Menu
▾
▴
sshguard-users — User questions and answers, bugs, and general support
You can subscribe to this list here.
| 2007 |
Jan
|
Feb
|
Mar
(10) |
Apr
(7) |
May
(6) |
Jun
(13) |
Jul
(4) |
Aug
|
Sep
|
Oct
(17) |
Nov
(5) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 |
Jan
(2) |
Feb
|
Mar
|
Apr
(4) |
May
(2) |
Jun
(7) |
Jul
(10) |
Aug
(4) |
Sep
(14) |
Oct
|
Nov
(1) |
Dec
(7) |
| 2009 |
Jan
(17) |
Feb
(20) |
Mar
(11) |
Apr
(14) |
May
(8) |
Jun
(3) |
Jul
(22) |
Aug
(9) |
Sep
(8) |
Oct
(6) |
Nov
(4) |
Dec
(8) |
| 2010 |
Jan
(17) |
Feb
(9) |
Mar
(15) |
Apr
(24) |
May
(14) |
Jun
(1) |
Jul
(21) |
Aug
(6) |
Sep
(2) |
Oct
(2) |
Nov
(6) |
Dec
(9) |
| 2011 |
Jan
(11) |
Feb
(1) |
Mar
(3) |
Apr
(4) |
May
|
Jun
|
Jul
(2) |
Aug
(3) |
Sep
(2) |
Oct
(29) |
Nov
(1) |
Dec
(1) |
| 2012 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
(13) |
May
(4) |
Jun
(9) |
Jul
(2) |
Aug
(2) |
Sep
(1) |
Oct
(2) |
Nov
(11) |
Dec
(4) |
| 2013 |
Jan
(2) |
Feb
(2) |
Mar
(4) |
Apr
(13) |
May
(4) |
Jun
|
Jul
|
Aug
(1) |
Sep
(5) |
Oct
(3) |
Nov
(1) |
Dec
(3) |
| 2014 |
Jan
|
Feb
(3) |
Mar
(3) |
Apr
(6) |
May
(8) |
Jun
|
Jul
|
Aug
(1) |
Sep
(1) |
Oct
(3) |
Nov
(14) |
Dec
(8) |
| 2015 |
Jan
(16) |
Feb
(30) |
Mar
(20) |
Apr
(5) |
May
(33) |
Jun
(11) |
Jul
(15) |
Aug
(91) |
Sep
(23) |
Oct
(10) |
Nov
(7) |
Dec
(9) |
| 2016 |
Jan
(22) |
Feb
(8) |
Mar
(6) |
Apr
(23) |
May
(38) |
Jun
(29) |
Jul
(43) |
Aug
(43) |
Sep
(18) |
Oct
(8) |
Nov
(2) |
Dec
(25) |
| 2017 |
Jan
(38) |
Feb
(3) |
Mar
(1) |
Apr
|
May
(18) |
Jun
(2) |
Jul
(16) |
Aug
(2) |
Sep
|
Oct
(1) |
Nov
(4) |
Dec
(14) |
| 2018 |
Jan
(15) |
Feb
(2) |
Mar
(3) |
Apr
(5) |
May
(8) |
Jun
(12) |
Jul
(19) |
Aug
(16) |
Sep
(8) |
Oct
(13) |
Nov
(15) |
Dec
(10) |
| 2019 |
Jan
(9) |
Feb
(3) |
Mar
|
Apr
(2) |
May
|
Jun
(1) |
Jul
|
Aug
(5) |
Sep
(5) |
Oct
(12) |
Nov
(4) |
Dec
|
| 2020 |
Jan
(2) |
Feb
(6) |
Mar
|
Apr
|
May
(11) |
Jun
(1) |
Jul
(3) |
Aug
(22) |
Sep
(8) |
Oct
|
Nov
(2) |
Dec
|
| 2021 |
Jan
(7) |
Feb
|
Mar
(19) |
Apr
|
May
(10) |
Jun
(5) |
Jul
(7) |
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(10) |
Dec
(4) |
| 2022 |
Jan
(17) |
Feb
|
Mar
(7) |
Apr
(3) |
May
|
Jun
(1) |
Jul
(3) |
Aug
|
Sep
|
Oct
(6) |
Nov
|
Dec
|
| 2023 |
Jan
|
Feb
(5) |
Mar
(1) |
Apr
(3) |
May
|
Jun
(3) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
(6) |
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(3) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2025 |
Jan
|
Feb
|
Mar
(15) |
Apr
(8) |
May
(10) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: <ha...@la...> - 2007-06-24 09:09:16
|
Hi all, I hope coredumping on 'syslogd reload' is not intended behaviour. System: FreeBSD 6.2-RELEASE, IPFW, sshguard-ipfw-1.0_1, syslog line : auth.info;authpriv.info | exec /usr/local/sbin/sshguard -a 1 ps axgwww | grep sshguard 51586 ?? Ss 0:00.01 /usr/local/sbin/sshguard -a 1 /etc/rc.d/syslogd reload Reloading syslogd config files. 10:36:45 sshguard[51586]: Got exit signal, flushing blocked addresses and exiting... 10:36:45 kernel: pid 51586 (sshguard), uid 0: exited on signal 6 (core dumped) 10:36:45 sshguard[55614]: Started successfully [(a,p,s)=(1, 420, 1200)], now ready to scan. So the old sshguard dumps core, and the new one starts fine (and works too: 01:30:32 sshguard[55614]: Blocking 221.204.251.32: 2 failures over 4 seconds. 01:30:32 sshguard[55614]: running: '/sbin/ipfw add 55021 drop ip from 221.204.251.32 to me' 01:39:27 sshguard[55614]: Releasing 221.204.251.32 after 535 seconds. 01:39:27 sshguard[55614]: running: '/sbin/ipfw delete 55021' ) Here's a backtrace of one of sshguard's coredumps: gdb /usr/local/sbin/sshguard /sshguard.core GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)... Core was generated by `sshguard'. Program terminated with signal 6, Aborted. Reading symbols from /lib/libpthread.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/libpthread.so.2 Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done. Loaded symbols for /libexec/ld-elf.so.1 #0 0x280a7537 in pthread_testcancel () from /lib/libpthread.so.2 [New Thread 0x805a400 (sleeping)] [New Thread 0x805a200 (LWP 100231)] [New Thread 0x805a000 (LWP 100234)] (gdb) bt #0 0x280a7537 in pthread_testcancel () from /lib/libpthread.so.2 #1 0x2809689a in sigaction () from /lib/libpthread.so.2 #2 0x2809088d in pthread_kill () from /lib/libpthread.so.2 #3 0x28090256 in raise () from /lib/libpthread.so.2 #4 0x28169b78 in abort () from /lib/libc.so.6 #5 0x28106fdb in _UTF8_init () from /lib/libc.so.6 #6 0xbfbfef58 in ?? () #7 0x28170dd3 in sys_nsig () from /lib/libc.so.6 #8 0x28170cd3 in sys_nsig () from /lib/libc.so.6 #9 0x28170d30 in sys_nsig () from /lib/libc.so.6 #10 0x00000000 in ?? () #11 0x2817bd80 in ?? () from /lib/libc.so.6 #12 0xbfbfed18 in ?? () #13 0x28107009 in _UTF8_init () from /lib/libc.so.6 #14 0x2817bd80 in ?? () from /lib/libc.so.6 #15 0x08050bb0 in optarg () #16 0xbfbfedc8 in ?? () #17 0x28107d69 in _UTF8_init () from /lib/libc.so.6 #18 0x00000000 in ?? () #19 0xbfbfed64 in ?? () #20 0x2807b200 in ?? () #21 0x0104887f in ?? () #22 0x0bea6495 in ?? () #23 0x280bef6a in ?? () from /lib/libc.so.6 #24 0x28074558 in ?? () from /libexec/ld-elf.so.1 #25 0x280aa4b4 in ?? () from /lib/libpthread.so.2 #26 0x08052800 in ?? () #27 0x00000000 in ?? () #28 0x00000000 in ?? () #29 0x00000000 in ?? () #30 0x28170dc5 in sys_nsig () from /lib/libc.so.6 #31 0x00000001 in ?? () #32 0xbfbfed9c in ?? () #33 0x280a83d1 in __error () from /lib/libpthread.so.2 Previous frame inner to this frame (corrupt stack?) I hope this is enough info, I can make a debug build if needed. So, is coredumping on 'syslogd reload' intended or is this a bug, or am I doing something wrong ? regards, Hans Lambermont |
|
From: Akis M. <ph...@at...> - 2007-06-18 17:10:30
|
O/H Mij έγραψε: > hello akis > > > >> Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address >> 194.24.158.16 >> Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 >> failures over 12 seconds. >> > > good to see helpful debugging messages in your report, bravo. > These pair of lines tells you that sshguard correctly resolved the > hostname to address 194.24.158.16, > and then blocked this IP. > > > >> iptables -L: >> >> Chain sshguard (0 references) >> target prot opt source destination >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> DROP 0 -- lime-gw16.one.at anywhere >> >> >> >> The strange thing, is that the DROP Rule, contains the hostname of the >> "attacker", and NOT the IP address. >> > > this is iptables reversing addresses for better readability: with > "iptables -Ln" you should > get 194.24.158.16 . > > sshguard did its job in putting the blocking rule in the "sshguard" > chain, so I guess > this address is not blocked because you have not demanded the INPUT > chain to this one, > possible? > > "iptables -Ln" should give you > > Chain INPUT (policy ACCEPT) > target prot opt source destination > sshguard tcp -- anywhere anywhere tcp dpt:ssh > > [...] > > if this is missing, follow the commands in > http://sshguard.sourceforge.net/doc/setup/blockingiptables.html > > bye > > >> Running an nslookup in lime-gw16.one.at gives: >> >> Server: 193.92.150.3 >> Address: 193.92.150.3#53 >> >> Non-authoritative answer: >> Name: lime-gw16.one.at >> Address: 194.24.158.16 >> >> Which successfully resolves to the "attacker' s" IP. But does not >> block >> the attacker.. >> What is going wrong? I guess it has something to do with the hostname >> and not the IP in the drop Rule. >> >> >> >> >> P.S. >> I should point out, that the detected "attacker's" IP is a friend of >> mine, trying to test the behavior of sshguard, not an actual attacker. >> >> >> >> >> >> >> ---------------------------------------------------------------------- >> --- >> This SF.net email is sponsored by DB2 Express >> Download DB2 Express C - the FREE version of DB2 express and take >> control of your XML. No limits. Just data. Click to get it now. >> http://sourceforge.net/powerbar/db2/ >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > oops, I forgot to input this command: iptables -A INPUT -p tcp --dport 22 -j sshguard Works like a charm now ! You were correct Thank you Mij :) |
|
From: Mij <mi...@bi...> - 2007-06-17 21:58:50
|
hello akis > Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address > 194.24.158.16 > Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 > failures over 12 seconds. good to see helpful debugging messages in your report, bravo. These pair of lines tells you that sshguard correctly resolved the hostname to address 194.24.158.16, and then blocked this IP. > iptables -L: > > Chain sshguard (0 references) > target prot opt source destination > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > DROP 0 -- lime-gw16.one.at anywhere > > > > The strange thing, is that the DROP Rule, contains the hostname of the > "attacker", and NOT the IP address. this is iptables reversing addresses for better readability: with "iptables -Ln" you should get 194.24.158.16 . sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible? "iptables -Ln" should give you Chain INPUT (policy ACCEPT) target prot opt source destination sshguard tcp -- anywhere anywhere tcp dpt:ssh [...] if this is missing, follow the commands in http://sshguard.sourceforge.net/doc/setup/blockingiptables.html bye > Running an nslookup in lime-gw16.one.at gives: > > Server: 193.92.150.3 > Address: 193.92.150.3#53 > > Non-authoritative answer: > Name: lime-gw16.one.at > Address: 194.24.158.16 > > Which successfully resolves to the "attacker' s" IP. But does not > block > the attacker.. > What is going wrong? I guess it has something to do with the hostname > and not the IP in the drop Rule. > > > > > P.S. > I should point out, that the detected "attacker's" IP is a friend of > mine, trying to test the behavior of sshguard, not an actual attacker. > > > > > > > ---------------------------------------------------------------------- > --- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Akis M. <ph...@at...> - 2007-06-17 21:18:37
|
Hello,
Trying to get sshguard to work, I've come to a strange problem.
Testing it from LAN environment, sshguard successfully blocks the LAN
attacker.
In the case the attacker is from an non LAN IP, it detects the attack
and applies the IPTABLE rule
/var/log/auth.log:
Jun 17 23:46:48 sextus sshd[4590]: Invalid user avl from 194.24.158.16
Jun 17 23:46:48 sextus sshd[4590]: Failed none for invalid user avl from
194.24.158.16 port 28446 ssh2
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: check pass; user unknown
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=194.24.158.16
Jun 17 23:47:51 sextus sshd[4590]: Failed password for invalid user avl
from 194.24.158.16 port 28446 ssh2
Jun 17 23:47:52 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:52 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 63 seconds.
Jun 17 23:47:52 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:07 sextus sshd[4609]: Invalid user avl from 194.24.158.16
Jun 17 23:49:07 sextus sshd[4609]: Failed none for invalid user avl from
194.24.158.16 port 28723 ssh2
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:49:46 sextus sshd[4609]: Failed password for invalid user avl
from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:47 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:47 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 39 seconds.
Jun 17 23:49:47 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:57 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:58 sextus sshd[4609]: Failed password for invalid user avl
from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:59 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:10 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:50:13 sextus sshd[4609]: Failed password for invalid user avl
from 194.24.158.16 port 28723 ssh2
Jun 17 23:50:14 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Invalid user avl from 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Failed none for invalid user avl from
194.24.158.16 port 28926 ssh2
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:30 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 31 seconds.
Jun 17 23:50:30 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:50:36 sextus sshd[4631]: Failed password for invalid user avl
from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:37 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:43 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:45 sextus sshd[4631]: Failed password for invalid user avl
from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:46 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:46 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 16 seconds.
Jun 17 23:50:46 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:50 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:52 sextus sshd[4631]: Failed password for invalid user avl
from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Invalid user avl from 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Failed none for invalid user avl from
194.24.158.16 port 28995 ssh2
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 9 seconds.
Jun 17 23:51:02 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:51:08 sextus sshd[4636]: Failed password for invalid user avl
from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:09 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:10 sextus sshd[4636]: Failed password for invalid user avl
from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:11 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:14 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:16 sextus sshd[4636]: Failed password for invalid user avl
from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:17 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:17 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 8 seconds.
Jun 17 23:51:17 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:40 sextus sshd[4650]: Invalid user \316\261\316\262\316\273
from 194.24.158.16
Jun 17 23:51:40 sextus sshd[4650]: Failed none for invalid user
\316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:52 sextus sshd(pam_unix)[4650]: bad username [αβλ]
Jun 17 23:51:52 sextus sshd[4650]: Failed password for invalid user
\316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3
failures over 12 seconds.
iptables -L:
Chain sshguard (0 references)
target prot opt source destination
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
The strange thing, is that the DROP Rule, contains the hostname of the
"attacker", and NOT the IP address.
Running an nslookup in lime-gw16.one.at gives:
Server: 193.92.150.3
Address: 193.92.150.3#53
Non-authoritative answer:
Name: lime-gw16.one.at
Address: 194.24.158.16
Which successfully resolves to the "attacker' s" IP. But does not block
the attacker..
What is going wrong? I guess it has something to do with the hostname
and not the IP in the drop Rule.
P.S.
I should point out, that the detected "attacker's" IP is a friend of
mine, trying to test the behavior of sshguard, not an actual attacker.
|
|
From: Mij <mi...@bi...> - 2007-06-05 12:27:43
|
I have finally released sshguard 1.0 stable. This major version has a lot of new features with respect to 0.9, notably support for IPv6, address whitelisting and a powerful parser that supports several logging formats (like multilog) and automatically recognizes and translates host names in log messages. The relevant hooks for more informations are wrapped here: http://sourceforge.net/forum/forum.php?forum_id=701923 The source code is available here: http://downloads.sourceforge.net/sshguard/sshguard-1.0.tar.bz2 bye |
|
From: Mij <mi...@bi...> - 2007-05-22 12:02:38
|
On 22/mag/07, at 05:36, Truffe Champagne wrote:
> Hi Mij
>
> I have solved the message loop problem specifying in the
> /etc/syslog-ng/syslog-ng.conf,
>
> filter sshlogs { facility(auth, authpriv) and match('^sshd\['); };
> destination sshguardproc { program("/usr/local/sbin/sshguard"
> template("$DATE $FULLHOST $MESSAGE\n")); };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
>
> "match('^sshd\[')" can solve the problem. If this is not specified,
> message containing
> "sshd" in any position in the log can be parsed into sshguard.
This is correct because the parsing result logging includes the original
string, which contained sshd and is then passed again in a loop.
Sorry for having missed that.
> I think it's better to include this instruction for README/manuals.
> Otherwise,
> some people could get huge log files and use up disk quota :-)
I have chosen to remove that parser result logging, which is definitely
excessive even for DEBUG. This is simpler, cleaner and spares some
load to the logging system. This will appear in beta3, along with a
slighlty
modified backend for iptables.
If you like to apply this modification immediately, you can remove the
sshguard_log() line in src/sshguard.c, line 142 and recompile the app.
thanks for your trials and reports
> Thanks,
> truffe.
>
> ----------------------------------------------------------------------
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Truffe C. <tru...@gm...> - 2007-05-22 03:37:01
|
Hi Mij
I have solved the message loop problem specifying in the
/etc/syslog-ng/syslog-ng.conf,
filter sshlogs { facility(auth, authpriv) and match('^sshd\['); };
destination sshguardproc { program("/usr/local/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n")); };
log { source(src); filter(sshlogs); destination(sshguardproc); };
"match('^sshd\[')" can solve the problem. If this is not specified,
message containing
"sshd" in any position in the log can be parsed into sshguard.
I think it's better to include this instruction for README/manuals. Otherwise,
some people could get huge log files and use up disk quota :-)
Thanks,
truffe.
|
|
From: Truffe C. <tru...@gm...> - 2007-05-22 02:33:13
|
Hi Mij,
> If you use syslog-ng I suggest you to go the simpler (#2): specify
> the following
> filter for sshguard
> filter sshlogs { facility(auth, authpriv) and match
> ("sshd"); };
According to the instruction, I have included following lines in the
/etc/syslog-ng/syslog-ng.conf:
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
destination sshguardproc { program("/usr/local/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n")); };
log { source(src); filter(sshlogs); destination(sshguardproc); };
Then syslog-ng was restarted well with following message:
May 22 11:01:57 hostname sshguard[4098]: Started successfully
[(a,p,s)=(4, 420, 1200)], now ready to scan.
However, at the first remote ssh login after restarting syslog-ng,
same message loop happened.
If I use tail option, tail -n0 -F /var/log/messages | /usr/local/sbin/sshguard,
I got similar result.
truffe
> On 21/mag/07, at 19:09, Truffe Champagne wrote:
>
> > I have installed sshguard-1.0beta2 on suse 10.1 with iptables,
> > following instruction described in README.
> > Installation and configuration following README seemed to work fine.
> >
> > However, after killall -HUP syslog-ng, HUGE amount
> > (several GBs in a few minutes) of log is written in /var/log/
> > messages .
> > The messages are just in finite repeat of following message:
> >
> > ++++++++++++++++++++++++++++++++++
> > May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22
> > 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01
> > hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]:
> > Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line
> > 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ':
> > skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip.
> > ': skip.
> > ++++++++++++++++++++++++++++++++++
> >
> > Now sshguard is stopped by commenting syslog-ng conf file and restart
> > syslog-ng.
> >
> > Probably I have mistaken at some steps in configuration.
> > Is someone tell me what is wrong in my configuration?
> >
> > Thanks,
> >
> > ----------------------------------------------------------------------
> > ---
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
|
|
From: Mij <mi...@bi...> - 2007-05-21 20:55:07
|
Truffe,
this is the mechanism that causes that loop:
1) log lines of the auth facility are given to sshguard
2) sshguard parses each line; the parser generates a log message
with "debug" level on its work result. All sshguard logging happens to
the auth facility
3) syslog takes these logs back to sshguard which then generates
further logging
I was aware of this possibility and relied on either of these
assumptions
for avoiding step 3 (and thus the whole loop):
# debug logs are typically discarded or directed to a specific log
file, e.g. "debug.log"
# log messages with "sshd" are filtered before passing to sshguard
If you use syslog-ng I suggest you to go the simpler (#2): specify
the following
filter for sshguard
filter sshlogs { facility(auth, authpriv) and match
("sshd"); };
In the future I will possibly remove that debug message.
Thanks for making me put this remark on the archives.
On 21/mag/07, at 19:09, Truffe Champagne wrote:
> I have installed sshguard-1.0beta2 on suse 10.1 with iptables,
> following instruction described in README.
> Installation and configuration following README seemed to work fine.
>
> However, after killall -HUP syslog-ng, HUGE amount
> (several GBs in a few minutes) of log is written in /var/log/
> messages .
> The messages are just in finite repeat of following message:
>
> ++++++++++++++++++++++++++++++++++
> May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22
> 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01
> hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]:
> Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line
> 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ':
> skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip.
> ': skip.
> ++++++++++++++++++++++++++++++++++
>
> Now sshguard is stopped by commenting syslog-ng conf file and restart
> syslog-ng.
>
> Probably I have mistaken at some steps in configuration.
> Is someone tell me what is wrong in my configuration?
>
> Thanks,
>
> ----------------------------------------------------------------------
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Truffe C. <tru...@gm...> - 2007-05-21 17:09:55
|
I have installed sshguard-1.0beta2 on suse 10.1 with iptables, following instruction described in README. Installation and configuration following README seemed to work fine. However, after killall -HUP syslog-ng, HUGE amount (several GBs in a few minutes) of log is written in /var/log/messages . The messages are just in finite repeat of following message: ++++++++++++++++++++++++++++++++++ May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]: Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ++++++++++++++++++++++++++++++++++ Now sshguard is stopped by commenting syslog-ng conf file and restart syslog-ng. Probably I have mistaken at some steps in configuration. Is someone tell me what is wrong in my configuration? Thanks, |
|
From: Mij <mi...@bi...> - 2007-05-09 00:17:45
|
sshguard 1.0 has just been released. While it has a lot of improvements, please notice that it is a beta version. The announcement on the project news has more info on this release: http://sourceforge.net/forum/forum.php?forum_id=693985 bye |
|
From: Mij <mi...@bi...> - 2007-04-16 19:08:06
|
On 16/apr/07, at 19:51, Philip Kizer wrote: > Through a series of links, I made my way to sshguard which looks > functional enough for my systems that do not have pf(4) and its built- > in limits available. One of them was: > > http://hawking.nonlogic.org/#e2007-03-12T03_45_55.txt > > that also contains a modification to the SSHCRACK_REGEX pattern. thank you for reporting this. Covering *all* the possible attack patterns (they vary on different OSes) is tough and I've thus provided http://sshguard.sourceforge.net/newattackpatt.php for gathering and tracking them. I'm quite impressed I got more mails with patches extending SSHCRACK_REGEX than example submissions to this page. In any case, in version sshguard 1.0 (soon to be released) SSHCRACK_REGEX does no longer exist (replaced by a grammar-based context-free parser). The grammar of this parser will take into account the user-submitted extensions I got for the regex. > > Playing with the program I also want to make sure certain hosts are > never blocked for a variety of reasons. Ideally I would prefer to > match on a set of CIDR blocks/etc like I can innately with pf(4), but > since some of my systems cannot do that I added another regex. the whitelist thing is a very good idea for a new feature. Anyway,a boolean function that takes the candidate IP and tells if it can be blocked appears more elegant and flexible than a further parser. White patterns could be added on the command line, e.g. with "-w 10.11.12.0/24". > Here is a patch that includes the one from the hawking page as well > as a trivial white-list addition: > > diff -ru sshguard-0.91-orig/sshguard.c sshguard-0.91/sshguard.c > --- sshguard-0.91-orig/sshguard.c 2007-02-10 09:40:17.000000000 -0600 > +++ sshguard-0.91/sshguard.c 2007-04-16 12:41:00.000000000 -0500 > @@ -41,6 +41,7 @@ > void sighand(int sig); > regex_t crackre; > +regex_t whitere; > int main(int argc, char *argv[]) { > char ip[IP_LEN], logline[MAX_LOGLINE_LEN]; > @@ -56,6 +57,13 @@ > exit(1); > } > + retv = regcomp(&whitere, SSHGUARD_WHITELIST, REG_EXTENDED); > + if (retv != 0) { > + regerror(retv, &whitere, logline, MAX_LOGLINE_LEN); > + fprintf(stderr, "%s\n", logline); > + exit(1); > + } > + > list_init(&limbo); > list_init(&hell); > @@ -107,13 +115,19 @@ > /* extract the IP address */ > extractIP(logline, ip, pmatch[REGEXIPENTRY].rm_so, pmatch > [REGEXIPENTRY].rm_eo); > sshguard_log(LOG_DEBUG, "Matched IP address %s\n", ip); > - > + > + if ( regexec(&whitere, ip, 0, NULL, 0) == 0 ) { > + sshguard_log(LOG_DEBUG, "Ignoring IP address, matched > whitelist: %s\n", ip); > + continue; > + } > + > /* report IP */ > reportIP(ip); > } > /* cleanup */ > regfree(&crackre); > + regfree(&whitere); > if (fw_fin() != 0) sshguard_log(LOG_ERR, "Cound not finalize > firewall."); > sshguard_log_fin(); > @@ -228,6 +242,7 @@ > closelog(); > regfree(&crackre); > + regfree(&whitere); > exit(0); > } > diff -ru sshguard-0.91-orig/sshguard.h sshguard-0.91/sshguard.h > --- sshguard-0.91-orig/sshguard.h 2007-02-10 09:00:47.000000000 -0600 > +++ sshguard-0.91/sshguard.h 2007-04-16 12:41:15.000000000 -0500 > @@ -17,8 +17,10 @@ > * > */ > /* regex for log entries representing brute force trials */ > -#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User) .+from ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9] > ([0-9])?)(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3}) > ( not allowed)?" > +#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| > Invalid user|User|pam_unix\\(sshd:auth\\): authentication failure;).+ > (from |rhost=)((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\\.(25 > [0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3})( not allowed)?" > /* field number in SSHCRACK_REGEX containing the attacker IP > address */ > -#define REGEXIPENTRY 2 > +#define REGEXIPENTRY 3 > + > +#define SSHGUARD_WHITELIST "ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\ > \.BLOCK\\." > #endif > > > ---------------------------------------------------------------------- > --- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Philip K. <pc...@no...> - 2007-04-16 17:51:35
|
Through a series of links, I made my way to sshguard which looks functional enough for my systems that do not have pf(4) and its built- in limits available. One of them was: http://hawking.nonlogic.org/#e2007-03-12T03_45_55.txt that also contains a modification to the SSHCRACK_REGEX pattern. Playing with the program I also want to make sure certain hosts are never blocked for a variety of reasons. Ideally I would prefer to match on a set of CIDR blocks/etc like I can innately with pf(4), but since some of my systems cannot do that I added another regex. Here is a patch that includes the one from the hawking page as well as a trivial white-list addition: diff -ru sshguard-0.91-orig/sshguard.c sshguard-0.91/sshguard.c --- sshguard-0.91-orig/sshguard.c 2007-02-10 09:40:17.000000000 -0600 +++ sshguard-0.91/sshguard.c 2007-04-16 12:41:00.000000000 -0500 @@ -41,6 +41,7 @@ void sighand(int sig); regex_t crackre; +regex_t whitere; int main(int argc, char *argv[]) { char ip[IP_LEN], logline[MAX_LOGLINE_LEN]; @@ -56,6 +57,13 @@ exit(1); } + retv = regcomp(&whitere, SSHGUARD_WHITELIST, REG_EXTENDED); + if (retv != 0) { + regerror(retv, &whitere, logline, MAX_LOGLINE_LEN); + fprintf(stderr, "%s\n", logline); + exit(1); + } + list_init(&limbo); list_init(&hell); @@ -107,13 +115,19 @@ /* extract the IP address */ extractIP(logline, ip, pmatch[REGEXIPENTRY].rm_so, pmatch [REGEXIPENTRY].rm_eo); sshguard_log(LOG_DEBUG, "Matched IP address %s\n", ip); - + + if ( regexec(&whitere, ip, 0, NULL, 0) == 0 ) { + sshguard_log(LOG_DEBUG, "Ignoring IP address, matched whitelist: %s\n", ip); + continue; + } + /* report IP */ reportIP(ip); } /* cleanup */ regfree(&crackre); + regfree(&whitere); if (fw_fin() != 0) sshguard_log(LOG_ERR, "Cound not finalize firewall."); sshguard_log_fin(); @@ -228,6 +242,7 @@ closelog(); regfree(&crackre); + regfree(&whitere); exit(0); } diff -ru sshguard-0.91-orig/sshguard.h sshguard-0.91/sshguard.h --- sshguard-0.91-orig/sshguard.h 2007-02-10 09:00:47.000000000 -0600 +++ sshguard-0.91/sshguard.h 2007-04-16 12:41:15.000000000 -0500 @@ -17,8 +17,10 @@ * */ /* regex for log entries representing brute force trials */ -#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| Invalid user|User) .+from ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9] ([0-9])?)(\\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3}) ( not allowed)?" +#define SSHCRACK_REGEX "sshd\\[[0-9]+\\]: (Failed|Illegal user| Invalid user|User|pam_unix\\(sshd:auth\\): authentication failure;).+ (from |rhost=)((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?)(\\.(25 [0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]([0-9])?|0)){3})( not allowed)?" /* field number in SSHCRACK_REGEX containing the attacker IP address */ -#define REGEXIPENTRY 2 +#define REGEXIPENTRY 3 + +#define SSHGUARD_WHITELIST "ADD\\.SOME\\.IP\\.HERE|OR\\.SUBNET\ \.BLOCK\\." #endif |
|
From: David V. K. <dk...@su...> - 2007-04-05 12:54:16
|
I have moved my SSH accept rule to a higher number than 55050 which solves the issues I mentioned. Many thanks for your prompt replies! -David On 03.04.2007, at 23:48, Mij wrote: > I suppose you opted in for "Use IPFW as firewall backend". > > In this case, can you see blocking rules just after a "Blocking > 1.2.3.4: 4 failures over X seconds"? > get ipfw rules with "ipfw list". Sshguard rule IDs in IPFW range > between 55000 and 55050 by default. > > It is likely that you have ssh enabled in a higher rules, so those > blocking rules are not passed (IPFW > has a "first match win" policy) > > > On 03/apr/07, at 23:20, David V. Kocher wrote: > >> I use IPFW. The sshguard version installed is from ports >> (sshguard-0.91_1) [1]. >> >> -David >> >> [1] http://www.freshports.org/security/sshguard/ >> >> On 03.04.2007, at 23:01, Mij wrote: >> >>> hello david >>> >>> what firewall are you using on you freebsd box? Is the sshguard fw >>> backend consistent with it? >>> >>> >>> On 03/apr/07, at 17:27, David V. Kocher wrote: >>> >>>> I can see the following in my log >>>>> Apr 2 20:23:19 gdp-bsd-231-218 sshguard[118]: Blocking >>>>> 195.140.140.35: 4 failures over 0 seconds. >>>>> Apr 2 20:23:19 gdp-bsd-231-218 sshd[782]: Failed password for >>>>> illegal user rpc from 195.140.140.35 port 47790 ssh2 >>>>> Apr 2 20:23:20 gdp-bsd-231-218 sshd[787]: Failed password for >>>>> illegal user gopher from 195.140.140.35 port 47817 ssh2 >>>>> Apr 2 20:30:44 gdp-bsd-231-218 sshguard[118]: Release command >>>>> failed. Exited: 17664 >>>>> >>>> >>>> I am wondering why there are still failed login attempts after >>>> sshguard claims to have blocked the IP address in question and what >>>> the 'Release command failed' error message which appears numerous >>>> times means. >>>> >>>> My system is FreeBSD 5.4-RELEASE-p14. >>>> >>>> Thanks. >>>> -David >>>> >>>> ------------------------------------------------------------------- >>>> - >>>> -- >>>> --- >>>> Take Surveys. Earn Cash. Influence the Future of IT >>>> Join SourceForge.net's Techsay panel and you'll get the chance to >>>> share your >>>> opinions on IT & business topics through brief surveys-and earn >>>> cash >>>> http://www.techsay.com/default.php? >>>> page=join.php&p=sourceforge&CID=DEVDEV >>>> _______________________________________________ >>>> Sshguard-users mailing list >>>> Ssh...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>> >>> >>> -------------------------------------------------------------------- >>> - >>> ---- >>> Take Surveys. Earn Cash. Influence the Future of IT >>> Join SourceForge.net's Techsay panel and you'll get the chance to >>> share your >>> opinions on IT & business topics through brief surveys-and earn cash >>> http://www.techsay.com/default.php? >>> page=join.php&p=sourceforge&CID=DEVDEV >>> _______________________________________________ >>> Sshguard-users mailing list >>> Ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>> >> > > > ---------------------------------------------------------------------- > --- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to > share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php? > page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
|
From: Mij <mi...@bi...> - 2007-04-03 21:48:27
|
I suppose you opted in for "Use IPFW as firewall backend". In this case, can you see blocking rules just after a "Blocking 1.2.3.4: 4 failures over X seconds"? get ipfw rules with "ipfw list". Sshguard rule IDs in IPFW range between 55000 and 55050 by default. It is likely that you have ssh enabled in a higher rules, so those blocking rules are not passed (IPFW has a "first match win" policy) On 03/apr/07, at 23:20, David V. Kocher wrote: > I use IPFW. The sshguard version installed is from ports > (sshguard-0.91_1) [1]. > > -David > > [1] http://www.freshports.org/security/sshguard/ > > On 03.04.2007, at 23:01, Mij wrote: > >> hello david >> >> what firewall are you using on you freebsd box? Is the sshguard fw >> backend consistent with it? >> >> >> On 03/apr/07, at 17:27, David V. Kocher wrote: >> >>> I can see the following in my log >>>> Apr 2 20:23:19 gdp-bsd-231-218 sshguard[118]: Blocking >>>> 195.140.140.35: 4 failures over 0 seconds. >>>> Apr 2 20:23:19 gdp-bsd-231-218 sshd[782]: Failed password for >>>> illegal user rpc from 195.140.140.35 port 47790 ssh2 >>>> Apr 2 20:23:20 gdp-bsd-231-218 sshd[787]: Failed password for >>>> illegal user gopher from 195.140.140.35 port 47817 ssh2 >>>> Apr 2 20:30:44 gdp-bsd-231-218 sshguard[118]: Release command >>>> failed. Exited: 17664 >>>> >>> >>> I am wondering why there are still failed login attempts after >>> sshguard claims to have blocked the IP address in question and what >>> the 'Release command failed' error message which appears numerous >>> times means. >>> >>> My system is FreeBSD 5.4-RELEASE-p14. >>> >>> Thanks. >>> -David >>> >>> -------------------------------------------------------------------- >>> -- >>> --- >>> Take Surveys. Earn Cash. Influence the Future of IT >>> Join SourceForge.net's Techsay panel and you'll get the chance to >>> share your >>> opinions on IT & business topics through brief surveys-and earn cash >>> http://www.techsay.com/default.php? >>> page=join.php&p=sourceforge&CID=DEVDEV >>> _______________________________________________ >>> Sshguard-users mailing list >>> Ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> >> >> --------------------------------------------------------------------- >> ---- >> Take Surveys. Earn Cash. Influence the Future of IT >> Join SourceForge.net's Techsay panel and you'll get the chance to >> share your >> opinions on IT & business topics through brief surveys-and earn cash >> http://www.techsay.com/default.php? >> page=join.php&p=sourceforge&CID=DEVDEV >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > |
|
From: David V. K. <dk...@su...> - 2007-04-03 21:20:51
|
I use IPFW. The sshguard version installed is from ports (sshguard-0.91_1) [1]. -David [1] http://www.freshports.org/security/sshguard/ On 03.04.2007, at 23:01, Mij wrote: > hello david > > what firewall are you using on you freebsd box? Is the sshguard fw > backend consistent with it? > > > On 03/apr/07, at 17:27, David V. Kocher wrote: > >> I can see the following in my log >>> Apr 2 20:23:19 gdp-bsd-231-218 sshguard[118]: Blocking >>> 195.140.140.35: 4 failures over 0 seconds. >>> Apr 2 20:23:19 gdp-bsd-231-218 sshd[782]: Failed password for >>> illegal user rpc from 195.140.140.35 port 47790 ssh2 >>> Apr 2 20:23:20 gdp-bsd-231-218 sshd[787]: Failed password for >>> illegal user gopher from 195.140.140.35 port 47817 ssh2 >>> Apr 2 20:30:44 gdp-bsd-231-218 sshguard[118]: Release command >>> failed. Exited: 17664 >>> >> >> I am wondering why there are still failed login attempts after >> sshguard claims to have blocked the IP address in question and what >> the 'Release command failed' error message which appears numerous >> times means. >> >> My system is FreeBSD 5.4-RELEASE-p14. >> >> Thanks. >> -David >> >> --------------------------------------------------------------------- >> - >> --- >> Take Surveys. Earn Cash. Influence the Future of IT >> Join SourceForge.net's Techsay panel and you'll get the chance to >> share your >> opinions on IT & business topics through brief surveys-and earn cash >> http://www.techsay.com/default.php? >> page=join.php&p=sourceforge&CID=DEVDEV >> _______________________________________________ >> Sshguard-users mailing list >> Ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > ---------------------------------------------------------------------- > --- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to > share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php? > page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
|
From: Mij <mi...@bi...> - 2007-04-03 21:02:12
|
hello david what firewall are you using on you freebsd box? Is the sshguard fw backend consistent with it? On 03/apr/07, at 17:27, David V. Kocher wrote: > I can see the following in my log >> Apr 2 20:23:19 gdp-bsd-231-218 sshguard[118]: Blocking >> 195.140.140.35: 4 failures over 0 seconds. >> Apr 2 20:23:19 gdp-bsd-231-218 sshd[782]: Failed password for >> illegal user rpc from 195.140.140.35 port 47790 ssh2 >> Apr 2 20:23:20 gdp-bsd-231-218 sshd[787]: Failed password for >> illegal user gopher from 195.140.140.35 port 47817 ssh2 >> Apr 2 20:30:44 gdp-bsd-231-218 sshguard[118]: Release command >> failed. Exited: 17664 >> > > I am wondering why there are still failed login attempts after > sshguard claims to have blocked the IP address in question and what > the 'Release command failed' error message which appears numerous > times means. > > My system is FreeBSD 5.4-RELEASE-p14. > > Thanks. > -David > > ---------------------------------------------------------------------- > --- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to > share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php? > page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: David V. K. <dk...@su...> - 2007-04-03 15:27:52
|
I can see the following in my log > Apr 2 20:23:19 gdp-bsd-231-218 sshguard[118]: Blocking > 195.140.140.35: 4 failures over 0 seconds. > Apr 2 20:23:19 gdp-bsd-231-218 sshd[782]: Failed password for > illegal user rpc from 195.140.140.35 port 47790 ssh2 > Apr 2 20:23:20 gdp-bsd-231-218 sshd[787]: Failed password for > illegal user gopher from 195.140.140.35 port 47817 ssh2 > Apr 2 20:30:44 gdp-bsd-231-218 sshguard[118]: Release command > failed. Exited: 17664 > I am wondering why there are still failed login attempts after sshguard claims to have blocked the IP address in question and what the 'Release command failed' error message which appears numerous times means. My system is FreeBSD 5.4-RELEASE-p14. Thanks. -David |
|
From: Mij <mi...@bi...> - 2007-03-17 14:46:45
|
1) you must reload syslogd AND make sshd generate some logging before checking 2) check with "ps ax | grep sshguard", not top On 2007-03-17 15:14:57 +0100 Noiano <no...@x-...> wrote: > Mij wrote: >> It may be the case that the space after the pipe symbol is taken as >> program name. Please try >> >> auth.info;authpriv.info |/usr/local/sbin/sshguard >> >> and let me know if it does not work. > The error is not displayed any more. However sshguard is not listed in > the top command. I assume there are still problems. > > Noiano > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to > share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV_______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
|
From: Noiano <no...@x-...> - 2007-03-17 14:15:25
|
Mij wrote: > It may be the case that the space after the pipe symbol is taken as > program name. Please try > > auth.info;authpriv.info |/usr/local/sbin/sshguard > > and let me know if it does not work. The error is not displayed any more. However sshguard is not listed in the top command. I assume there are still problems. Noiano |
|
From: Mij <mi...@bi...> - 2007-03-17 12:02:55
|
It may be the case that the space after the pipe symbol is taken as program name. Please try auth.info;authpriv.info |/usr/local/sbin/sshguard and let me know if it does not work. On 2007-03-17 09:22:21 +0100 Noiano <no...@x-...> wrote: > Mij wrote: >> If sshguard appears in the proc table then you can expect it is >> running >> properly. >> No idea why syslog logs that message with a correct path (I expect >> syslogd >> is >> running as root). >> >> Please try to you use simply >> >> auth.*;authpriv.* | /usr/local/sbin/sshguard >> >> (w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard >> running? >> > Same error and sshguard seems not to be running. I followed all > instruction step by step. What can be wrong? > > Noiano > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to > share your > opinions on IT & business topics through brief surveys-and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV_______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
|
From: Noiano <no...@x-...> - 2007-03-17 08:23:02
|
Mij wrote: > If sshguard appears in the proc table then you can expect it is=20 > running properly. > No idea why syslog logs that message with a correct path (I expect=20 > syslogd is > running as root). > > Please try to you use simply > > auth.*;authpriv.* | /usr/local/sbin/sshguard > > (w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard=20 > running? > =20 Same error and sshguard seems not to be running. I followed all instruction step by step. What can be wrong? Noiano |
|
From: Mij <mi...@bi...> - 2007-03-16 19:27:47
|
> Hi everybody > I have a little problem with sshguard. I followed the instruction in > the > readme file but syslogd says: "exec: /usr/local/sbin/sshguard : No > such > file or directory". If i type that path on a command line and then I > execute ps > > noiano 6731 0.0 0.0 9860 652 pts/1 Sl+ 11:52 0:00 > /usr/local/sbin/sshguard > > sshguard seems running. Is this related to the fact that I have the > sshd > logs stored in /var/log/daemon.log? > > How can I realize if sshguard is running properly? If sshguard appears in the proc table then you can expect it is running properly. No idea why syslog logs that message with a correct path (I expect syslogd is running as root). Please try to you use simply auth.*;authpriv.* | /usr/local/sbin/sshguard (w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard running? > Thanks for your help |
|
From: Mij <mi...@bi...> - 2007-03-16 19:15:38
|
On 2007-03-16 16:28:03 +0100 Kuroro <inf...@gm...> wrote:
> On open suse 10.2 i ran configure --prefix=/usr
> --with-firewall=iptables
> made the changes in fwalls/command.h file from /sbin/ to
> /usr/sbin
> make && make install
> i added
> iptables -N sshguard
> iptables -A INPUT -p tcp --dport 22 -j sshguard
> then i ran
> tail -n0 -f /var/log/messages | /usr/sbin/sshguard &
>
> ssh from another machine to the opensuse 10.2 box and it blocked
> the
> ip.
>
> The only issue now on the redhat machine and the open suse computer is
> setting up syslog to fire up sshguard when it a login is attempted
> from ssh
>
> I tried the adding the settings in your readme file but it did not
> work on
> redhat nor opensuse
>
> OpenSuse uses syslog-ng while redhat uses syslog.conf
>
> On openSuse i added the settings as in the documentation
> filter sshlogs { facility(authpriv) and match(ssh); };
> destination sshguardproc { program("/usr/sbin/sshguard"); };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
By default ssh logs with facility LOG_AUTH, not authpriv, so I don't
know why I suggested this. A correct one is instead
filter sshlogs { facility(auth, authpriv) and match("ssh"); };
[...]
I will fix this suggestion in the README file in the next release
> and on red hat
> # The authpriv file has restricted access.
> authpriv.*
> /var/log/secure
>
> authpriv.* |exec
> /usr/sbin/sshguard
Same here (with the exception that the suggestion is correct for this
one :) ),
so use instead
auth.*;authpriv.* | exec /usr/sbin/sshguard
Please try these and feel free to write in if they still do not work.
bye
> Both did not work, however both work when i run them manually on
> redhat
> tail -n0 -f /var/log/secure | /usr/sbin/sshguard &
> and on opensuse
> tail -n0 -f /var/log/message | /usr/sbin/sshguard &
>
> Keep up the good work
>
> Giovanni
|
|
From: Mij <mi...@bi...> - 2007-03-15 00:43:37
|
> On 3/14/07, Mij <mi...@bi...> wrote: >> >> > Hi all. >> > >> > I installed sshguard on Open suse. by >> > >> >> chmod +s /usr/sbin/sshguard >> >> > please don't make sshguard setuid. Besides being useless, this is very >> > lame and dangerous. A local user could simply run sshguard and feed it >> > some crafted lines of text with arbitrary IP addresses and make the >> > machine block them. This is a major mistake. >> I agree, i followed the README file when that did not worked for me, I >> followed what the article on > > http://applications.linux.com/article.pl?sid=07/02/27/1957242&tid=129&tid=47&tid=100&tid=35 > > > "Lastly, since sshguard needs to be able to tell iptables to add > and > drop dynamic rules, it needs permission to do so. Use the chmod command to > make the program run as root: > > chmod +s /usr/local/sbin/sshguard" I will put a note on the website discouraging to follow this > >> >> ln -s /usr/sbin/ip* /sbin/ >> >> >not idea what this orrible thing should serve for :) > > > When i tried version sshguard 0.9 with the scons.py > > python scons.py -Q FIREWALLTYPE=iptables > > I noticed this on my log file > > "sshguard[9731]:Started successfully [(a,p,s)=(3, 3, 1200)], now ready to > scan. > sshguard[9731]: Got exit signal, flushing blocked addresses and exiting... > sshguard[9731]: Running command "/sbin/iptables" > sshguard[9733]: Unable to exec(): No such file or directory > sshguard[9736]: Started successfully [(a,p,s)=(3, 3, 1200)], now ready to > scan. > " > after i created a link from /usr/sbin/ip*tables* to /sbin > that exec() error did not show in my logs any more. I assumed iptables being in always in /sbin under linux, as both the Linux hosts I tested on (Gentoo + debian) got iptables in there. I will make this ./configure -able in version 1.0. In the meantime, you can easily adjust the expected path in sshguard: 1) download and extract sshguard v. 0.91 2) run "./configure --with-firewall=iptables" 3) edit fwalls/command.h and replace all "/sbin/" tokens with "/usr/sbin/" 4) run "make && make install" > sshguard detects attackers by analyzing log entries it's given in its >> standard input. If it's not started by syslog-ng, the problem is in >> syslog-ng configuration. But for spotting this problem, just try to run >> sshguard manually like this (as root!): >> >> tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard >> >> replace auth.log with the file in which sshd logs to, find it with: >> >> cd /var/log >> grep -rl 'sshd\[' . >> >> >> > After i tried it on a redhat 3.0 AS test server. with a few variations >> to >> > the configuration but again it did not start the sshguard nor it >> blocked >> > the >> > ip. >> > >> > Did i missed anything on the configuration? >> > >> > Any help is appreciated. >> >> Please try to run sshguard as said above, try some logins as >> non-existent >> user for example, and report what happens. > > > on redhat 3.0 machine i ran it just like you suggested and it ran and > worked. > tail -n0 -F /var/log/secure | /usr/sbin/sysguard > But is not being launched from syslog. > On opensuse > > sshd messages are sent to /var/log/messages and /var/log/warn > > i removed the .9 version of sshguard and i installed the .91 version > an di remove the links from /usr/sbin/iptables to /sbin/ > and i see > > sshguard[14201]: Running command "/sbin/iptables" > sshguard[14211]: Unable to exec(): No such file or directory > > Perhaps the iptable path can be specified on the configure script. > > anyways on suse i ran sshguard with the following command and it did not > block the users > tail -n0 -F /var/log/messges | /usr/sbin/sshguard > > and this is what i get > sshguard[14273]: Blocking 10.2.111.180: 4 failures over 1 seconds. > Mar 14 15:33:00 Zhadum sshguard[14273]: Running command "/sbin/iptables" > Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180 > Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180 > Mar 14 15:33:00 Zhadum sshguard[14298]: Blocking 10.2.111.180: 4 failures > over 1 seconds. > Mar 14 15:33:00 Zhadum sshguard[14298]: Running command "/sbin/iptables" > > but it does not block the ip i can still ssh from the other machine to > that one. logs say iptables can be started, but you say the address is not blocked: 1) did you make the proper settings to the firewall? If you did, please try the following: 1) iptables -A sshguard -s %%block-ip%% -j DROP (this is the command sshguard runs for blocking %%block-ip%%) 2) try telnetting the sshguard host from %%block-ip%% if you *can* telnet from the blocked IP, then everything works fine but the firewall chains are such that the blocking rules have no effect. You need to insert the sshguard chain into a higher priority in the INPUT table in this case. 2) if everything above behave as expected, then sshguard cannot run iptables successfully. For example, it's blocked for insufficient credentials. In this case, in syslog you should see a line like "Blocking command failed. Exited: 3." in this case, please report the exit value so we can identify what's wrong. > >> >> > >> > Giovanni >> > Sshguard-users mailing list >> > Ssh...@li... >> > https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > >> >> > |
2 messages has been excluded from this view by a project administrator.
