From: Noiano <no...@x-...> - 2007-03-17 14:15:25
|
Mij wrote:
> It may be the case that the space after the pipe symbol is taken as
> program name. Please try
>
> auth.info;authpriv.info |/usr/local/sbin/sshguard
>
> and let me know if it does not work.

The error is not displayed any more. However sshguard is not listed in
the top command. I assume there are still problems.

Noiano
|
|
From: Mij <mi...@bi...> - 2007-03-17 12:02:55
|
It may be the case that the space after the pipe symbol is taken as
program name. Please try

auth.info;authpriv.info |/usr/local/sbin/sshguard

and let me know if it does not work.

On 2007-03-17 09:22:21 +0100 Noiano <no...@x-...> wrote:
> Mij wrote:
>> If sshguard appears in the proc table then you can expect it is
>> running properly.
>> No idea why syslog logs that message with a correct path (I expect
>> syslogd is running as root).
>>
>> Please try to use simply
>>
>> auth.*;authpriv.* | /usr/local/sbin/sshguard
>>
>> (w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard
>> running?
>>
> Same error and sshguard seems not to be running. I followed all
> instruction step by step. What can be wrong?
>
> Noiano
>
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Noiano <no...@x-...> - 2007-03-17 08:23:02
|
Mij wrote:
> If sshguard appears in the proc table then you can expect it is
> running properly.
> No idea why syslog logs that message with a correct path (I expect
> syslogd is running as root).
>
> Please try to use simply
>
> auth.*;authpriv.* | /usr/local/sbin/sshguard
>
> (w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard
> running?
>

Same error and sshguard seems not to be running. I followed all
instruction step by step. What can be wrong?

Noiano
|
|
From: Mij <mi...@bi...> - 2007-03-16 19:27:47
|
> Hi everybody
> I have a little problem with sshguard. I followed the instruction in
> the readme file but syslogd says: "exec: /usr/local/sbin/sshguard : No
> such file or directory". If i type that path on a command line and then I
> execute ps
>
> noiano 6731 0.0 0.0 9860 652 pts/1 Sl+ 11:52 0:00 /usr/local/sbin/sshguard
>
> sshguard seems running. Is this related to the fact that I have the
> sshd logs stored in /var/log/daemon.log?
>
> How can I realize if sshguard is running properly?

If sshguard appears in the proc table then you can expect it is
running properly.
No idea why syslog logs that message with a correct path (I expect
syslogd is running as root).

Please try to use simply

auth.*;authpriv.* | /usr/local/sbin/sshguard

(w/o exec) in syslog.conf, and restart syslogd. Do you have sshguard
running?

> Thanks for your help
|
|
From: Mij <mi...@bi...> - 2007-03-16 19:15:38
|
On 2007-03-16 16:28:03 +0100 Kuroro <inf...@gm...> wrote:
> On open suse 10.2 i ran configure --prefix=/usr
> --with-firewall=iptables
> made the changes in fwalls/command.h file from /sbin/ to
> /usr/sbin
> make && make install
> i added
> iptables -N sshguard
> iptables -A INPUT -p tcp --dport 22 -j sshguard
> then i ran
> tail -n0 -f /var/log/messages | /usr/sbin/sshguard &
>
> ssh from another machine to the opensuse 10.2 box and it blocked
> the
> ip.
>
> The only issue now on the redhat machine and the open suse computer is
> setting up syslog to fire up sshguard when it a login is attempted
> from ssh
>
> I tried the adding the settings in your readme file but it did not
> work on
> redhat nor opensuse
>
> OpenSuse uses syslog-ng while redhat uses syslog.conf
>
> On openSuse i added the settings as in the documentation
> filter sshlogs { facility(authpriv) and match(ssh); };
> destination sshguardproc { program("/usr/sbin/sshguard"); };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
By default ssh logs with facility LOG_AUTH, not authpriv, so I don't
know why I suggested this. A correct one is instead
filter sshlogs { facility(auth, authpriv) and match("ssh"); };
[...]
I will fix this suggestion in the README file in the next release
> and on red hat
> # The authpriv file has restricted access.
> authpriv.*
> /var/log/secure
>
> authpriv.* |exec
> /usr/sbin/sshguard
Same here (with the exception that the suggestion is correct for this
one :) ),
so use instead
auth.*;authpriv.* | exec /usr/sbin/sshguard
Please try these and feel free to write in if they still do not work.
bye
> Both did not work, however both work when i run them manually on
> redhat
> tail -n0 -f /var/log/secure | /usr/sbin/sshguard &
> and on opensuse
> tail -n0 -f /var/log/message | /usr/sbin/sshguard &
>
> Keep up the good work
>
> Giovanni
|
|
From: Mij <mi...@bi...> - 2007-03-15 00:43:37
|
> On 3/14/07, Mij <mi...@bi...> wrote:
>>
>> > Hi all.
>> >
>> > I installed sshguard on Open suse. by
>> >
>> >> chmod +s /usr/sbin/sshguard
>>
>> > please don't make sshguard setuid. Besides being useless, this is very
>> > lame and dangerous. A local user could simply run sshguard and feed it
>> > some crafted lines of text with arbitrary IP addresses and make the
>> > machine block them. This is a major mistake.
>> I agree, i followed the README file when that did not worked for me, I
>> followed what the article on
>
> http://applications.linux.com/article.pl?sid=07/02/27/1957242&tid=129&tid=47&tid=100&tid=35
>
>
> "Lastly, since sshguard needs to be able to tell iptables to add and
> drop dynamic rules, it needs permission to do so. Use the chmod command to
> make the program run as root:
>
> chmod +s /usr/local/sbin/sshguard"

I will put a note on the website discouraging to follow this

>
>> >> ln -s /usr/sbin/ip* /sbin/
>>
>> >no idea what this horrible thing should serve for :)
>
>
> When i tried version sshguard 0.9 with the scons.py
>
> python scons.py -Q FIREWALLTYPE=iptables
>
> I noticed this on my log file
>
> "sshguard[9731]:Started successfully [(a,p,s)=(3, 3, 1200)], now ready to scan.
> sshguard[9731]: Got exit signal, flushing blocked addresses and exiting...
> sshguard[9731]: Running command "/sbin/iptables"
> sshguard[9733]: Unable to exec(): No such file or directory
> sshguard[9736]: Started successfully [(a,p,s)=(3, 3, 1200)], now ready to scan.
> "
> after i created a link from /usr/sbin/ip*tables* to /sbin
> that exec() error did not show in my logs any more.

I assumed iptables being always in /sbin under linux, as both the
Linux hosts I tested on (Gentoo + debian) got iptables in there. I will
make this ./configure -able in version 1.0. In the meantime, you can
easily adjust the expected path in sshguard:

1) download and extract sshguard v. 0.91
2) run "./configure --with-firewall=iptables"
3) edit fwalls/command.h and replace all "/sbin/" tokens with "/usr/sbin/"
4) run "make && make install"

>> sshguard detects attackers by analyzing log entries it's given in its
>> standard input. If it's not started by syslog-ng, the problem is in
>> syslog-ng configuration. But for spotting this problem, just try to run
>> sshguard manually like this (as root!):
>>
>> tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard
>>
>> replace auth.log with the file in which sshd logs to, find it with:
>>
>> cd /var/log
>> grep -rl 'sshd\[' .
>>
>>
>> > After i tried it on a redhat 3.0 AS test server. with a few variations to
>> > the configuration but again it did not start the sshguard nor it blocked
>> > the ip.
>> >
>> > Did i missed anything on the configuration?
>> >
>> > Any help is appreciated.
>>
>> Please try to run sshguard as said above, try some logins as non-existent
>> user for example, and report what happens.
>
>
> on redhat 3.0 machine i ran it just like you suggested and it ran and
> worked.
> tail -n0 -F /var/log/secure | /usr/sbin/sysguard
> But is not being launched from syslog.
> On opensuse
>
> sshd messages are sent to /var/log/messages and /var/log/warn
>
> i removed the .9 version of sshguard and i installed the .91 version
> and i remove the links from /usr/sbin/iptables to /sbin/
> and i see
>
> sshguard[14201]: Running command "/sbin/iptables"
> sshguard[14211]: Unable to exec(): No such file or directory
>
> Perhaps the iptable path can be specified on the configure script.
>
> anyways on suse i ran sshguard with the following command and it did not
> block the users
> tail -n0 -F /var/log/messges | /usr/sbin/sshguard
>
> and this is what i get
> sshguard[14273]: Blocking 10.2.111.180: 4 failures over 1 seconds.
> Mar 14 15:33:00 Zhadum sshguard[14273]: Running command "/sbin/iptables"
> Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180
> Mar 14 15:33:00 Zhadum sshguard[14298]: Matched IP address 10.2.111.180
> Mar 14 15:33:00 Zhadum sshguard[14298]: Blocking 10.2.111.180: 4 failures over 1 seconds.
> Mar 14 15:33:00 Zhadum sshguard[14298]: Running command "/sbin/iptables"
>
> but it does not block the ip i can still ssh from the other machine to
> that one.

logs say iptables can be started, but you say the address is not blocked:

1) did you make the proper settings to the firewall? If you did, please
   try the following:
   1) iptables -A sshguard -s %%block-ip%% -j DROP
      (this is the command sshguard runs for blocking %%block-ip%%)
   2) try telnetting the sshguard host from %%block-ip%%
   if you *can* telnet from the blocked IP, then everything works fine but
   the firewall chains are such that the blocking rules have no effect. You
   need to insert the sshguard chain into a higher priority in the INPUT
   table in this case.

2) if everything above behave as expected, then sshguard cannot run
   iptables successfully. For example, it's blocked for insufficient
   credentials. In this case, in syslog you should see a line like
   "Blocking command failed. Exited: 3."
   in this case, please report the exit value so we can identify what's
   wrong.

>
>>
>> >
>> > Giovanni
|
|
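The case Mij describes above, where the blocking rule is added but has no effect because the sshguard chain is consulted too late, can be checked mechanically. This is an added example, not part of the thread or of sshguard; it assumes rule listings in the format printed by `iptables -S INPUT`, the function names are hypothetical, and the two rule sets are constructed samples.

```shell
# Added example (not sshguard code). Reads `iptables -S INPUT` style output on
# stdin and prints "effective", "shadowed:<rule number>" or "missing".
check_sshguard_jump() {
    awk '
    $1 != "-A" || $2 != "INPUT" { next }   # skip policy lines and other chains
    {
        n++
        target = ""; proto = ""; dport = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            # Heuristic: a source, interface or state match narrows a rule, so
            # it is not counted as accepting every new SSH connection.
            if ($i == "-s" || $i == "-i") narrowed = 1
            if ($i == "-m" && $(i + 1) != "tcp") narrowed = 1
        }
        if (target == "sshguard" && !jump) jump = n
        ssh = (proto == "" || proto == "tcp") && (dport == "" || dport == "22")
        if (target == "ACCEPT" && ssh && !narrowed && !accept) accept = n
    }
    END {
        if (!jump) print "missing"
        else if (accept && accept < jump) print "shadowed:" accept
        else print "effective"
    }'
}
# Constructed sample: the jump was appended after a blanket SSH ACCEPT.
sample_shadowed() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
EOF
}
# Constructed sample: the jump sits above the ACCEPT, so DROP rules apply.
sample_effective() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}
echo "shadowed sample:  $(sample_shadowed | check_sshguard_jump)"
echo "effective sample: $(sample_effective | check_sshguard_jump)"
```

On a live host, pipe `iptables -S INPUT` (run as root) into `check_sshguard_jump`. A `shadowed` result means the jump has to move above the reported ACCEPT rule, for example by inserting it with `iptables -I INPUT 1 -p tcp --dport 22 -j sshguard` instead of appending it.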
From: Mij <mi...@bi...> - 2007-03-14 09:31:45
|
> Hi all.
>
> I installed sshguard on Open suse. by
>
> ./configure --prefix=/usr --with-firewall=iptables
>
> make
>
> su - root
>
> make install
>
> i add
> iptables -N sshguard
> iptables -A INPUT -p tcp --dport 22 -j sshguard
this is correct
> chmod +s /usr/sbin/sshguard
please don't make sshguard setuid. Besides being useless, this is very
lame and dangerous. A local user could simply run sshguard and feed it
some crafted lines of text with arbitrary IP addresses and make the
machine block them. This is a major mistake.
> then i edit
>
> /etc/syslog-ng/syslog-ng.conf
>
>
> concatenate
>
> filter sshlogs { facility(authpriv) and match(ssh); };
> destination sshguardproc { program("/usr/sbin/sshguard"); };
> log { source(src); filter(sshlogs); destination(sshguardproc); };
>
> killall -HUP syslog-ng
this is correct
> ln -s /usr/sbin/ip* /sbin/
no idea what this horrible thing should serve for :)
> then i ssh with the wrong password 3 times and it does sshguard does not
> start automatically nor it blocks ip. I started sshguard manually with -a 2
> -p 3& and it starts but it does not block ips.
sshguard detects attackers by analyzing log entries it's given in its
standard input. If it's not started by syslog-ng, the problem is in
syslog-ng configuration. But for spotting this problem, just try to run
sshguard manually like this (as root!):
tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard
replace auth.log with the file in which sshd logs to, find it with:
cd /var/log
grep -rl 'sshd\[' .
> After i tried it on a redhat 3.0 AS test server. with a few variations to
> the configuration but again it did not start the sshguard nor it blocked the
> ip.
>
> Did i missed anything on the configuration?
>
> Any help is appreciated.
Please try to run sshguard as said above, try some logins as non-existent
user for example, and report what happens.
>
>
> Giovanni
|
|
From: Kuroro <inf...@gm...> - 2007-03-13 17:27:42
|
Hi all.
I installed sshguard on Open suse. by
./configure --prefix=/usr --with-firewall=iptables
make
su - root
make install
i add
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard
chmod +s /usr/sbin/sshguard
then i edit
/etc/syslog-ng/syslog-ng.conf
concatenate
filter sshlogs { facility(authpriv) and match(ssh); };
destination sshguardproc { program("/usr/sbin/sshguard"); };
log { source(src); filter(sshlogs); destination(sshguardproc); };
killall -HUP syslog-ng
ln -s /usr/sbin/ip* /sbin/
then i ssh with the wrong password 3 times and it does sshguard does not
start automatically nor it blocks ip. I started sshguard manually with -a 2
-p 3& and it starts but it does not block ips.
After i tried it on a redhat 3.0 AS test server. with a few variations to
the configuration but again it did not start the sshguard nor it blocked the
ip.
Did i missed anything on the configuration?
Any help is appreciated.
Giovanni
|
|
From: Noiano <no...@x-...> - 2007-03-11 10:55:58
|
Hi everybody
I have a little problem with sshguard. I followed the instruction in the
readme file but syslogd says: "exec: /usr/local/sbin/sshguard : No such
file or directory". If i type that path on a command line and then I
execute ps

noiano 6731 0.0 0.0 9860 652 pts/1 Sl+ 11:52 0:00 /usr/local/sbin/sshguard

sshguard seems running. Is this related to the fact that I have the sshd
logs stored in /var/log/daemon.log?

How can I realize if sshguard is running properly?

Thanks for your help
|