven Tipping wrote:
> Nope, that's not it.
>
> Cron is setup to run newsyslog every hour, but SSHguard terminates
> randomly "whenever".
>
> As I've said, for whatever reason fgets is returning NULL and breaking
> out of the main loop. The signal handler for sigint/sigfin isn't being
> called here as it would be if syslogd or some other program was
> sending sshguard a sigint. I'm not sure if this is a bug with fgets,
> OpenBSD, or syslogd, but I'll try and do some debugging today and
> figure it out.
>
> -KT
>
> On Jan 14, 2009, at 12:01 PM, Mij wrote:
>
>> Hello Keven,
>>
>> Do you have log rotation? Log rotation causes processes to be
>> signaled
>> for opening the new log files. This is often the case causing those
>> message
>> in log files.
>>
>>
>> On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:
>>
>>> Okay, I just did some quick debugging here.
>>>
>>> It appears like SSHguard is exiting the main loop in sshguard.c. For
>>> whatever reason, on OpenBSD 4.4, the line:
>>> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>>>
>>> Is indeed returning NULL. This causes the loop to break and exit(0)
>>> is
>>> called, resulting in the "Got exit signal" message. According to
>>> google (and I'm not a programmer), this is caused either by fgets
>>> encountering EOF or some other error.
>>>
>>> Any ideas to as why this is occurring?
>>>
>>> -KT
>>>
>>> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>>>
>>>> Greetings to all.
>>>>
>>>> I've been trying to get SSHguard running *reliably* on several
>>>> OpenBSD
>>>> 4.4 boxes. They all exhibit the same problem.
>>>>
>>>> I've installed sshguard (both 1.4-rc2 and svn) and have it
>>>> currently
>>>> running as root (though I doubt this has anything to do with the
>>>> problem) via Syslog. The relevant syslog.conf line is:
>>>> auth.info;auth.priv |exec /usr/sbin/sshguard
>>>>
>>>> SSHguard launches as expected when there's authlog traffic, and
>>>> works
>>>> just fine. I can hammer the box from the LAN and SSHguard adds the
>>>> IP
>>>> addresses to the pf table. That's all fine and great.
>>>>
>>>> The problem is, that SSHguard constantly "exits". I'm not sure if
>>>> this
>>>> is a SSHguard problem or something OpenBSD related, because I can't
>>>> find anything in syslog's man page about this and there's nothing
>>>> in
>>>> my crontabs that would otherwise interfere with SSHguard.
>>>>
>>>> What happens is that every ~5-20 minutes (it seems completely
>>>> random?), SSHguard prints the following in authlog:
>>>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488
>>>> seconds."
>>>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing
>>>> blocked
>>>> addresses and exiting..."
>>>>
>>>> 10.0.1.140 is one of /several/ systems I used to test SSHguard-
>>>> there
>>>> were about ~10 IP's in the blocklist in this case, the latest one
>>>> was
>>>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once
>>>> again
>>>> exited for no apparent reason. Obviously, when SSHguard exited, the
>>>> entire table was flushed. There's no way the last IP that was
>>>> blocked
>>>> had exceeded 420 seconds prior to SSHguard "getting an exit
>>>> signal".
>>>>
>>>> I'm not sure why it does this. Once SSHguard cleanly exits (due to
>>>> the
>>>> above "signal"), syslogd restarts it as soon as there's authlog
>>>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>>>> exiting. Rinse, repeat. It will do this all day, basically.
>>>>
>>>> I have no idea if this is by design, or what is going on here. Any
>>>> ideas?
>>>>
>>>> Cheers,
>>>> -KT
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by:
>>>> SourcForge Community
>>>> SourceForge wants to tell your story.
>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> SourcForge Community
>>> SourceForge wants to tell your story.
>>> http://p.sf.net/sfu/sf-spreadtheword
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Keven T. <byt...@sh...> - 2009-01-14 21:13:35
|
Nope, that's not it. Cron is setup to run newsyslog every hour, but SSHguard terminates randomly "whenever". As I've said, for whatever reason fgets is returning NULL and breaking out of the main loop. The signal handler for sigint/sigfin isn't being called here as it would be if syslogd or some other program was sending sshguard a sigint. I'm not sure if this is a bug with fgets, OpenBSD, or syslogd, but I'll try and do some debugging today and figure it out. -KT On Jan 14, 2009, at 12:01 PM, Mij wrote: > Hello Keven, > > Do you have log rotation? Log rotation causes processes to be signaled > for opening the new log files. This is often the case causing those > message > in log files. > > > On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote: > >> Okay, I just did some quick debugging here. >> >> It appears like SSHguard is exiting the main loop in sshguard.c. For >> whatever reason, on OpenBSD 4.4, the line: >> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) >> >> Is indeed returning NULL. This causes the loop to break and exit(0) >> is >> called, resulting in the "Got exit signal" message. According to >> google (and I'm not a programmer), this is caused either by fgets >> encountering EOF or some other error. >> >> Any ideas to as why this is occurring? >> >> -KT >> >> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote: >> >>> Greetings to all. >>> >>> I've been trying to get SSHguard running *reliably* on several >>> OpenBSD >>> 4.4 boxes. They all exhibit the same problem. >>> >>> I've installed sshguard (both 1.4-rc2 and svn) and have it currently >>> running as root (though I doubt this has anything to do with the >>> problem) via Syslog. The relevant syslog.conf line is: >>> auth.info;auth.priv |exec /usr/sbin/sshguard >>> >>> SSHguard launches as expected when there's authlog traffic, and >>> works >>> just fine. I can hammer the box from the LAN and SSHguard adds the >>> IP >>> addresses to the pf table. That's all fine and great. >>> >>> The problem is, that SSHguard constantly "exits". I'm not sure if >>> this >>> is a SSHguard problem or something OpenBSD related, because I can't >>> find anything in syslog's man page about this and there's nothing in >>> my crontabs that would otherwise interfere with SSHguard. >>> >>> What happens is that every ~5-20 minutes (it seems completely >>> random?), SSHguard prints the following in authlog: >>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488 >>> seconds." >>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing >>> blocked >>> addresses and exiting..." >>> >>> 10.0.1.140 is one of /several/ systems I used to test SSHguard- >>> there >>> were about ~10 IP's in the blocklist in this case, the latest one >>> was >>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once >>> again >>> exited for no apparent reason. Obviously, when SSHguard exited, the >>> entire table was flushed. There's no way the last IP that was >>> blocked >>> had exceeded 420 seconds prior to SSHguard "getting an exit signal". >>> >>> I'm not sure why it does this. Once SSHguard cleanly exits (due to >>> the >>> above "signal"), syslogd restarts it as soon as there's authlog >>> traffic again and SSHguard runs anywhere from 5-20 minutes before >>> exiting. Rinse, repeat. It will do this all day, basically. >>> >>> I have no idea if this is by design, or what is going on here. Any >>> ideas? >>> >>> Cheers, >>> -KT >>> >>> ------------------------------------------------------------------------------ >>> This SF.net email is sponsored by: >>> SourcForge Community >>> SourceForge wants to tell your story. >>> http://p.sf.net/sfu/sf-spreadtheword >>> _______________________________________________ >>> Sshguard-users mailing list >>> Ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> >> >> ------------------------------------------------------------------------------ >> This SF.net email is sponsored by: >> SourcForge Community >> SourceForge wants to tell your story. >> http://p.sf.net/sfu/sf-spreadtheword >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Mij <mi...@bi...> - 2009-01-14 19:01:13
|
Hello Keven, Do you have log rotation? Log rotation causes processes to be signaled for opening the new log files. This is often the case causing those message in log files. On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote: > Okay, I just did some quick debugging here. > > It appears like SSHguard is exiting the main loop in sshguard.c. For > whatever reason, on OpenBSD 4.4, the line: > while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) > > Is indeed returning NULL. This causes the loop to break and exit(0) is > called, resulting in the "Got exit signal" message. According to > google (and I'm not a programmer), this is caused either by fgets > encountering EOF or some other error. > > Any ideas to as why this is occurring? > > -KT > > On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote: > >> Greetings to all. >> >> I've been trying to get SSHguard running *reliably* on several >> OpenBSD >> 4.4 boxes. They all exhibit the same problem. >> >> I've installed sshguard (both 1.4-rc2 and svn) and have it currently >> running as root (though I doubt this has anything to do with the >> problem) via Syslog. The relevant syslog.conf line is: >> auth.info;auth.priv |exec /usr/sbin/sshguard >> >> SSHguard launches as expected when there's authlog traffic, and works >> just fine. I can hammer the box from the LAN and SSHguard adds the IP >> addresses to the pf table. That's all fine and great. >> >> The problem is, that SSHguard constantly "exits". I'm not sure if >> this >> is a SSHguard problem or something OpenBSD related, because I can't >> find anything in syslog's man page about this and there's nothing in >> my crontabs that would otherwise interfere with SSHguard. >> >> What happens is that every ~5-20 minutes (it seems completely >> random?), SSHguard prints the following in authlog: >> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488 >> seconds." >> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing >> blocked >> addresses and exiting..." >> >> 10.0.1.140 is one of /several/ systems I used to test SSHguard- there >> were about ~10 IP's in the blocklist in this case, the latest one was >> blocked/added at 02:33:07, only ~16 seconds before SSHguard once >> again >> exited for no apparent reason. Obviously, when SSHguard exited, the >> entire table was flushed. There's no way the last IP that was blocked >> had exceeded 420 seconds prior to SSHguard "getting an exit signal". >> >> I'm not sure why it does this. Once SSHguard cleanly exits (due to >> the >> above "signal"), syslogd restarts it as soon as there's authlog >> traffic again and SSHguard runs anywhere from 5-20 minutes before >> exiting. Rinse, repeat. It will do this all day, basically. >> >> I have no idea if this is by design, or what is going on here. Any >> ideas? >> >> Cheers, >> -KT >> >> ------------------------------------------------------------------------------ >> This SF.net email is sponsored by: >> SourcForge Community >> SourceForge wants to tell your story. >> http://p.sf.net/sfu/sf-spreadtheword >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Mij <mi...@bi...> - 2009-01-14 18:58:57
|
Hello Michel, Sorry for overlooking this post, I'm actually very interested. To clarify your scenario: you have 2 instances of sshguard, one for the host, the other one for both jails. I guess both jails are logging to the same file, and you are monitoring that (?). Is it always the "jails" process to show this behavior? Do you see anything strange ending up in logs? Can you report sshguard's more verbose messages (do you have debug.log or similar?)? thanks On Dec 20, 2008, at 5:55 PM, Michel wrote: > Hello, > > I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from > time to time sshguard go to 100% cpu. > > PID JID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU > COMMAND > 240 0 root 1 132 0 1936K 1188K > RUN 31:03 98.34% sshguard > ....... > ....... > 13756 0 root 4 20 0 1936K 1212K > kserel 0:01 0.00% sshguard > ...... > > > When this occur sshguard continue to protect the host : > > Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3 > failures over 1 seconds. > Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3 > failures over 2 seconds. > Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3 > failures over 163 seconds. > Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3 > failures over 3 seconds. > Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3 > failures over 2 seconds. > Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3 > failures over 3 seconds. > > but dont protect the jails any more : > > Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from > 121.134.8.168 > Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from > 121.134.8.168 > Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from > 121.134.8.168 > Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from > 121.134.8.168 > Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from > 121.134.8.168 > Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from > 121.134.8.168 > Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from > 121.134.8.168 > Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from > 121.134.8.168 > Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from > 121.134.8.168 > > I have to kill the 100% sshguard to return to "normal" behaviour. > > Any help ? > > ------------------------------------------------------------------------------ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Keven T. <byt...@sh...> - 2009-01-14 10:09:16
|
Okay, I just did some quick debugging here. It appears like SSHguard is exiting the main loop in sshguard.c. For whatever reason, on OpenBSD 4.4, the line: while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) Is indeed returning NULL. This causes the loop to break and exit(0) is called, resulting in the "Got exit signal" message. According to google (and I'm not a programmer), this is caused either by fgets encountering EOF or some other error. Any ideas to as why this is occurring? -KT On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote: > Greetings to all. > > I've been trying to get SSHguard running *reliably* on several OpenBSD > 4.4 boxes. They all exhibit the same problem. > > I've installed sshguard (both 1.4-rc2 and svn) and have it currently > running as root (though I doubt this has anything to do with the > problem) via Syslog. The relevant syslog.conf line is: > auth.info;auth.priv |exec /usr/sbin/sshguard > > SSHguard launches as expected when there's authlog traffic, and works > just fine. I can hammer the box from the LAN and SSHguard adds the IP > addresses to the pf table. That's all fine and great. > > The problem is, that SSHguard constantly "exits". I'm not sure if this > is a SSHguard problem or something OpenBSD related, because I can't > find anything in syslog's man page about this and there's nothing in > my crontabs that would otherwise interfere with SSHguard. > > What happens is that every ~5-20 minutes (it seems completely > random?), SSHguard prints the following in authlog: > "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488 > seconds." > "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing blocked > addresses and exiting..." > > 10.0.1.140 is one of /several/ systems I used to test SSHguard- there > were about ~10 IP's in the blocklist in this case, the latest one was > blocked/added at 02:33:07, only ~16 seconds before SSHguard once again > exited for no apparent reason. Obviously, when SSHguard exited, the > entire table was flushed. There's no way the last IP that was blocked > had exceeded 420 seconds prior to SSHguard "getting an exit signal". > > I'm not sure why it does this. Once SSHguard cleanly exits (due to the > above "signal"), syslogd restarts it as soon as there's authlog > traffic again and SSHguard runs anywhere from 5-20 minutes before > exiting. Rinse, repeat. It will do this all day, basically. > > I have no idea if this is by design, or what is going on here. Any > ideas? > > Cheers, > -KT > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Keven T. <byt...@sh...> - 2009-01-14 09:47:19
|
Greetings to all. I've been trying to get SSHguard running *reliably* on several OpenBSD 4.4 boxes. They all exhibit the same problem. I've installed sshguard (both 1.4-rc2 and svn) and have it currently running as root (though I doubt this has anything to do with the problem) via Syslog. The relevant syslog.conf line is: auth.info;auth.priv |exec /usr/sbin/sshguard SSHguard launches as expected when there's authlog traffic, and works just fine. I can hammer the box from the LAN and SSHguard adds the IP addresses to the pf table. That's all fine and great. The problem is, that SSHguard constantly "exits". I'm not sure if this is a SSHguard problem or something OpenBSD related, because I can't find anything in syslog's man page about this and there's nothing in my crontabs that would otherwise interfere with SSHguard. What happens is that every ~5-20 minutes (it seems completely random?), SSHguard prints the following in authlog: "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488 seconds." "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing blocked addresses and exiting..." 10.0.1.140 is one of /several/ systems I used to test SSHguard- there were about ~10 IP's in the blocklist in this case, the latest one was blocked/added at 02:33:07, only ~16 seconds before SSHguard once again exited for no apparent reason. Obviously, when SSHguard exited, the entire table was flushed. There's no way the last IP that was blocked had exceeded 420 seconds prior to SSHguard "getting an exit signal". I'm not sure why it does this. Once SSHguard cleanly exits (due to the above "signal"), syslogd restarts it as soon as there's authlog traffic again and SSHguard runs anywhere from 5-20 minutes before exiting. Rinse, repeat. It will do this all day, basically. I have no idea if this is by design, or what is going on here. Any ideas? Cheers, -KT |
|
From: Mij <mi...@bi...> - 2009-01-05 12:48:22
|
Thanks Meethune, that's been commited to the SVN. michele On Jan 5, 2009, at 0:00 , Meethune Bhowmick wrote: > Signed-off-by: Meethune Bhowmick <mee...@gm...> > --- > src/simclist.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/src/simclist.c b/src/simclist.c > index e9061bd..0bfc2c0 100755 > --- a/src/simclist.c > +++ b/src/simclist.c > @@ -52,6 +52,11 @@ > /* convert 64bit integers from network to host format */ > #define ntoh64(x) (hton64(x)) > > +/* OpenBSD does not have EPROTO */ > +#ifndef EPROTO > +#define EPROTO EINTR > +#endif > + > /* disable asserts */ > #ifndef SIMCLIST_DEBUG > #define NDEBUG > -- > 1.6.1 > > > ------------------------------------------------------------------------------ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Meethune B. <mee...@gm...> - 2009-01-04 23:01:15
|
Signed-off-by: Meethune Bhowmick <mee...@gm...> --- src/simclist.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/src/simclist.c b/src/simclist.c index e9061bd..0bfc2c0 100755 --- a/src/simclist.c +++ b/src/simclist.c @@ -52,6 +52,11 @@ /* convert 64bit integers from network to host format */ #define ntoh64(x) (hton64(x)) +/* OpenBSD does not have EPROTO */ +#ifndef EPROTO +#define EPROTO EINTR +#endif + /* disable asserts */ #ifndef SIMCLIST_DEBUG #define NDEBUG -- 1.6.1 |
|
From: Michel <mi...@do...> - 2008-12-20 16:55:27
|
Hello, I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from time to time sshguard go to 100% cpu. PID JID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND 240 0 root 1 132 0 1936K 1188K RUN 31:03 98.34% sshguard ....... ....... 13756 0 root 4 20 0 1936K 1212K kserel 0:01 0.00% sshguard ...... When this occur sshguard continue to protect the host : Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3 failures over 1 seconds. Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3 failures over 2 seconds. Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3 failures over 163 seconds. Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3 failures over 3 seconds. Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3 failures over 2 seconds. Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3 failures over 3 seconds. but dont protect the jails any more : Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from 121.134.8.168 Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from 121.134.8.168 Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from 121.134.8.168 Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from 121.134.8.168 Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from 121.134.8.168 Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from 121.134.8.168 Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from 121.134.8.168 Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from 121.134.8.168 Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from 121.134.8.168 I have to kill the 100% sshguard to return to "normal" behaviour. Any help ? |
|
From: Mij <mi...@bi...> - 2008-12-18 09:31:35
|
Hello ospito, - did you check with what user sshguard is running? - did you try to run sshguard in interactive testing mode (-d)? michele On Dec 15, 2008, at 2:33 PM, ssh...@os... wrote: > > Citeren "Hans F. Nordhaug" <Han...@hi...>: > >> * ssh...@os... <ssh...@os...> [2008-12-15]: >>> >>> Citeren "Hans F. Nordhaug" <Han...@hi...>: >>> >>>> * ssh...@os... <ssh...@os...> [2008-12-15]: >>>>> Hello, >>>>> I'm using SSHGuard for a few weeks now and all looks very nice. >>>>> At my >>>>> tests all went fine, but last day there was a brute force going >>>>> on at >>>>> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in >>>>> action wasn't what I expected, it looks like there's something >>>>> wrong, >>>>> but I've no idea what it is. Please look at my logs and see for >>>>> yourself what I mean. >>>>> >>>>> Dec 12 10:11:37 servername sshguard[88506]: Blocking >>>>> 12.34.56.78: 7 >>>>> failures over 0 seconds. >>>> [...] >>>>> Dec 12 10:11:37 servername sshguard[88506]: Blocking >>>>> 12.34.56.78: 7 >>>>> failures over 0 seconds. >>>> [...] >>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking >>>>> 12.34.56.78: 7 >>>>> failures over 1 seconds. >>>> [...] >>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking >>>>> 12.34.56.78: 7 >>>>> failures over 0 seconds. >>>> [...] >>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking >>>>> 12.34.56.78: 7 >>>>> failures over 0 seconds. >>>>> Dec 12 10:11:38 servername last message repeated 3 times >>>>> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw >>> delete 55031" exited 69 >>>>> Dec 12 10:28:46 servername sshguard[88506]: Release command >>>>> failed. >>>>> Exited: -1 >>>> [cut] >>>> >>>> The two last lines are the important ones. Apperently you haven't >>>> allowed sshguard to interact with ipfw - see >>>> <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html> >>>> I can't help you with the specific details for ipfw since I >>>> prefer to >>>> use sshguard together with pf (on FreeBSD). >>>> >>>> Hans >>>> >>>> PS! Have you installed sshguard through ports? See >>>> <http://www.freshports.org/security/sshguard-ipfw/> >>> >>> I installed SSHGuard through ports indeed >>> (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my >>> whole >>> firewall is based on it, all my accept rules start at 60000, below >>> are >>> only some blocks and ICMP accepts. The 50000 till 60000 are unused >>> and >>> reserved for SSHGuard. >>> I don't thing this is the problem, as you can see it works when I >>> try >>> it myself. Thanks for your input. >> >> The reason sshguard is blocking 12.34.56.78 several times in a row is >> because it's not able to add the blocking rules to ipfw. This is the >> problem whether you believe it or not. Maybe ask on the freebsd/ipfw >> mailing list? >> >> Hans >> >> PS! I didn't mean that you should switch from ipfw to pf. >> >> ------------------------------------------------------------------------------ >> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, >> Nevada. >> The future of the web can't happen without you. Join us at MIX09 >> to help >> pave the way to the Next Web now. Learn more and register at >> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > > Hello Hans, > Thanks you for your answer. It sounds like a possibility, but why > can't SSHGuard add a rule to ipfw? When I login to ProFTPd with wrong > credentials I'll be blocked and it works nicely. But in the brute > force yesterday ipfw commands didn't work from SSHGuard. Can you think > of an explanation? I think sshguard can't handle this amount of > requests an it's not because of ipfw, that works perfectly. I also can > manually add and delete rules to my ipfw table. > > Thanks again. > > > ------------------------------------------------------------------------------ > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, > Nevada. > The future of the web can't happen without you. Join us at MIX09 to > help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: <ssh...@os...> - 2008-12-15 13:34:04
|
Citeren "Hans F. Nordhaug" <Han...@hi...>: > * ssh...@os... <ssh...@os...> [2008-12-15]: >> >> Citeren "Hans F. Nordhaug" <Han...@hi...>: >> >> > * ssh...@os... <ssh...@os...> [2008-12-15]: >> >> Hello, >> >> I'm using SSHGuard for a few weeks now and all looks very nice. At my >> >> tests all went fine, but last day there was a brute force going on at >> >> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in >> >> action wasn't what I expected, it looks like there's something wrong, >> >> but I've no idea what it is. Please look at my logs and see for >> >> yourself what I mean. >> >> >> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> >> failures over 0 seconds. >> > [...] >> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> >> failures over 0 seconds. >> > [...] >> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> >> failures over 1 seconds. >> > [...] >> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> >> failures over 0 seconds. >> > [...] >> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> >> failures over 0 seconds. >> >> Dec 12 10:11:38 servername last message repeated 3 times >> >> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw >> delete 55031" exited 69 >> >> Dec 12 10:28:46 servername sshguard[88506]: Release command failed. >> >> Exited: -1 >> > [cut] >> > >> > The two last lines are the important ones. Apperently you haven't >> > allowed sshguard to interact with ipfw - see >> > <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html> >> > I can't help you with the specific details for ipfw since I prefer to >> > use sshguard together with pf (on FreeBSD). >> > >> > Hans >> > >> > PS! Have you installed sshguard through ports? See >> > <http://www.freshports.org/security/sshguard-ipfw/> >> >> I installed SSHGuard through ports indeed >> (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole >> firewall is based on it, all my accept rules start at 60000, below are >> only some blocks and ICMP accepts. The 50000 till 60000 are unused and >> reserved for SSHGuard. >> I don't thing this is the problem, as you can see it works when I try >> it myself. Thanks for your input. > > The reason sshguard is blocking 12.34.56.78 several times in a row is > because it's not able to add the blocking rules to ipfw. This is the > problem whether you believe it or not. Maybe ask on the freebsd/ipfw > mailing list? > > Hans > > PS! I didn't mean that you should switch from ipfw to pf. > > ------------------------------------------------------------------------------ > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. > The future of the web can't happen without you. Join us at MIX09 to help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > Hello Hans, Thanks you for your answer. It sounds like a possibility, but why can't SSHGuard add a rule to ipfw? When I login to ProFTPd with wrong credentials I'll be blocked and it works nicely. But in the brute force yesterday ipfw commands didn't work from SSHGuard. Can you think of an explanation? I think sshguard can't handle this amount of requests an it's not because of ipfw, that works perfectly. I also can manually add and delete rules to my ipfw table. Thanks again. |
|
From: Hans F. N. <Han...@hi...> - 2008-12-15 13:12:22
|
* ssh...@os... <ssh...@os...> [2008-12-15]: > > Citeren "Hans F. Nordhaug" <Han...@hi...>: > > > * ssh...@os... <ssh...@os...> [2008-12-15]: > >> Hello, > >> I'm using SSHGuard for a few weeks now and all looks very nice. At my > >> tests all went fine, but last day there was a brute force going on at > >> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in > >> action wasn't what I expected, it looks like there's something wrong, > >> but I've no idea what it is. Please look at my logs and see for > >> yourself what I mean. > >> > >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 > >> failures over 0 seconds. > > [...] > >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 > >> failures over 0 seconds. > > [...] > >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > >> failures over 1 seconds. > > [...] > >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > >> failures over 0 seconds. > > [...] > >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > >> failures over 0 seconds. > >> Dec 12 10:11:38 servername last message repeated 3 times > >> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 > >> Dec 12 10:28:46 servername sshguard[88506]: Release command failed. > >> Exited: -1 > > [cut] > > > > The two last lines are the important ones. Apperently you haven't > > allowed sshguard to interact with ipfw - see > > <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html> > > I can't help you with the specific details for ipfw since I prefer to > > use sshguard together with pf (on FreeBSD). > > > > Hans > > > > PS! Have you installed sshguard through ports? See > > <http://www.freshports.org/security/sshguard-ipfw/> > > I installed SSHGuard through ports indeed > (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole > firewall is based on it, all my accept rules start at 60000, below are > only some blocks and ICMP accepts. The 50000 till 60000 are unused and > reserved for SSHGuard. > I don't thing this is the problem, as you can see it works when I try > it myself. Thanks for your input. The reason sshguard is blocking 12.34.56.78 several times in a row is because it's not able to add the blocking rules to ipfw. This is the problem whether you believe it or not. Maybe ask on the freebsd/ipfw mailing list? Hans PS! I didn't mean that you should switch from ipfw to pf. |
|
From: <ssh...@os...> - 2008-12-15 13:00:08
|
Citeren "Hans F. Nordhaug" <Han...@hi...>: > * ssh...@os... <ssh...@os...> [2008-12-15]: >> Hello, >> I'm using SSHGuard for a few weeks now and all looks very nice. At my >> tests all went fine, but last day there was a brute force going on at >> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in >> action wasn't what I expected, it looks like there's something wrong, >> but I've no idea what it is. Please look at my logs and see for >> yourself what I mean. >> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> failures over 0 seconds. > [...] >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> failures over 0 seconds. > [...] >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> failures over 1 seconds. > [...] >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> failures over 0 seconds. > [...] >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 >> failures over 0 seconds. >> Dec 12 10:11:38 servername last message repeated 3 times >> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw >> delete 55031" exited 69 >> Dec 12 10:28:46 servername sshguard[88506]: Release command failed. >> Exited: -1 > [cut] > > The two last lines are the important ones. Apperently you haven't > allowed sshguard to interact with ipfw - see > <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html> > I can't help you with the specific details for ipfw since I prefer to > use sshguard together with pf (on FreeBSD). > > Hans > > PS! Have you installed sshguard through ports? See > <http://www.freshports.org/security/sshguard-ipfw/> > > ------------------------------------------------------------------------------ > SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. > The future of the web can't happen without you. Join us at MIX09 to help > pave the way to the Next Web now. Learn more and register at > http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > I installed SSHGuard through ports indeed (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole firewall is based on it, all my accept rules start at 60000, below are only some blocks and ICMP accepts. The 50000 till 60000 are unused and reserved for SSHGuard. I don't thing this is the problem, as you can see it works when I try it myself. Thanks for your input. |
|
From: Hans F. N. <Han...@hi...> - 2008-12-15 11:08:33
|
* ssh...@os... <ssh...@os...> [2008-12-15]: > Hello, > I'm using SSHGuard for a few weeks now and all looks very nice. At my > tests all went fine, but last day there was a brute force going on at > my ProFTPd. Nothing spectacular, happened before, but SSHGuard in > action wasn't what I expected, it looks like there's something wrong, > but I've no idea what it is. Please look at my logs and see for > yourself what I mean. > > Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 > failures over 0 seconds. [...] > Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 > failures over 0 seconds. [...] > Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > failures over 1 seconds. [...] > Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > failures over 0 seconds. [...] > Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 > failures over 0 seconds. > Dec 12 10:11:38 servername last message repeated 3 times > Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 > Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 [cut] The two last lines are the important ones. Apperently you haven't allowed sshguard to interact with ipfw - see <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html> I can't help you with the specific details for ipfw since I prefer to use sshguard together with pf (on FreeBSD). Hans PS! Have you installed sshguard through ports? See <http://www.freshports.org/security/sshguard-ipfw/> |
|
From: <ssh...@os...> - 2008-12-15 10:00:17
|
Hello, I'm using SSHGuard for a few weeks now and all looks very nice. At my tests all went fine, but last day there was a brute force going on at my ProFTPd. Nothing spectacular, happened before, but SSHGuard in action wasn't what I expected, it looks like there's something wrong, but I've no idea what it is. Please look at my logs and see for yourself what I mean. Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 failures over 0 seconds. Dec 12 10:11:37 servername proftpd[95672]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:37 servername proftpd[95673]: 999.888.777.24 (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:37 servername proftpd[95674]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:37 servername proftpd[95675]: anotherdomainiown.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7 failures over 0 seconds. Dec 12 10:11:37 servername proftpd[95676]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername proftpd[95678]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 failures over 1 seconds. Dec 12 10:11:38 servername proftpd[95659]: yetanotherdomainiown.nl (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername proftpd[95679]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername proftpd[95680]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 failures over 0 seconds. Dec 12 10:11:38 servername proftpd[95682]: serverxy.mydomain.com (12.34.56.78[12.34.56.78]) - no such user 'anonymous' Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7 failures over 0 seconds. Dec 12 10:11:38 servername last message repeated 3 times Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1 Dec 12 10:56:08 servername proftpd[486]: anotherdomainiown.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[487]: domain925835.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[488]: domain9876543.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[489]: domain1234567.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[491]: serverxy.mydomain.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[490]: 999.888.777.24 (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername proftpd[492]: serverxy.mydomain.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 10:56:08 servername sshguard[88506]: Blocking 12.34.56.68: 7 failures over 0 seconds. Dec 12 10:56:08 servername proftpd[494]: serverxy.mydomain.com (12.34.56.68[12.34.56.68]) - no such user 'anonymous' Dec 12 11:00:02 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69 Dec 12 12:05:22 servername su: hans to root on /dev/ttyp0 Dec 12 13:21:37 servername proftpd[17900]: domain63857.com (12.34.56.67[12.34.56.67]) - no such user 'anonymous' Dec 12 13:21:37 servername proftpd[17901]: domain845713.com (12.34.56.67[12.34.56.67]) - no such user 'anonymous' Dec 12 13:21:37 servername proftpd[17902]: anotherdomainiown.com (12.34.56.67[12.34.56.67]) - no such user 'anonymous' Dec 14 15:41:31 servername sshguard[92245]: Blocking 12.34.56.69: 7 failures over 0 seconds. Dec 14 15:41:31 servername proftpd[6223]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:31 servername proftpd[6226]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:31 servername proftpd[6225]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:32 servername sshguard[92245]: Blocking 12.34.56.69: 7 failures over 1 seconds. Dec 14 15:41:32 servername sshguard[92245]: Blocking 12.34.56.69: 7 failures over 0 seconds. Dec 14 15:41:32 servername proftpd[6216]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6237]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6240]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6236]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6235]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6234]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername sshguard[92245]: Blocking 12.34.56.69: 7 failures over 2 seconds. Dec 14 15:41:34 servername proftpd[6247]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6239]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6241]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' Dec 14 15:41:34 servername proftpd[6243]: serverxy.mydomain.com (12.34.56.69[12.34.56.69]) - no such user 'possibleuser' And many many more. IP's starting with 12.34.56. are from the 'user' who tries to login :-) I've the strong feeling that these IP's didn't get blocked, because the attempts were going on, although SSHGuard sais the ip is in the firewall. At this point I tried to login with non existing users and see the results. Dec 15 10:29:52 servername proftpd[20469]: servername.mydomain.com (my.own.ip.address[my.own.ip.address]) - no such user 'sdfsdfsdf' Dec 15 10:30:09 servername proftpd[20546]: servername.mydomain.com (my.own.ip.address[my.own.ip.address]) - no such user 'fdkgjhkdjghjkdf' Dec 15 10:30:24 servername proftpd[20553]: servername.mydomain.com (my.own.ip.address[my.own.ip.address]) - no such user 'dfkjghdkjgh' Dec 15 10:30:38 servername proftpd[20572]: servername.mydomain.com (my.own.ip.address[my.own.ip.address]) - no such user 'jkfjhskjghfg' Dec 15 10:30:38 servername sshguard[17492]: Blocking my.own.ip.address: 7 failures over 46 seconds. That looks great! Does anyone know what this log behaviour explains? Maybe SSHGuard can't handle the load? Thanks in advance. |
|
From: Hans F. N. <Han...@hi...> - 2008-11-26 10:53:30
|
Hi! Has someone made a source RPM for the latest version (1.3) of sshguard? I think there was one for 1.0.1 - ref <http://sshguard.sourceforge.net/packages/> and <http://sshguard.sourceforge.net/packages/linux-rpm/installing.txt>. Thx for listening ;-) Hans |
2 messages has been excluded from this view by a project administrator.
