sshguard-users — User questions and answers, bugs, and general support

[Sshguard-users] More patches.

[Keven T. <byt...@sh...>]

Greetings to all.

I've attached a bunch of patches to sshguard as below. These consist  
of the following fixes/features:

1) Added support for snort IDS style syslog "alerts" (offending hosts)  
to sshguard_services.h, attack_parser.h, attack_parser.y, and  
attack_scanner.l. I think everything I've done here is valid, though  
I'm not familiar with Flex so the attack_scanner.l code might be  
slightly whacked. It does, however, compile and actually works. If  
anyone wants to run over the relevant code in attack_scanner.l, here's  
a sample Snort syslog output (IP addresses are just random numbers):

Jan 15 15:49:20 sensor snort[11588]: [1:402:8] ICMP Destination  
Unreachable Port Unreachable [Classification: Misc activity]  
[Priority: 3]: {ICMP} 212.79.65.90 -> 96.56.224.81

The format of it is pretty simple:

<syslog crap> [NUMBER:NUMBER:NUMBER] <more text> {WORD} SOURCE_IP ->  
DEST_IP

Where SOURCE_IP is the /only/ thing that should matter, since that is  
the originating IP that the detected attack came from. This is what I / 
tried/ to write the attack_scanner.l code to do, and it seems to work  
just fine.

2) Modified sshguard.c to properly support abuse thresholds of "1".  
This is primarily for the above Snort modifications (block-on-sight),  
though I believe it applies to parsing of any other logs. For whatever  
reason, sshguard_options.c was setup to accept -a 1, but sshguard.c  
effectively ignored the first abuse sighting regardless of what -a was  
set to. The fix basically involves removing one line and changing  
another, so that first-time abusers are blocked on sight if -a is set  
to 1 (block on 1st abuse).

3) Modified sshguard_options.c so that values < -p 2 are ignored and  
usage is printed. When -p is set to 1 (which really doesn't make  
sense, but whatever), sshguard_options.c accepted this and caused the  
line: sleep(1 + random() % (opts.pardon_threshold/2)) to immediately  
bomb out with a FP error. Limiting -p's minimum to 2 obviously solves  
this problem. Again, I don't know why -p would be set to such a low  
value, but it's a crash I came across regardless and fixed.

Patches are below.

-KT

*** ./sshguard_original/src/attack_parser.h	2009-01-15  
16:01:38.000000000 -0700
--- ./sshguard/src/attack_parser.h	2009-01-15 15:59:43.000000000 -0700
***************
*** 70,76 ****
        PROFTPD_LOGINERR_PREF = 286,
        PROFTPD_LOGINERR_SUFF = 287,
        PUREFTPD_LOGINERR_PREF = 288,
!      PUREFTPD_LOGINERR_SUFF = 289
      };
   #endif
   /* Tokens.  */
--- 70,78 ----
        PROFTPD_LOGINERR_PREF = 286,
        PROFTPD_LOGINERR_SUFF = 287,
        PUREFTPD_LOGINERR_PREF = 288,
!      PUREFTPD_LOGINERR_SUFF = 289,
!      SNORTIDS_ALERTERR_PREF = 290,
!      SNORTIDS_ALERTERR_SUFF = 291
      };
   #endif
   /* Tokens.  */
***************
*** 106,111 ****
--- 108,115 ----
   #define PROFTPD_LOGINERR_SUFF 287
   #define PUREFTPD_LOGINERR_PREF 288
   #define PUREFTPD_LOGINERR_SUFF 289
+ #define SNORTIDS_ALERTERR_PREF 290
+ #define SNORTIDS_ALERTERR_SUFF 291

*** ./sshguard_original/src/attack_parser.y	2009-01-15  
16:01:38.000000000 -0700
--- ./sshguard/src/attack_parser.y	2009-01-15 14:50:04.000000000 -0700
***************
*** 49,54 ****
--- 49,56 ----
   %token PROFTPD_LOGINERR_PREF PROFTPD_LOGINERR_SUFF
   /* PureFTPd */
   %token PUREFTPD_LOGINERR_PREF PUREFTPD_LOGINERR_SUFF
+ /* Snort IDS */
+ %token SNORTIDS_ALERTERR_PREF SNORTIDS_ALERTERR_SUFF

   %%

***************
*** 100,105 ****
--- 102,108 ----
       | freebsdftpdmsg    {   parsed_attack.service =  
SERVICES_FREEBSDFTPD; }
       | proftpdmsg        {   parsed_attack.service =  
SERVICES_PROFTPD; }
       | pureftpdmsg       {   parsed_attack.service =  
SERVICES_PUREFTPD; }
+     | snortidsmsg       {   parsed_attack.service =  
SERVICES_SNORTIDS; }
       ;

   /* an address */
***************
*** 212,217 ****
--- 215,225 ----
       PUREFTPD_LOGINERR_PREF addr PUREFTPD_LOGINERR_SUFF
       ;

+ /* attach rules for Snort IDS */
+ snortidsmsg:
+     SNORTIDS_ALERTERR_PREF addr SNORTIDS_ALERTERR_SUFF
+     ;
+
   %%

   void yyerror(char *msg) { /* do nothing */ }

*** ./sshguard_original/src/attack_scanner.l	2009-01-15  
16:01:38.000000000 -0700
--- ./sshguard/src/attack_scanner.l	2009-01-15 15:12:40.000000000 -0700
***************
*** 63,69 ****
   %option debug

   %array
! %s ssh_notallowed ssh_loginerr ssh_reversemap  dovecot_loginerr   
cyrusimap_loginerr  freebsdftpd_loginerr  proftpd_loginerr   
pureftpd_loginerr

   MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
   DAYNO       [1-9][0-9]?
--- 63,69 ----
   %option debug

   %array
! %s ssh_notallowed ssh_loginerr ssh_reversemap  dovecot_loginerr   
cyrusimap_loginerr  freebsdftpd_loginerr  proftpd_loginerr   
pureftpd_loginerr snortids_alerterr

   MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
   DAYNO       [1-9][0-9]?
***************
*** 146,151 ****
--- 146,155 ----
   "("[^@] 
+ 
"@"                                                     { BEGIN 
(pureftpd_loginerr); return PUREFTPD_LOGINERR_PREF; }
   <pureftpd_loginerr>") [WARNING] Authentication failed for user ".+   
{ BEGIN(INITIAL); return PUREFTPD_LOGINERR_SUFF; }

+  /* Snort IDS */
+  
"["{NUMBER 
}":"{NUMBER 
}":"{NUMBER 
}"]".*"{"{WORD}"}"                  { BEGIN(snortids_alerterr); return  
SNORTIDS_ALERTERR_PREF; }
+ <snortids_alerterr>"->".+                                            
{ BEGIN(INITIAL); return SNORTIDS_ALERTERR_SUFF; }
+

    /**         COMMON-USE TOKENS       do not touch these          **/
    /* an IPv4 address */

*** ./sshguard_original/src/sshguard_services.h	2009-01-15  
16:01:38.000000000 -0700
--- ./sshguard/src/sshguard_services.h	2009-01-15 15:59:42.000000000  
-0700
***************
*** 51,54 ****
--- 51,57 ----
   /* Pure-FTPd */
   #define SERVICES_PUREFTPD               320

+ /* Snort IDS */
+ #define SERVICES_SNORTIDS				330
+
   #endif

*** ./sshguard_original/src/sshguard.c	2009-01-15 16:01:38.000000000  
-0700
--- ./sshguard/src/sshguard.c	2009-01-15 16:08:24.000000000 -0700
***************
*** 287,294 ****
           tmpent = malloc(sizeof(attacker_t));
           attackerinit(tmpent, & attack);
           list_append(&limbo, tmpent);
-
-         return;
       }


--- 287,292 ----
***************
*** 395,401 ****
       ipe->attack.address.kind = attack->address.kind;
       ipe->attack.service = attack->service;
       ipe->whenfirst = ipe->whenlast = time(NULL);
!     ipe->numhits = 1;
   }

   void purge_limbo_stale(void) {
--- 393,399 ----
       ipe->attack.address.kind = attack->address.kind;
       ipe->attack.service = attack->service;
       ipe->whenfirst = ipe->whenlast = time(NULL);
!     ipe->numhits = 0;
   }

   void purge_limbo_stale(void) {


*** ./sshguard_original/src/sshguard_options.c	2009-01-15  
16:01:38.000000000 -0700
--- ./sshguard/src/sshguard_options.c	2009-01-15 15:49:12.000000000  
-0700
***************
*** 65,72 ****
                   break;
               case 'p':   /* pardon threshold interval */
                   opts.pardon_threshold = strtol(optarg, (char  
**)NULL, 10);
!                 if (opts.pardon_threshold < 1) {
!                     fprintf(stderr, "Doesn't make sense to have a  
pardon time lower than 1 second. Terminating.\n");
                       return -1;
                   }
                   break;
--- 65,72 ----
                   break;
               case 'p':   /* pardon threshold interval */
                   opts.pardon_threshold = strtol(optarg, (char  
**)NULL, 10);
!                 if (opts.pardon_threshold < 2) {
!                     fprintf(stderr, "Doesn't make sense to have a  
pardon time lower than 2 second. Terminating.\n");
                       return -1;
                   }
                   break;

Re: [Sshguard-users] sshguard go to 100% cpu

[Michel <mi...@do...>]

Le mercredi 14 janvier 2009, Mij a écrit :
> Hello Michel,
> 
> Sorry for overlooking this post, I'm actually very interested.
> To clarify your scenario: you have 2 instances of sshguard,
> one for the host, the other one for both jails. I guess both
> jails are logging to the same file, and you are monitoring that (?).
> 
> Is it always the "jails" process to show this behavior? Do you see
> anything strange ending up in logs? Can you report sshguard's more
> verbose messages (do you have debug.log or similar?)?
> 
> thanks
> 

No, I usualy have only one sshguard running :
ps -aux | grep sshguard \
       root     46873  0.0  0.1  1888  1132  ??  Is   10:00AM   0:00.05 /usr/local/sbin/sshguard -w

I use syslog in the jails to log all auth.log on the host and the syslog.conf of the host have the lines :
auth.info;authpriv.info                         /var/log/auth.log
auth.info;authpriv.info       |exec /usr/local/sbin/sshguard -w 82.225.216.24 -w 82.241.2.81 -a 3 -p 600 -s 1800

The last time the problem appear (from daily security mail) :

Jan 14 09:42:00 michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 michel sshd[28976]: Invalid user admin from 203.252.182.37


In the auth.log of the host (dedi2 is the host, dedi_? are the jails) :

Jan 14 05:21:00 dedi_raphael sshd[26881]: Did not receive identification string from 216.127.160.82
Jan 14 05:21:00 dedi2 sshguard[21669]: Blocking 216.127.160.82: 3 failures over 156 seconds.
Jan 14 05:30:21 dedi2 sshguard[21669]: Releasing 195.207.16.76 after 690 seconds.
Jan 14 08:41:06 dedi2 sshd[28485]: Did not receive identification string from 201.134.249.168
Jan 14 08:48:15 dedi2 sshd[28550]: reverse mapping checking getaddrinfo for customer-201-134-249-168.uninet-ide.com.mx [201.134.249.168] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 14 08:48:15 dedi2 sshd[28550]: Invalid user globus from 201.134.249.168
Jan 14 09:42:00 dedi_michel sshd[28968]: Invalid user lpd from 203.252.182.37
Jan 14 09:42:03 dedi_michel sshd[28970]: Invalid user lpa from 203.252.182.37
Jan 14 09:42:06 dedi_michel sshd[28972]: Invalid user admin from 203.252.182.37
Jan 14 09:42:08 dedi_michel sshd[28974]: Invalid user admin from 203.252.182.37
Jan 14 09:42:11 dedi_michel sshd[28976]: Invalid user admin from 203.252.182.37
....
a lot of lines : >600 (1 every 2-3 seconds)
....
Jan 14 10:02:53 dedi_michel sshd[31475]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi_michel sshd[31477]: Invalid user leslie from 203.252.182.37
Jan 14 10:02:56 dedi2 sshguard[31479]: Started successfully [(a,p,s)=(3, 600, 1800)], now ready to scan.
Jan 14 10:02:58 dedi_michel sshd[31480]: Invalid user leslie from 203.252.182.37
Jan 14 10:03:01 dedi_michel sshd[31482]: Invalid user leslie from 203.252.182.37


And debug.0.log :

Jan 14 05:30:21 dedi2 sshguard[21669]: Setting environment: \ 	     SSHG_ADDR=195.207.16.76;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 05:30:21 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.225.216.24' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.225.216.24.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add '82.241.2.81' as plain IPv4.
Jan 14 10:02:56 dedi2 sshguard: whitelist: add plain ip 82.241.2.81.
Jan 14 10:02:56 dedi2 sshguard[31479]: Matched IP address 203.252.182.37
Jan 14 10:03:01 dedi2 last message repeated 2 times
Jan 14 10:03:01 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jan 14 10:03:01 dedi2 sshguard[31479]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Jan 14 10:03:24 dedi2 sshguard[21669]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Jan 14 10:13:24 dedi2 sshguard[31479]: Setting environment: \ SSHG_ADDR=203.252.182.37;SSHG_ADDRKIND=4;SSHG_SERVICE=100.

It look like sshguard is trarting twice on 10:02:56 ?

Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD

[Mij <mi...@bi...>]

Committed, thanks.
Please report if the version currently in SVN still has this effect.

michele


On Jan 15, 2009, at 2:35 AM, Keven Tipping wrote:

> Found the problem.
>
> On some BSD's, fgets might be interrupted during read. This is
> different from sending the program a SIGINT (which is handled
> elsewhere and has nothing to do with this issue).
> When fgets is interrupted, it automatically returns NULL and sets
> errno to EINTR (interrupted). Since the main while loop of sshguard
> assumes that fgets doesn't return NULL so long as it's working
> properly and reading from stdin, the loop exits and shuts down
> sshguard. If sshguard is launched via syslogd, then it gets relaunched
> until fgets bombs out again, causing sshguard to shutdown. This seems
> to repeat indefinitely and there *are* cases of this happening on
> google (if you check the syslog time stamp, you can see sshguard is
> exiting at random times).
>
> I've included a patch that resolves this issue. It should be cross-
> platform compliant and basically acts as a drop-in replacement fgets
> wrapper (aptly called "safe_fgets"). It will handle EOF and error
> conditions properly, ignoring any spurious EINTR issues, since those
> are non-critical and do NOT impact the operation of the program (not
> anymore, at least).
>
> Since program signaling is handled elsewhere, sshguard will still
> properly exit and relaunch when logs are rotated via syslog/syslog-ng/
> whatever. This simply fixes the issue of sshguard exiting prematurely
> due to some weird behavior with fgets on other platforms (primarily
> BSD, it appears).
>
> I've confirmed sshguard has been running for more then ~4 hours on my
> OpenBSD box(s). It is blocking and releasing IP's properly without
> exiting inbetween. It has exited and relaunched /once/ exactly on the
> hour when authlog was rotated, but other then that it's 100% stable  
> now.
>
> -KT
>
> <------SNIP SNIP------>
> --- ./sshguard.c        Wed Jan 14 18:16:09 2009
> +++ /root/sshguard.c    Wed Jan 14 18:15:35 2009
> @@ -89,6 +89,8 @@ static inline void attackerinit(attacker_t  
> *restrict i
>  static void usage(void);
>  /* comparison operator for sorting offenders list */
>  static int lastAttackComparator(const void *a, const void *b);
> +/* safe fgets function */
> +char *safe_fgets(char *s, int size, FILE *stream);
>  /* handler for termination-related signals */
>  void sigfin_handler(int signo);
>  /* handler for suspension/resume signals */
> @@ -213,7 +215,7 @@ int main(int argc, char *argv[]) {
>              opts.abuse_threshold, (unsigned
> int)opts.pardon_threshold, (unsigned int)opts.stale_threshold);
>
>
> -    while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
> +    while (safe_fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
>          if (suspended) continue;
>
>          retv = parse_line(buf);
> @@ -233,6 +235,23 @@ int main(int argc, char *argv[]) {
>      exit(0);
>  }
>
> +char *safe_fgets(char *s, int size, FILE *stream) {
> +    for (;;) {
> +        if (fgets(s, size, stream))
> +            return s;
> +           if (feof(stream))
> +                   return NULL;
> +               if(!ferror(stream)) {
> +                   sshguard_log(LOG_ERR, "Error reading from stdin:
> unknown fgets error!");
> +                   exit(0);
> +               }
> +               if(errno != EINTR) {
> +                   sshguard_log(LOG_ERR, "Error reading from stdin:
> fgets returned %s", strerror(errno));
> +                       exit(0);
> +               }
> +               clearerr(stream);
> +       }
> +}
>
>  void report_address(attack_t attack) {
>      attacker_t *tmpent = NULL;
> <------SNIP SNIP------>
>
> On Jan 14, 2009, at 2:13 PM, Keven Tipping wrote:
>
>> Nope, that's not it.
>>
>> Cron is setup to run newsyslog every hour, but SSHguard terminates
>> randomly "whenever".
>>
>> As I've said, for whatever reason fgets is returning NULL and  
>> breaking
>> out of the main loop. The signal handler for sigint/sigfin isn't  
>> being
>> called here as it would be if syslogd or some other program was
>> sending sshguard a sigint. I'm not sure if this is a bug with fgets,
>> OpenBSD, or syslogd, but I'll try and do some debugging today and
>> figure it out.
>>
>> -KT
>>
>> On Jan 14, 2009, at 12:01 PM, Mij wrote:
>>
>>> Hello Keven,
>>>
>>> Do you have log rotation? Log rotation causes processes to be
>>> signaled
>>> for opening the new log files. This is often the case causing those
>>> message
>>> in log files.
>>>
>>>
>>> On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:
>>>
>>>> Okay, I just did some quick debugging here.
>>>>
>>>> It appears like SSHguard is exiting the main loop in sshguard.c.  
>>>> For
>>>> whatever reason, on OpenBSD 4.4, the line:
>>>> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>>>>
>>>> Is indeed returning NULL. This causes the loop to break and exit(0)
>>>> is
>>>> called, resulting in the "Got exit signal" message. According to
>>>> google (and I'm not a programmer), this is caused either by fgets
>>>> encountering EOF or some other error.
>>>>
>>>> Any ideas to as why this is occurring?
>>>>
>>>> -KT
>>>>
>>>> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>>>>
>>>>> Greetings to all.
>>>>>
>>>>> I've been trying to get SSHguard running *reliably* on several
>>>>> OpenBSD
>>>>> 4.4 boxes. They all exhibit the same problem.
>>>>>
>>>>> I've installed sshguard (both 1.4-rc2 and svn) and have it
>>>>> currently
>>>>> running as root (though I doubt this has anything to do with the
>>>>> problem) via Syslog. The relevant syslog.conf line is:
>>>>> auth.info;auth.priv	|exec /usr/sbin/sshguard
>>>>>
>>>>> SSHguard launches as expected when there's authlog traffic, and
>>>>> works
>>>>> just fine. I can hammer the box from the LAN and SSHguard adds the
>>>>> IP
>>>>> addresses to the pf table. That's all fine and great.
>>>>>
>>>>> The problem is, that SSHguard constantly "exits". I'm not sure if
>>>>> this
>>>>> is a SSHguard problem or something OpenBSD related, because I  
>>>>> can't
>>>>> find anything in syslog's man page about this and there's nothing
>>>>> in
>>>>> my crontabs that would otherwise interfere with SSHguard.
>>>>>
>>>>> What happens is that every ~5-20 minutes (it seems completely
>>>>> random?), SSHguard prints the following in authlog:
>>>>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after  
>>>>> 488
>>>>> seconds."
>>>>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing
>>>>> blocked
>>>>> addresses and exiting..."
>>>>>
>>>>> 10.0.1.140 is one of /several/ systems I used to test SSHguard-
>>>>> there
>>>>> were about ~10 IP's in the blocklist in this case, the latest one
>>>>> was
>>>>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once
>>>>> again
>>>>> exited for no apparent reason. Obviously, when SSHguard exited,  
>>>>> the
>>>>> entire table was flushed. There's no way the last IP that was
>>>>> blocked
>>>>> had exceeded 420 seconds prior to SSHguard "getting an exit
>>>>> signal".
>>>>>
>>>>> I'm not sure why it does this. Once SSHguard cleanly exits (due to
>>>>> the
>>>>> above "signal"), syslogd restarts it as soon as there's authlog
>>>>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>>>>> exiting. Rinse, repeat. It will do this all day, basically.
>>>>>
>>>>> I have no idea if this is by design, or what is going on here. Any
>>>>> ideas?
>>>>>
>>>>> Cheers,
>>>>> -KT
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by:
>>>>> SourcForge Community
>>>>> SourceForge wants to tell your story.
>>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>>> _______________________________________________
>>>>> Sshguard-users mailing list
>>>>> Ssh...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by:
>>>> SourcForge Community
>>>> SourceForge wants to tell your story.
>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> SourcForge Community
>>> SourceForge wants to tell your story.
>>> http://p.sf.net/sfu/sf-spreadtheword
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD

[Keven T. <byt...@sh...>]

Found the problem.

On some BSD's, fgets might be interrupted during read. This is  
different from sending the program a SIGINT (which is handled  
elsewhere and has nothing to do with this issue).
When fgets is interrupted, it automatically returns NULL and sets  
errno to EINTR (interrupted). Since the main while loop of sshguard  
assumes that fgets doesn't return NULL so long as it's working  
properly and reading from stdin, the loop exits and shuts down  
sshguard. If sshguard is launched via syslogd, then it gets relaunched  
until fgets bombs out again, causing sshguard to shutdown. This seems  
to repeat indefinitely and there *are* cases of this happening on  
google (if you check the syslog time stamp, you can see sshguard is  
exiting at random times).

I've included a patch that resolves this issue. It should be cross- 
platform compliant and basically acts as a drop-in replacement fgets  
wrapper (aptly called "safe_fgets"). It will handle EOF and error  
conditions properly, ignoring any spurious EINTR issues, since those  
are non-critical and do NOT impact the operation of the program (not  
anymore, at least).

Since program signaling is handled elsewhere, sshguard will still  
properly exit and relaunch when logs are rotated via syslog/syslog-ng/ 
whatever. This simply fixes the issue of sshguard exiting prematurely  
due to some weird behavior with fgets on other platforms (primarily  
BSD, it appears).

I've confirmed sshguard has been running for more then ~4 hours on my  
OpenBSD box(s). It is blocking and releasing IP's properly without  
exiting inbetween. It has exited and relaunched /once/ exactly on the  
hour when authlog was rotated, but other then that it's 100% stable now.

-KT

<------SNIP SNIP------>
--- ./sshguard.c        Wed Jan 14 18:16:09 2009
+++ /root/sshguard.c    Wed Jan 14 18:15:35 2009
@@ -89,6 +89,8 @@ static inline void attackerinit(attacker_t *restrict i
  static void usage(void);
  /* comparison operator for sorting offenders list */
  static int lastAttackComparator(const void *a, const void *b);
+/* safe fgets function */
+char *safe_fgets(char *s, int size, FILE *stream);
  /* handler for termination-related signals */
  void sigfin_handler(int signo);
  /* handler for suspension/resume signals */
@@ -213,7 +215,7 @@ int main(int argc, char *argv[]) {
              opts.abuse_threshold, (unsigned  
int)opts.pardon_threshold, (unsigned int)opts.stale_threshold);


-    while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
+    while (safe_fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL) {
          if (suspended) continue;

          retv = parse_line(buf);
@@ -233,6 +235,23 @@ int main(int argc, char *argv[]) {
      exit(0);
  }

+char *safe_fgets(char *s, int size, FILE *stream) {
+    for (;;) {
+        if (fgets(s, size, stream))
+            return s;
+           if (feof(stream))
+                   return NULL;
+               if(!ferror(stream)) {
+                   sshguard_log(LOG_ERR, "Error reading from stdin:  
unknown fgets error!");
+                   exit(0);
+               }
+               if(errno != EINTR) {
+                   sshguard_log(LOG_ERR, "Error reading from stdin:  
fgets returned %s", strerror(errno));
+                       exit(0);
+               }
+               clearerr(stream);
+       }
+}

  void report_address(attack_t attack) {
      attacker_t *tmpent = NULL;
<------SNIP SNIP------>

On Jan 14, 2009, at 2:13 PM, Keven Tipping wrote:

> Nope, that's not it.
>
> Cron is setup to run newsyslog every hour, but SSHguard terminates
> randomly "whenever".
>
> As I've said, for whatever reason fgets is returning NULL and breaking
> out of the main loop. The signal handler for sigint/sigfin isn't being
> called here as it would be if syslogd or some other program was
> sending sshguard a sigint. I'm not sure if this is a bug with fgets,
> OpenBSD, or syslogd, but I'll try and do some debugging today and
> figure it out.
>
> -KT
>
> On Jan 14, 2009, at 12:01 PM, Mij wrote:
>
>> Hello Keven,
>>
>> Do you have log rotation? Log rotation causes processes to be  
>> signaled
>> for opening the new log files. This is often the case causing those
>> message
>> in log files.
>>
>>
>> On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:
>>
>>> Okay, I just did some quick debugging here.
>>>
>>> It appears like SSHguard is exiting the main loop in sshguard.c. For
>>> whatever reason, on OpenBSD 4.4, the line:
>>> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>>>
>>> Is indeed returning NULL. This causes the loop to break and exit(0)
>>> is
>>> called, resulting in the "Got exit signal" message. According to
>>> google (and I'm not a programmer), this is caused either by fgets
>>> encountering EOF or some other error.
>>>
>>> Any ideas to as why this is occurring?
>>>
>>> -KT
>>>
>>> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>>>
>>>> Greetings to all.
>>>>
>>>> I've been trying to get SSHguard running *reliably* on several
>>>> OpenBSD
>>>> 4.4 boxes. They all exhibit the same problem.
>>>>
>>>> I've installed sshguard (both 1.4-rc2 and svn) and have it  
>>>> currently
>>>> running as root (though I doubt this has anything to do with the
>>>> problem) via Syslog. The relevant syslog.conf line is:
>>>> auth.info;auth.priv	|exec /usr/sbin/sshguard
>>>>
>>>> SSHguard launches as expected when there's authlog traffic, and
>>>> works
>>>> just fine. I can hammer the box from the LAN and SSHguard adds the
>>>> IP
>>>> addresses to the pf table. That's all fine and great.
>>>>
>>>> The problem is, that SSHguard constantly "exits". I'm not sure if
>>>> this
>>>> is a SSHguard problem or something OpenBSD related, because I can't
>>>> find anything in syslog's man page about this and there's nothing  
>>>> in
>>>> my crontabs that would otherwise interfere with SSHguard.
>>>>
>>>> What happens is that every ~5-20 minutes (it seems completely
>>>> random?), SSHguard prints the following in authlog:
>>>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488
>>>> seconds."
>>>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing
>>>> blocked
>>>> addresses and exiting..."
>>>>
>>>> 10.0.1.140 is one of /several/ systems I used to test SSHguard-
>>>> there
>>>> were about ~10 IP's in the blocklist in this case, the latest one
>>>> was
>>>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once
>>>> again
>>>> exited for no apparent reason. Obviously, when SSHguard exited, the
>>>> entire table was flushed. There's no way the last IP that was
>>>> blocked
>>>> had exceeded 420 seconds prior to SSHguard "getting an exit  
>>>> signal".
>>>>
>>>> I'm not sure why it does this. Once SSHguard cleanly exits (due to
>>>> the
>>>> above "signal"), syslogd restarts it as soon as there's authlog
>>>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>>>> exiting. Rinse, repeat. It will do this all day, basically.
>>>>
>>>> I have no idea if this is by design, or what is going on here. Any
>>>> ideas?
>>>>
>>>> Cheers,
>>>> -KT
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by:
>>>> SourcForge Community
>>>> SourceForge wants to tell your story.
>>>> http://p.sf.net/sfu/sf-spreadtheword
>>>> _______________________________________________
>>>> Sshguard-users mailing list
>>>> Ssh...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> SourcForge Community
>>> SourceForge wants to tell your story.
>>> http://p.sf.net/sfu/sf-spreadtheword
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD

[Keven T. <byt...@sh...>]

Nope, that's not it.

Cron is setup to run newsyslog every hour, but SSHguard terminates  
randomly "whenever".

As I've said, for whatever reason fgets is returning NULL and breaking  
out of the main loop. The signal handler for sigint/sigfin isn't being  
called here as it would be if syslogd or some other program was  
sending sshguard a sigint. I'm not sure if this is a bug with fgets,  
OpenBSD, or syslogd, but I'll try and do some debugging today and  
figure it out.

-KT

On Jan 14, 2009, at 12:01 PM, Mij wrote:

> Hello Keven,
>
> Do you have log rotation? Log rotation causes processes to be signaled
> for opening the new log files. This is often the case causing those
> message
> in log files.
>
>
> On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:
>
>> Okay, I just did some quick debugging here.
>>
>> It appears like SSHguard is exiting the main loop in sshguard.c. For
>> whatever reason, on OpenBSD 4.4, the line:
>> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>>
>> Is indeed returning NULL. This causes the loop to break and exit(0)  
>> is
>> called, resulting in the "Got exit signal" message. According to
>> google (and I'm not a programmer), this is caused either by fgets
>> encountering EOF or some other error.
>>
>> Any ideas to as why this is occurring?
>>
>> -KT
>>
>> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>>
>>> Greetings to all.
>>>
>>> I've been trying to get SSHguard running *reliably* on several
>>> OpenBSD
>>> 4.4 boxes. They all exhibit the same problem.
>>>
>>> I've installed sshguard (both 1.4-rc2 and svn) and have it currently
>>> running as root (though I doubt this has anything to do with the
>>> problem) via Syslog. The relevant syslog.conf line is:
>>> auth.info;auth.priv	|exec /usr/sbin/sshguard
>>>
>>> SSHguard launches as expected when there's authlog traffic, and  
>>> works
>>> just fine. I can hammer the box from the LAN and SSHguard adds the  
>>> IP
>>> addresses to the pf table. That's all fine and great.
>>>
>>> The problem is, that SSHguard constantly "exits". I'm not sure if
>>> this
>>> is a SSHguard problem or something OpenBSD related, because I can't
>>> find anything in syslog's man page about this and there's nothing in
>>> my crontabs that would otherwise interfere with SSHguard.
>>>
>>> What happens is that every ~5-20 minutes (it seems completely
>>> random?), SSHguard prints the following in authlog:
>>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488
>>> seconds."
>>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing
>>> blocked
>>> addresses and exiting..."
>>>
>>> 10.0.1.140 is one of /several/ systems I used to test SSHguard-  
>>> there
>>> were about ~10 IP's in the blocklist in this case, the latest one  
>>> was
>>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once
>>> again
>>> exited for no apparent reason. Obviously, when SSHguard exited, the
>>> entire table was flushed. There's no way the last IP that was  
>>> blocked
>>> had exceeded 420 seconds prior to SSHguard "getting an exit signal".
>>>
>>> I'm not sure why it does this. Once SSHguard cleanly exits (due to
>>> the
>>> above "signal"), syslogd restarts it as soon as there's authlog
>>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>>> exiting. Rinse, repeat. It will do this all day, basically.
>>>
>>> I have no idea if this is by design, or what is going on here. Any
>>> ideas?
>>>
>>> Cheers,
>>> -KT
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by:
>>> SourcForge Community
>>> SourceForge wants to tell your story.
>>> http://p.sf.net/sfu/sf-spreadtheword
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD

[Mij <mi...@bi...>]

Hello Keven,

Do you have log rotation? Log rotation causes processes to be signaled
for opening the new log files. This is often the case causing those  
message
in log files.


On Jan 14, 2009, at 11:09 AM, Keven Tipping wrote:

> Okay, I just did some quick debugging here.
>
> It appears like SSHguard is exiting the main loop in sshguard.c. For
> whatever reason, on OpenBSD 4.4, the line:
> while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)
>
> Is indeed returning NULL. This causes the loop to break and exit(0) is
> called, resulting in the "Got exit signal" message. According to
> google (and I'm not a programmer), this is caused either by fgets
> encountering EOF or some other error.
>
> Any ideas to as why this is occurring?
>
> -KT
>
> On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:
>
>> Greetings to all.
>>
>> I've been trying to get SSHguard running *reliably* on several  
>> OpenBSD
>> 4.4 boxes. They all exhibit the same problem.
>>
>> I've installed sshguard (both 1.4-rc2 and svn) and have it currently
>> running as root (though I doubt this has anything to do with the
>> problem) via Syslog. The relevant syslog.conf line is:
>> auth.info;auth.priv	|exec /usr/sbin/sshguard
>>
>> SSHguard launches as expected when there's authlog traffic, and works
>> just fine. I can hammer the box from the LAN and SSHguard adds the IP
>> addresses to the pf table. That's all fine and great.
>>
>> The problem is, that SSHguard constantly "exits". I'm not sure if  
>> this
>> is a SSHguard problem or something OpenBSD related, because I can't
>> find anything in syslog's man page about this and there's nothing in
>> my crontabs that would otherwise interfere with SSHguard.
>>
>> What happens is that every ~5-20 minutes (it seems completely
>> random?), SSHguard prints the following in authlog:
>> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488
>> seconds."
>> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing  
>> blocked
>> addresses and exiting..."
>>
>> 10.0.1.140 is one of /several/ systems I used to test SSHguard- there
>> were about ~10 IP's in the blocklist in this case, the latest one was
>> blocked/added at 02:33:07, only ~16 seconds before SSHguard once  
>> again
>> exited for no apparent reason. Obviously, when SSHguard exited, the
>> entire table was flushed. There's no way the last IP that was blocked
>> had exceeded 420 seconds prior to SSHguard "getting an exit signal".
>>
>> I'm not sure why it does this. Once SSHguard cleanly exits (due to  
>> the
>> above "signal"), syslogd restarts it as soon as there's authlog
>> traffic again and SSHguard runs anywhere from 5-20 minutes before
>> exiting. Rinse, repeat. It will do this all day, basically.
>>
>> I have no idea if this is by design, or what is going on here. Any
>> ideas?
>>
>> Cheers,
>> -KT
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguard go to 100% cpu

[Mij <mi...@bi...>]

Hello Michel,

Sorry for overlooking this post, I'm actually very interested.
To clarify your scenario: you have 2 instances of sshguard,
one for the host, the other one for both jails. I guess both
jails are logging to the same file, and you are monitoring that (?).

Is it always the "jails" process to show this behavior? Do you see
anything strange ending up in logs? Can you report sshguard's more
verbose messages (do you have debug.log or similar?)?

thanks


On Dec 20, 2008, at 5:55 PM, Michel wrote:

> Hello,
>
> I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from  
> time to time sshguard go to 100% cpu.
>
> PID JID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME   WCPU  
> COMMAND
>  240    0  root                  1     132    0     1936K  1188K  
> RUN     31:03     98.34% sshguard
> .......
> .......
> 13756  0  root                  4       20    0     1936K  1212K  
> kserel   0:01      0.00% sshguard
> ......
>
>
> When this occur sshguard continue to protect the host :
>
> Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3  
> failures over 1 seconds.
> Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3  
> failures over 2 seconds.
> Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3  
> failures over 163 seconds.
> Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3  
> failures over 3 seconds.
> Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3  
> failures over 2 seconds.
> Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3  
> failures over 3 seconds.
>
> but dont protect the jails any more :
>
> Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from  
> 121.134.8.168
> Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from  
> 121.134.8.168
> Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from  
> 121.134.8.168
> Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from  
> 121.134.8.168
> Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from  
> 121.134.8.168
> Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from  
> 121.134.8.168
> Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from  
> 121.134.8.168
> Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from  
> 121.134.8.168
> Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from  
> 121.134.8.168
>
> I have to kill the 100% sshguard to return to "normal" behaviour.
>
> Any help ?
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] SSHguard constantly exiting under OpenBSD

[Keven T. <byt...@sh...>]

Okay, I just did some quick debugging here.

It appears like SSHguard is exiting the main loop in sshguard.c. For  
whatever reason, on OpenBSD 4.4, the line:
while (fgets(buf, MAX_LOGLINE_LEN, stdin) != NULL)

Is indeed returning NULL. This causes the loop to break and exit(0) is  
called, resulting in the "Got exit signal" message. According to  
google (and I'm not a programmer), this is caused either by fgets  
encountering EOF or some other error.

Any ideas to as why this is occurring?

-KT

On Jan 14, 2009, at 2:47 AM, Keven Tipping wrote:

> Greetings to all.
>
> I've been trying to get SSHguard running *reliably* on several OpenBSD
> 4.4 boxes. They all exhibit the same problem.
>
> I've installed sshguard (both 1.4-rc2 and svn) and have it currently
> running as root (though I doubt this has anything to do with the
> problem) via Syslog. The relevant syslog.conf line is:
> auth.info;auth.priv	|exec /usr/sbin/sshguard
>
> SSHguard launches as expected when there's authlog traffic, and works
> just fine. I can hammer the box from the LAN and SSHguard adds the IP
> addresses to the pf table. That's all fine and great.
>
> The problem is, that SSHguard constantly "exits". I'm not sure if this
> is a SSHguard problem or something OpenBSD related, because I can't
> find anything in syslog's man page about this and there's nothing in
> my crontabs that would otherwise interfere with SSHguard.
>
> What happens is that every ~5-20 minutes (it seems completely
> random?), SSHguard prints the following in authlog:
> "Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488
> seconds."
> "Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing blocked
> addresses and exiting..."
>
> 10.0.1.140 is one of /several/ systems I used to test SSHguard- there
> were about ~10 IP's in the blocklist in this case, the latest one was
> blocked/added at 02:33:07, only ~16 seconds before SSHguard once again
> exited for no apparent reason. Obviously, when SSHguard exited, the
> entire table was flushed. There's no way the last IP that was blocked
> had exceeded 420 seconds prior to SSHguard "getting an exit signal".
>
> I'm not sure why it does this. Once SSHguard cleanly exits (due to the
> above "signal"), syslogd restarts it as soon as there's authlog
> traffic again and SSHguard runs anywhere from 5-20 minutes before
> exiting. Rinse, repeat. It will do this all day, basically.
>
> I have no idea if this is by design, or what is going on here. Any
> ideas?
>
> Cheers,
> -KT
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] SSHguard constantly exiting under OpenBSD

[Keven T. <byt...@sh...>]

Greetings to all.

I've been trying to get SSHguard running *reliably* on several OpenBSD  
4.4 boxes. They all exhibit the same problem.

I've installed sshguard (both 1.4-rc2 and svn) and have it currently  
running as root (though I doubt this has anything to do with the  
problem) via Syslog. The relevant syslog.conf line is:
auth.info;auth.priv	|exec /usr/sbin/sshguard

SSHguard launches as expected when there's authlog traffic, and works  
just fine. I can hammer the box from the LAN and SSHguard adds the IP  
addresses to the pf table. That's all fine and great.

The problem is, that SSHguard constantly "exits". I'm not sure if this  
is a SSHguard problem or something OpenBSD related, because I can't  
find anything in syslog's man page about this and there's nothing in  
my crontabs that would otherwise interfere with SSHguard.

What happens is that every ~5-20 minutes (it seems completely  
random?), SSHguard prints the following in authlog:
"Jan 14 02:33:23 gw sshguard[28260]: Releasing 10.0.1.140 after 488  
seconds."
"Jan 14 02:33:23 gw sshguard[28260]: Got exit signal, flushing blocked  
addresses and exiting..."

10.0.1.140 is one of /several/ systems I used to test SSHguard- there  
were about ~10 IP's in the blocklist in this case, the latest one was  
blocked/added at 02:33:07, only ~16 seconds before SSHguard once again  
exited for no apparent reason. Obviously, when SSHguard exited, the  
entire table was flushed. There's no way the last IP that was blocked  
had exceeded 420 seconds prior to SSHguard "getting an exit signal".

I'm not sure why it does this. Once SSHguard cleanly exits (due to the  
above "signal"), syslogd restarts it as soon as there's authlog  
traffic again and SSHguard runs anywhere from 5-20 minutes before  
exiting. Rinse, repeat. It will do this all day, basically.

I have no idea if this is by design, or what is going on here. Any  
ideas?

Cheers,
-KT

Re: [Sshguard-users] [PATCH] OpenBSD does not have EPROTO

[Mij <mi...@bi...>]

Thanks Meethune, that's been commited to the SVN.

michele


On Jan 5, 2009, at 0:00 , Meethune Bhowmick wrote:

> Signed-off-by: Meethune Bhowmick <mee...@gm...>
> ---
> src/simclist.c |    5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/src/simclist.c b/src/simclist.c
> index e9061bd..0bfc2c0 100755
> --- a/src/simclist.c
> +++ b/src/simclist.c
> @@ -52,6 +52,11 @@
> /* convert 64bit integers from network to host format */
> #define ntoh64(x)       (hton64(x))
>
> +/* OpenBSD does not have EPROTO */
> +#ifndef EPROTO
> +#define EPROTO EINTR
> +#endif
> +
> /* disable asserts */
> #ifndef SIMCLIST_DEBUG
> #define NDEBUG
> -- 
> 1.6.1
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] [PATCH] OpenBSD does not have EPROTO

[Meethune B. <mee...@gm...>]

Signed-off-by: Meethune Bhowmick <mee...@gm...>
---
 src/simclist.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/src/simclist.c b/src/simclist.c
index e9061bd..0bfc2c0 100755
--- a/src/simclist.c
+++ b/src/simclist.c
@@ -52,6 +52,11 @@
 /* convert 64bit integers from network to host format */
 #define ntoh64(x)       (hton64(x))
 
+/* OpenBSD does not have EPROTO */
+#ifndef EPROTO
+#define EPROTO EINTR
+#endif
+
 /* disable asserts */
 #ifndef SIMCLIST_DEBUG
 #define NDEBUG
-- 
1.6.1

[Sshguard-users] sshguard go to 100% cpu

[Michel <mi...@do...>]

Hello,

I use sshguard-pf-1.3 on a FreeBSD 6.3-RELEASE with 2 jails and from time to time sshguard go to 100% cpu.

 PID JID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
  240    0  root                  1     132    0     1936K  1188K RUN     31:03     98.34% sshguard
.......
.......
13756  0  root                  4       20    0     1936K  1212K kserel   0:01      0.00% sshguard
......


When this occur sshguard continue to protect the host :

Dec 19 08:47:11 yyyy sshguard[95523]: Blocking 89.188.34.150: 3 failures over 1 seconds.
Dec 19 09:08:23 yyyy sshguard[95523]: Blocking 89.145.245.192: 3 failures over 2 seconds.
Dec 19 09:26:06 yyyy sshguard[95523]: Blocking 122.166.15.47: 3 failures over 163 seconds.
Dec 19 09:47:16 yyyy sshguard[5822]: Blocking 75.125.177.242: 3 failures over 3 seconds.
Dec 19 09:47:17 yyyy sshguard[5822]: Blocking 121.134.8.168: 3 failures over 2 seconds.
Dec 19 10:13:30 yyyy sshguard[5822]: Blocking 89.145.245.192: 3 failures over 3 seconds.

but dont protect the jails any more :

Dec 19 09:40:05 zzzzzz sshd[4120]: Invalid user dominic from 121.134.8.168
Dec 19 09:40:07 zzzzzz sshd[4126]: Invalid user edgar from 121.134.8.168
Dec 19 09:40:09 zzzzzz sshd[4132]: Invalid user omar from 121.134.8.168
Dec 19 09:40:12 zzzzzz sshd[4138]: Invalid user derrick from 121.134.8.168
Dec 19 09:40:14 zzzzzz sshd[4144]: Invalid user hector from 121.134.8.168
Dec 19 09:40:17 zzzzzz sshd[4150]: Invalid user douglas from 121.134.8.168
Dec 19 09:40:19 zzzzzz sshd[4156]: Invalid user frank from 121.134.8.168
Dec 19 09:40:22 zzzzzz sshd[4162]: Invalid user tristan from 121.134.8.168
Dec 19 09:40:24 zzzzzz sshd[4168]: Invalid user collin from 121.134.8.168

I have to kill the 100% sshguard to return to "normal" behaviour.

Any help ?

Re: [Sshguard-users] ProFTPd login attempts ipfw freebsd

[Mij <mi...@bi...>]

Hello ospito,

- did you check with what user sshguard is running?
- did you try to run sshguard in interactive testing mode (-d)?

michele


On Dec 15, 2008, at 2:33 PM, ssh...@os... wrote:

>
> Citeren "Hans F. Nordhaug" <Han...@hi...>:
>
>> * ssh...@os... <ssh...@os...> [2008-12-15]:
>>>
>>> Citeren "Hans F. Nordhaug" <Han...@hi...>:
>>>
>>>> * ssh...@os... <ssh...@os...> [2008-12-15]:
>>>>> Hello,
>>>>> I'm using SSHGuard for a few weeks now and all looks very nice.  
>>>>> At my
>>>>> tests all went fine, but last day there was a brute force going  
>>>>> on at
>>>>> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in
>>>>> action wasn't what I expected, it looks like there's something  
>>>>> wrong,
>>>>> but I've no idea what it is. Please look at my logs and see for
>>>>> yourself what I mean.
>>>>>
>>>>> Dec 12 10:11:37 servername sshguard[88506]: Blocking  
>>>>> 12.34.56.78: 7
>>>>> failures over 0 seconds.
>>>> [...]
>>>>> Dec 12 10:11:37 servername sshguard[88506]: Blocking  
>>>>> 12.34.56.78: 7
>>>>> failures over 0 seconds.
>>>> [...]
>>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking  
>>>>> 12.34.56.78: 7
>>>>> failures over 1 seconds.
>>>> [...]
>>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking  
>>>>> 12.34.56.78: 7
>>>>> failures over 0 seconds.
>>>> [...]
>>>>> Dec 12 10:11:38 servername sshguard[88506]: Blocking  
>>>>> 12.34.56.78: 7
>>>>> failures over 0 seconds.
>>>>> Dec 12 10:11:38 servername last message repeated 3 times
>>>>> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw
>>> delete 55031" exited 69
>>>>> Dec 12 10:28:46 servername sshguard[88506]: Release command  
>>>>> failed.
>>>>> Exited: -1
>>>> [cut]
>>>>
>>>> The two last lines are the important ones. Apperently you haven't
>>>> allowed sshguard to interact with ipfw -  see
>>>> <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html>
>>>> I can't help you with the specific details for ipfw since I  
>>>> prefer to
>>>> use sshguard together with pf (on FreeBSD).
>>>>
>>>> Hans
>>>>
>>>> PS! Have you installed sshguard through ports? See
>>>>    <http://www.freshports.org/security/sshguard-ipfw/>
>>>
>>> I installed SSHGuard through ports indeed
>>> (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my  
>>> whole
>>> firewall is based on it, all my accept rules start at 60000, below  
>>> are
>>> only some blocks and ICMP accepts. The 50000 till 60000 are unused  
>>> and
>>> reserved for SSHGuard.
>>> I don't thing this is the problem, as you can see it works when I  
>>> try
>>> it myself. Thanks for your input.
>>
>> The reason sshguard is blocking 12.34.56.78 several times in a row is
>> because it's not able to add the blocking rules to ipfw. This is the
>> problem whether you believe it or not. Maybe ask on the freebsd/ipfw
>> mailing list?
>>
>> Hans
>>
>> PS! I didn't mean that you should switch from ipfw to pf.
>>
>> ------------------------------------------------------------------------------
>> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas,  
>> Nevada.
>> The future of the web can't happen without you.  Join us at MIX09  
>> to help
>> pave the way to the Next Web now. Learn more and register at
>> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>
> Hello Hans,
> Thanks you for your answer. It sounds like a possibility, but why
> can't SSHGuard add a rule to ipfw? When I login to ProFTPd with wrong
> credentials I'll be blocked and it works nicely. But in the brute
> force yesterday ipfw commands didn't work from SSHGuard. Can you think
> of an explanation? I think sshguard can't handle this amount of
> requests an it's not because of ipfw, that works perfectly. I also can
> manually add and delete rules to my ipfw table.
>
> Thanks again.
>
>
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas,  
> Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to  
> help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] ProFTPd login attempts ipfw freebsd

[<ssh...@os...>]

Citeren "Hans F. Nordhaug" <Han...@hi...>:

> * ssh...@os... <ssh...@os...> [2008-12-15]:
>>
>> Citeren "Hans F. Nordhaug" <Han...@hi...>:
>>
>> > * ssh...@os... <ssh...@os...> [2008-12-15]:
>> >> Hello,
>> >> I'm using SSHGuard for a few weeks now and all looks very nice. At my
>> >> tests all went fine, but last day there was a brute force going on at
>> >> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in
>> >> action wasn't what I expected, it looks like there's something wrong,
>> >> but I've no idea what it is. Please look at my logs and see for
>> >> yourself what I mean.
>> >>
>> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> >> failures over 0 seconds.
>> > [...]
>> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> >> failures over 0 seconds.
>> > [...]
>> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> >> failures over 1 seconds.
>> > [...]
>> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> >> failures over 0 seconds.
>> > [...]
>> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> >> failures over 0 seconds.
>> >> Dec 12 10:11:38 servername last message repeated 3 times
>> >> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw  
>> delete 55031" exited 69
>> >> Dec 12 10:28:46 servername sshguard[88506]: Release command failed.
>> >> Exited: -1
>> > [cut]
>> >
>> > The two last lines are the important ones. Apperently you haven't
>> > allowed sshguard to interact with ipfw -  see
>> > <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html>
>> > I can't help you with the specific details for ipfw since I prefer to
>> > use sshguard together with pf (on FreeBSD).
>> >
>> > Hans
>> >
>> > PS! Have you installed sshguard through ports? See
>> >     <http://www.freshports.org/security/sshguard-ipfw/>
>>
>> I installed SSHGuard through ports indeed
>> (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole
>> firewall is based on it, all my accept rules start at 60000, below are
>> only some blocks and ICMP accepts. The 50000 till 60000 are unused and
>> reserved for SSHGuard.
>> I don't thing this is the problem, as you can see it works when I try
>> it myself. Thanks for your input.
>
> The reason sshguard is blocking 12.34.56.78 several times in a row is
> because it's not able to add the blocking rules to ipfw. This is the
> problem whether you believe it or not. Maybe ask on the freebsd/ipfw
> mailing list?
>
> Hans
>
> PS! I didn't mean that you should switch from ipfw to pf.
>
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

Hello Hans,
Thanks you for your answer. It sounds like a possibility, but why  
can't SSHGuard add a rule to ipfw? When I login to ProFTPd with wrong  
credentials I'll be blocked and it works nicely. But in the brute  
force yesterday ipfw commands didn't work from SSHGuard. Can you think  
of an explanation? I think sshguard can't handle this amount of  
requests an it's not because of ipfw, that works perfectly. I also can  
manually add and delete rules to my ipfw table.

Thanks again.

Re: [Sshguard-users] ProFTPd login attempts ipfw freebsd

[Hans F. N. <Han...@hi...>]

* ssh...@os... <ssh...@os...> [2008-12-15]:
> 
> Citeren "Hans F. Nordhaug" <Han...@hi...>:
> 
> > * ssh...@os... <ssh...@os...> [2008-12-15]:
> >> Hello,
> >> I'm using SSHGuard for a few weeks now and all looks very nice. At my
> >> tests all went fine, but last day there was a brute force going on at
> >> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in
> >> action wasn't what I expected, it looks like there's something wrong,
> >> but I've no idea what it is. Please look at my logs and see for
> >> yourself what I mean.
> >>
> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
> >> failures over 0 seconds.
> > [...]
> >> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
> >> failures over 0 seconds.
> > [...]
> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
> >> failures over 1 seconds.
> > [...]
> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
> >> failures over 0 seconds.
> > [...]
> >> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
> >> failures over 0 seconds.
> >> Dec 12 10:11:38 servername last message repeated 3 times
> >> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69
> >> Dec 12 10:28:46 servername sshguard[88506]: Release command failed.  
> >> Exited: -1
> > [cut]
> >
> > The two last lines are the important ones. Apperently you haven't
> > allowed sshguard to interact with ipfw -  see
> > <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html>
> > I can't help you with the specific details for ipfw since I prefer to
> > use sshguard together with pf (on FreeBSD).
> >
> > Hans
> >
> > PS! Have you installed sshguard through ports? See
> >     <http://www.freshports.org/security/sshguard-ipfw/>
>
> I installed SSHGuard through ports indeed  
> (/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole  
> firewall is based on it, all my accept rules start at 60000, below are  
> only some blocks and ICMP accepts. The 50000 till 60000 are unused and  
> reserved for SSHGuard.
> I don't thing this is the problem, as you can see it works when I try  
> it myself. Thanks for your input.

The reason sshguard is blocking 12.34.56.78 several times in a row is
because it's not able to add the blocking rules to ipfw. This is the
problem whether you believe it or not. Maybe ask on the freebsd/ipfw
mailing list?

Hans

PS! I didn't mean that you should switch from ipfw to pf.

Re: [Sshguard-users] ProFTPd login attempts ipfw freebsd

[<ssh...@os...>]

Citeren "Hans F. Nordhaug" <Han...@hi...>:

> * ssh...@os... <ssh...@os...> [2008-12-15]:
>> Hello,
>> I'm using SSHGuard for a few weeks now and all looks very nice. At my
>> tests all went fine, but last day there was a brute force going on at
>> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in
>> action wasn't what I expected, it looks like there's something wrong,
>> but I've no idea what it is. Please look at my logs and see for
>> yourself what I mean.
>>
>> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> failures over 0 seconds.
> [...]
>> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> failures over 0 seconds.
> [...]
>> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> failures over 1 seconds.
> [...]
>> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> failures over 0 seconds.
> [...]
>> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7
>> failures over 0 seconds.
>> Dec 12 10:11:38 servername last message repeated 3 times
>> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw  
>> delete 55031" exited 69
>> Dec 12 10:28:46 servername sshguard[88506]: Release command failed.  
>> Exited: -1
> [cut]
>
> The two last lines are the important ones. Apperently you haven't
> allowed sshguard to interact with ipfw -  see
> <http://sshguard.sourceforge.net/doc/setup/blockingipfw.html>
> I can't help you with the specific details for ipfw since I prefer to
> use sshguard together with pf (on FreeBSD).
>
> Hans
>
> PS! Have you installed sshguard through ports? See
>     <http://www.freshports.org/security/sshguard-ipfw/>
>
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

I installed SSHGuard through ports indeed  
(/usr/ports/security/sshguard-ipfw). I've chosen ipfw because my whole  
firewall is based on it, all my accept rules start at 60000, below are  
only some blocks and ICMP accepts. The 50000 till 60000 are unused and  
reserved for SSHGuard.
I don't thing this is the problem, as you can see it works when I try  
it myself. Thanks for your input.

Re: [Sshguard-users] ProFTPd login attempts ipfw freebsd

[Hans F. N. <Han...@hi...>]

* ssh...@os... <ssh...@os...> [2008-12-15]:
> Hello,
> I'm using SSHGuard for a few weeks now and all looks very nice. At my  
> tests all went fine, but last day there was a brute force going on at  
> my ProFTPd. Nothing spectacular, happened before, but SSHGuard in  
> action wasn't what I expected, it looks like there's something wrong,  
> but I've no idea what it is. Please look at my logs and see for  
> yourself what I mean.
> 
> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7  
> failures over 0 seconds.
[...]
> Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7  
> failures over 0 seconds.
[...]
> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
> failures over 1 seconds.
[...]
> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
> failures over 0 seconds.
[...]
> Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
> failures over 0 seconds.
> Dec 12 10:11:38 servername last message repeated 3 times
> Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete 55031" exited 69
> Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
[cut]

The two last lines are the important ones. Apperently you haven't
allowed sshguard to interact with ipfw -  see
<http://sshguard.sourceforge.net/doc/setup/blockingipfw.html>
I can't help you with the specific details for ipfw since I prefer to
use sshguard together with pf (on FreeBSD).

Hans

PS! Have you installed sshguard through ports? See
    <http://www.freshports.org/security/sshguard-ipfw/>

[Sshguard-users] ProFTPd login attempts ipfw freebsd

[<ssh...@os...>]

Hello,
I'm using SSHGuard for a few weeks now and all looks very nice. At my  
tests all went fine, but last day there was a brute force going on at  
my ProFTPd. Nothing spectacular, happened before, but SSHGuard in  
action wasn't what I expected, it looks like there's something wrong,  
but I've no idea what it is. Please look at my logs and see for  
yourself what I mean.

Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7  
failures over 0 seconds.
Dec 12 10:11:37 servername proftpd[95672]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:37 servername proftpd[95673]: 999.888.777.24  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:37 servername proftpd[95674]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:37 servername proftpd[95675]: anotherdomainiown.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:37 servername sshguard[88506]: Blocking 12.34.56.78: 7  
failures over 0 seconds.
Dec 12 10:11:37 servername proftpd[95676]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername proftpd[95678]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
failures over 1 seconds.
Dec 12 10:11:38 servername proftpd[95659]: yetanotherdomainiown.nl  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername proftpd[95679]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername proftpd[95680]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
failures over 0 seconds.
Dec 12 10:11:38 servername proftpd[95682]: serverxy.mydomain.com  
(12.34.56.78[12.34.56.78]) - no such user 'anonymous'
Dec 12 10:11:38 servername sshguard[88506]: Blocking 12.34.56.78: 7  
failures over 0 seconds.
Dec 12 10:11:38 servername last message repeated 3 times
Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
Dec 12 10:28:46 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 10:28:46 servername sshguard[88506]: Release command failed. Exited: -1
Dec 12 10:56:08 servername proftpd[486]: anotherdomainiown.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[487]: domain925835.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[488]: domain9876543.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[489]: domain1234567.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[491]: serverxy.mydomain.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[490]: 999.888.777.24  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername proftpd[492]: serverxy.mydomain.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 10:56:08 servername sshguard[88506]: Blocking 12.34.56.68: 7  
failures over 0 seconds.
Dec 12 10:56:08 servername proftpd[494]: serverxy.mydomain.com  
(12.34.56.68[12.34.56.68]) - no such user 'anonymous'
Dec 12 11:00:02 servername sshguard[88506]: Command "/sbin/ipfw delete  
55031" exited 69
Dec 12 12:05:22 servername su: hans to root on /dev/ttyp0
Dec 12 13:21:37 servername proftpd[17900]: domain63857.com  
(12.34.56.67[12.34.56.67]) - no such user 'anonymous'
Dec 12 13:21:37 servername proftpd[17901]: domain845713.com  
(12.34.56.67[12.34.56.67]) - no such user 'anonymous'
Dec 12 13:21:37 servername proftpd[17902]: anotherdomainiown.com  
(12.34.56.67[12.34.56.67]) - no such user 'anonymous'
Dec 14 15:41:31 servername sshguard[92245]: Blocking 12.34.56.69: 7  
failures over 0 seconds.
Dec 14 15:41:31 servername proftpd[6223]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:31 servername proftpd[6226]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:31 servername proftpd[6225]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:32 servername sshguard[92245]: Blocking 12.34.56.69: 7  
failures over 1 seconds.
Dec 14 15:41:32 servername sshguard[92245]: Blocking 12.34.56.69: 7  
failures over 0 seconds.
Dec 14 15:41:32 servername proftpd[6216]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6237]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6240]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6236]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6235]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6234]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername sshguard[92245]: Blocking 12.34.56.69: 7  
failures over 2 seconds.
Dec 14 15:41:34 servername proftpd[6247]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6239]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6241]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'
Dec 14 15:41:34 servername proftpd[6243]: serverxy.mydomain.com  
(12.34.56.69[12.34.56.69]) - no such user 'possibleuser'

And many many more. IP's starting with 12.34.56. are from the 'user'  
who tries to login :-) I've the strong feeling that these IP's didn't  
get blocked, because the attempts were going on, although SSHGuard  
sais the ip is in the firewall. At this point I tried to login with  
non existing users and see the results.
Dec 15 10:29:52 servername proftpd[20469]: servername.mydomain.com  
(my.own.ip.address[my.own.ip.address]) - no such user 'sdfsdfsdf'
Dec 15 10:30:09 servername proftpd[20546]: servername.mydomain.com  
(my.own.ip.address[my.own.ip.address]) - no such user 'fdkgjhkdjghjkdf'
Dec 15 10:30:24 servername proftpd[20553]: servername.mydomain.com  
(my.own.ip.address[my.own.ip.address]) - no such user 'dfkjghdkjgh'
Dec 15 10:30:38 servername proftpd[20572]: servername.mydomain.com  
(my.own.ip.address[my.own.ip.address]) - no such user 'jkfjhskjghfg'
Dec 15 10:30:38 servername sshguard[17492]: Blocking  
my.own.ip.address: 7 failures over 46 seconds.

That looks great!

Does anyone know what this log behaviour explains? Maybe SSHGuard  
can't handle the load?

Thanks in advance.

[Sshguard-users] Source RPM for version 1.3

[Hans F. N. <Han...@hi...>]

Hi!

Has someone made a source RPM for the latest version (1.3) of
sshguard? I think there was one for 1.0.1 - ref
<http://sshguard.sourceforge.net/packages/> and
<http://sshguard.sourceforge.net/packages/linux-rpm/installing.txt>.

Thx for listening ;-)

Hans

Re: [Sshguard-users] Problems with ProFTPD

[Mij <mi...@bi...>]

On 29 Sep 2008, at 19:51, Andy Berkvam wrote:

>   I updated to the SCM version this morning.  I can confirm that the
> authpriv.info/daemon.info issue and the autoconf issue are  
> resolved.  As
> you mentioned, the wrong service is still being blocked.

This requires some further twiddling. The idea is, for all the  
backends the
address is either blocked (at the network level) or free. For the  
"hosts" backend,
this happens at the application layer, so the rule chain needs to be  
blasted
by service type to indicate the relevant application name for  
blocking. This
name is required to be known inside that backend as well then.

There is another business that I'm thinking of that might match well  
with this,
that is, making these lists of blocked addresses available in the API,  
and
accompanying them with a more thorough information, eg on service names
and blocking history. At the same time, I'm thinking of making this  
history
possibly consistent on disk, so that "bad guys" are still known even  
after reboots
of the server.

The bottom line is, I'll stream this modification in a bigger design;  
this'll take
some weeks. In the meantime, if you principally use sshguard for non- 
ssh services,
I can advice as a workaround using another backend working at the  
network level.

thanks for your feedback


> Thank you,
>
> Andy
>
> On Sat, 27 Sep 2008, Mij wrote:
>
>> Thanks for this report.
>> The bug of blocking the wrong service will be fixed later. The
>> sensitivity to
>> auth messages instead of other ones is the idea -- unfortunately I
>> have few
>> means of inferring where the messages submitted by the users on
>>
>> http://sshguard.sourceforge.net/newattackpatt.php
>>
>> appear on.
>>
>> Please try the version in the SCM, it should be sensitive to the line
>> you reported
>> appearing with auth facility. Moreover, you shouldn't find anymore  
>> the
>> problem with
>> autoconf incompatibility that you reported before.
>>
>> mkdir sshguard
>> cd sshguard
>> svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .
>>
>> then compile and test as usual.
>>
>> michele
>>
>>
>> On 24 Sep 2008, at 20:33, Andy Berkvam wrote:
>>
>>>  I have a server running ProFTPD 1.3.0a running in inetd mode.  I
>>> have
>>> found that sshguard is not blocking FTP attacks.  I have found two
>>> causes
>>> for this.
>>>
>>>  First, in a default install of sshguard, sshguard never gets the  
>>> log
>>> messages that it's looking for.  ProFTPD sends multiple messages to
>>> multiple syslog facilities.  sshguard seems to be looking for  
>>> logfile
>>> entries like this:
>>>
>>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
>>> (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>>>
>>>  Messages of that form are being sent to daemon.info and normally
>>> sshguard only watches auth.info and authpriv.info.  I have  
>>> modified my
>>> installation to watch daemon.info as well and it detects the attack
>>> now.
>>>
>>>  It would be more convenient if sshguard matched the log message  
>>> that
>>> gets sent to the authpriv.info facility.  Then sshguard would match
>>> it by
>>> default.  That message is in the form:
>>>
>>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
>>> (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from
>>> 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>>>
>>>  Second, sshguard is blocking the wrong service.  When I simulate
>>> an FTP
>>> attack the following entry gets put in my hosts.allow file:
>>>
>>> ###sshguard###
>>> sshd : 66.170.1.11 : DENY
>>> ###sshguard###
>>>
>>>  Obviously this should start with "proftpd", not "sshd".
>>>
>>> Thank you,
>>>
>>> Andy
>>>
>>> -------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>> challenge
>>> Build the coolest Linux based applications with Moblin SDK & win
>>> great prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in
>>> the world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Sshguard-users mailing list
>>> Ssh...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's  
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win  
>> great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in  
>> the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Problems with ProFTPD

[Andy B. <abe...@be...>]

   I updated to the SCM version this morning.  I can confirm that the 
authpriv.info/daemon.info issue and the autoconf issue are resolved.  As 
you mentioned, the wrong service is still being blocked.

Thank you,

Andy

On Sat, 27 Sep 2008, Mij wrote:

> Thanks for this report.
> The bug of blocking the wrong service will be fixed later. The
> sensitivity to
> auth messages instead of other ones is the idea -- unfortunately I
> have few
> means of inferring where the messages submitted by the users on
>
> http://sshguard.sourceforge.net/newattackpatt.php
>
> appear on.
>
> Please try the version in the SCM, it should be sensitive to the line
> you reported
> appearing with auth facility. Moreover, you shouldn't find anymore the
> problem with
> autoconf incompatibility that you reported before.
>
> mkdir sshguard
> cd sshguard
> svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .
>
> then compile and test as usual.
>
> michele
>
>
> On 24 Sep 2008, at 20:33, Andy Berkvam wrote:
>
>>   I have a server running ProFTPD 1.3.0a running in inetd mode.  I
>> have
>> found that sshguard is not blocking FTP attacks.  I have found two
>> causes
>> for this.
>>
>>   First, in a default install of sshguard, sshguard never gets the log
>> messages that it's looking for.  ProFTPD sends multiple messages to
>> multiple syslog facilities.  sshguard seems to be looking for logfile
>> entries like this:
>>
>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
>> (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>>
>>   Messages of that form are being sent to daemon.info and normally
>> sshguard only watches auth.info and authpriv.info.  I have modified my
>> installation to watch daemon.info as well and it detects the attack
>> now.
>>
>>   It would be more convenient if sshguard matched the log message that
>> gets sent to the authpriv.info facility.  Then sshguard would match
>> it by
>> default.  That message is in the form:
>>
>> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
>> (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from
>> 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>>
>>   Second, sshguard is blocking the wrong service.  When I simulate
>> an FTP
>> attack the following entry gets put in my hosts.allow file:
>>
>> ###sshguard###
>> sshd : 66.170.1.11 : DENY
>> ###sshguard###
>>
>>   Obviously this should start with "proftpd", not "sshd".
>>
>> Thank you,
>>
>> Andy
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
>> great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in
>> the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

Re: [Sshguard-users] adding new patterns

[Mij <mi...@bi...>]

Sem,

you're welcome to submit patterns to

http://sshguard.sourceforge.net/newattackpatt.php

from release to release we go over the submissions and integrate things.
The more precise/complete is your submission (possible variants of the
message, events of its occurrence, syslog targets etc) the lower the  
time
it will take to get included.

michele


On 22 Sep 2008, at 12:59, Sergey Matveychuk wrote:

> Hi!
>
> I start using sshguard. It works and looks good. But I'd like to add
> more patterns to block. But looks like it's not so easy to do (lex/ 
> yacc).
>
> May be it will better if rules will be dynamical, not compiled in? May
> be as regexps? I think it would decrease code too.
>
> Thanks for your work.
> -- 
> Sem.
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Problems with ProFTPD

[Mij <mi...@bi...>]

Thanks for this report.
The bug of blocking the wrong service will be fixed later. The  
sensitivity to
auth messages instead of other ones is the idea -- unfortunately I  
have few
means of inferring where the messages submitted by the users on

http://sshguard.sourceforge.net/newattackpatt.php

appear on.

Please try the version in the SCM, it should be sensitive to the line  
you reported
appearing with auth facility. Moreover, you shouldn't find anymore the  
problem with
autoconf incompatibility that you reported before.

mkdir sshguard
cd sshguard
svn co https://sshguard.svn.sourceforge.net/svnroot/sshguard .

then compile and test as usual.

michele


On 24 Sep 2008, at 20:33, Andy Berkvam wrote:

>   I have a server running ProFTPD 1.3.0a running in inetd mode.  I  
> have
> found that sshguard is not blocking FTP attacks.  I have found two  
> causes
> for this.
>
>   First, in a default install of sshguard, sshguard never gets the log
> messages that it's looking for.  ProFTPD sends multiple messages to
> multiple syslog facilities.  sshguard seems to be looking for logfile
> entries like this:
>
> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
> (66.170.1.11[66.170.1.11]) - no such user 'andyb'
>
>   Messages of that form are being sent to daemon.info and normally
> sshguard only watches auth.info and authpriv.info.  I have modified my
> installation to watch daemon.info as well and it detects the attack  
> now.
>
>   It would be more convenient if sshguard matched the log message that
> gets sent to the authpriv.info facility.  Then sshguard would match  
> it by
> default.  That message is in the form:
>
> Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com
> (66.170.1.11[66.170.1.11]) - USER andyb: no such user found from
> 66.170.1.11 [66.170.1.11] to 192.168.0.100:21
>
>   Second, sshguard is blocking the wrong service.  When I simulate  
> an FTP
> attack the following entry gets put in my hosts.allow file:
>
> ###sshguard###
> sshd : 66.170.1.11 : DENY
> ###sshguard###
>
>   Obviously this should start with "proftpd", not "sshd".
>
> Thank you,
>
> Andy
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's  
> challenge
> Build the coolest Linux based applications with Moblin SDK & win  
> great prizes
> Grand prize is a trip for two to an Open Source event anywhere in  
> the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] Problems with ProFTPD

[Andy B. <abe...@be...>]

   I have a server running ProFTPD 1.3.0a running in inetd mode.  I have 
found that sshguard is not blocking FTP attacks.  I have found two causes 
for this.

   First, in a default install of sshguard, sshguard never gets the log 
messages that it's looking for.  ProFTPD sends multiple messages to 
multiple syslog facilities.  sshguard seems to be looking for logfile 
entries like this:

Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com 
(66.170.1.11[66.170.1.11]) - no such user 'andyb'

   Messages of that form are being sent to daemon.info and normally 
sshguard only watches auth.info and authpriv.info.  I have modified my 
installation to watch daemon.info as well and it detects the attack now.

   It would be more convenient if sshguard matched the log message that 
gets sent to the authpriv.info facility.  Then sshguard would match it by 
default.  That message is in the form:

Sep 24 13:36:16 noir proftpd[9380]: noir.berque.com 
(66.170.1.11[66.170.1.11]) - USER andyb: no such user found from 
66.170.1.11 [66.170.1.11] to 192.168.0.100:21

   Second, sshguard is blocking the wrong service.  When I simulate an FTP 
attack the following entry gets put in my hosts.allow file:

###sshguard###
sshd : 66.170.1.11 : DENY
###sshguard###

   Obviously this should start with "proftpd", not "sshd".

Thank you,

Andy

Re: [Sshguard-users] Can't compile sshguard 1.2

[Andy B. <abe...@be...>]

On Wed, 24 Sep 2008, David Horn wrote:

> On Wed, Sep 24, 2008 at 11:53 AM, Andy Berkvam <abe...@be...> wrote:
>>   I just noticed that sshguard-1.2 was released.  I downloaded it and was
>> unable to compile it.  The error is:
>>
>> aclocal.m4:17: error: this file was generated for autoconf 2.61.
>> You have another version of autoconf.  If you want to use that,
>> you should regenerate the build system entirely.
>
> The error message should probably say something along the lines of:
>
> this file was generated for autoconf 2.61.
> You have another version of autoconf.  It may work, but is not guaranteed to.
> If you have problems, you may need to regenerate the build system entirely.
> To do so, use the procedure documented by the package, typically `autoreconf'.
>
>
> In other words, just run autoreconf (part of the gnu autoconf
> utilities package), then you can re-run your ./configure and make as
> you normally would.   You may want to ensure you have at LEAST version
> 2.61 or higher of autoconf installed (autoconf --version).  If not, it
> is time to upgrade your gnu build tools.
>
>
   That did the trick.  I have GNU autoconf 2.59 so I am guessing that the 
newer format confused it.  I ran autoreconf and then the configure/make 
process worked as expected.

Thank you,

Andy