From: Akis M. <ph...@at...> - 2007-06-17 21:18:37

Hello,

Trying to get sshguard to work, I've come to a strange problem. Testing it from a LAN environment, sshguard successfully blocks the LAN attacker. In the case the attacker is from a non-LAN IP, it detects the attack and applies the iptables rule:

/var/log/auth.log:

Jun 17 23:46:48 sextus sshd[4590]: Invalid user avl from 194.24.158.16
Jun 17 23:46:48 sextus sshd[4590]: Failed none for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: check pass; user unknown
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.24.158.16
Jun 17 23:47:51 sextus sshd[4590]: Failed password for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:47:52 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:52 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 63 seconds.
Jun 17 23:47:52 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:07 sextus sshd[4609]: Invalid user avl from 194.24.158.16
Jun 17 23:49:07 sextus sshd[4609]: Failed none for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:49:46 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:47 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:47 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 39 seconds.
Jun 17 23:49:47 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:57 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:58 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:59 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:10 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:50:13 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:50:14 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Invalid user avl from 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Failed none for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:30 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 31 seconds.
Jun 17 23:50:30 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:50:36 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:37 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:43 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:45 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:46 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:46 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 16 seconds.
Jun 17 23:50:46 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:50 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:52 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Invalid user avl from 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Failed none for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 9 seconds.
Jun 17 23:51:02 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:51:08 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:09 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:10 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:11 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:14 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:16 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:17 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:17 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 8 seconds.
Jun 17 23:51:17 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:40 sextus sshd[4650]: Invalid user \316\261\316\262\316\273 from 194.24.158.16
Jun 17 23:51:40 sextus sshd[4650]: Failed none for invalid user \316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:52 sextus sshd(pam_unix)[4650]: bad username [αβλ]
Jun 17 23:51:52 sextus sshd[4650]: Failed password for invalid user \316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 12 seconds.

iptables -L:

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere

The strange thing is that the DROP rule contains the hostname of the "attacker", and NOT the IP address.

Running an nslookup on lime-gw16.one.at gives:

Server:         193.92.150.3
Address:        193.92.150.3#53

Non-authoritative answer:
Name:   lime-gw16.one.at
Address: 194.24.158.16

which successfully resolves to the "attacker's" IP. But it does not block the attacker.. What is going wrong? I guess it has something to do with the hostname and not the IP in the DROP rule.

P.S.
I should point out that the detected "attacker's" IP is a friend of mine, trying to test the behavior of sshguard, not an actual attacker.
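Added example, not part of the report above and not sshguard's own code: a small Python replay of the counting behind the "Blocking ...: 3 failures over N seconds" lines. It feeds the sshd lines from the log above (plus one constructed line from 10.0.0.5, to show that counting is per source address) through the three sshd message shapes that the log shows sshguard matching, and reproduces the 63, 39 and 31 second spans of the first three blocks. The threshold of 3 and the 1200-second window are assumed values, not read from sshguard, and the spans are computed from the sshd timestamps, so they can differ by a second from sshguard's own figures, which are stamped at its processing time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: sshd lines copied from the report above, with one
# extra line from 10.0.0.5 (constructed) to exercise per-source counting.
# The sshguard lines are left out, since they are what this code recomputes.
SAMPLE_AUTH_LOG = """\
Jun 17 23:46:48 sextus sshd[4590]: Invalid user avl from 194.24.158.16
Jun 17 23:46:48 sextus sshd[4590]: Failed none for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: check pass; user unknown
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.24.158.16
Jun 17 23:47:51 sextus sshd[4590]: Failed password for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:48:00 sextus sshd[4600]: Failed password for root from 10.0.0.5 port 40000 ssh2
Jun 17 23:49:07 sextus sshd[4609]: Invalid user avl from 194.24.158.16
Jun 17 23:49:07 sextus sshd[4609]: Failed none for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:46 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:58 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:50:13 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:50:29 sextus sshd[4631]: Invalid user avl from 194.24.158.16
"""

# The sshd lines that the report shows sshguard logging as "Matched IP
# address": "Invalid user X from IP", "Failed none for invalid user X from
# IP" and "Failed password for [invalid user] X from IP". The pam_unix lines
# produced no match in the report, so they are deliberately not matched.
SSHD_FAILURE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed \S+ for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return (timestamp, source ip) for a counted sshd line, else None."""
    m = SSHD_FAILURE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between stamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def find_blocks(lines, threshold=3, window_seconds=1200):
    """Replay sshguard-style counting over log lines.

    Every matched line is one failure for its source. When a source reaches
    `threshold` failures inside `window_seconds`, a block is recorded as
    (ip, timestamp of the last failure, seconds from first to last failure)
    and that source's counter is cleared, which is what the repeated
    "Blocking ...: 3 failures over N seconds" lines in the report show.
    threshold and window_seconds are assumed defaults, not sshguard's.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # forget failures older than the window
        q.append(ts)
        if len(q) >= threshold:
            span = int((ts - q[0]).total_seconds())
            blocks.append((ip, ts.strftime("%b %d %H:%M:%S"), span))
            q.clear()             # start counting afresh after a block
    return blocks


if __name__ == "__main__":
    for ip, when, span in find_blocks(SAMPLE_AUTH_LOG.splitlines()):
        print(f"Blocking {ip}: 3 failures over {span} seconds (last failure {when})")
```

Running it prints three blocks for 194.24.158.16 with spans of 63, 39 and 31 seconds, matching the first three "Blocking" lines in the log, while the single failure from 10.0.0.5 stays below the threshold and the pam_unix lines contribute nothing.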
From: Mij <mi...@bi...> - 2007-06-17 21:58:50

hello akis

> Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
> Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 12 seconds.

good to see helpful debugging messages in your report, bravo. This pair of lines tells you that sshguard correctly resolved the hostname to address 194.24.158.16, and then blocked this IP.

> iptables -L:
>
> Chain sshguard (0 references)
> target     prot opt source               destination
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
> DROP       0    --  lime-gw16.one.at     anywhere
>
> The strange thing is that the DROP rule contains the hostname of the "attacker", and NOT the IP address.

this is iptables reversing addresses for better readability: with "iptables -Ln" you should get 194.24.158.16.

sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible?

"iptables -Ln" should give you

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere             tcp dpt:ssh
[...]

if this is missing, follow the commands in http://sshguard.sourceforge.net/doc/setup/blockingiptables.html

bye

> Running an nslookup on lime-gw16.one.at gives:
>
> Server:         193.92.150.3
> Address:        193.92.150.3#53
>
> Non-authoritative answer:
> Name:   lime-gw16.one.at
> Address: 194.24.158.16
>
> which successfully resolves to the "attacker's" IP. But it does not block the attacker.. What is going wrong? I guess it has something to do with the hostname and not the IP in the DROP rule.
>
> P.S.
> I should point out that the detected "attacker's" IP is a friend of mine, trying to test the behavior of sshguard, not an actual attacker.
From: Akis M. <ph...@at...> - 2007-06-18 17:10:30

Mij wrote:
> hello akis
>
>> Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
>> Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 12 seconds.
>
> good to see helpful debugging messages in your report, bravo. This pair of lines tells you that sshguard correctly resolved the hostname to address 194.24.158.16, and then blocked this IP.
>
>> iptables -L:
>>
>> Chain sshguard (0 references)
>> target     prot opt source               destination
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>> DROP       0    --  lime-gw16.one.at     anywhere
>>
>> The strange thing is that the DROP rule contains the hostname of the "attacker", and NOT the IP address.
>
> this is iptables reversing addresses for better readability: with "iptables -Ln" you should get 194.24.158.16.
>
> sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible?
>
> "iptables -Ln" should give you
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> sshguard   tcp  --  anywhere             anywhere             tcp dpt:ssh
> [...]
>
> if this is missing, follow the commands in http://sshguard.sourceforge.net/doc/setup/blockingiptables.html
>
> bye
>
>> Running an nslookup on lime-gw16.one.at gives:
>>
>> Server:         193.92.150.3
>> Address:        193.92.150.3#53
>>
>> Non-authoritative answer:
>> Name:   lime-gw16.one.at
>> Address: 194.24.158.16
>>
>> which successfully resolves to the "attacker's" IP. But it does not block the attacker.. What is going wrong? I guess it has something to do with the hostname and not the IP in the DROP rule.
>>
>> P.S.
>> I should point out that the detected "attacker's" IP is a friend of mine, trying to test the behavior of sshguard, not an actual attacker.

oops, I forgot to input this command:

iptables -A INPUT -p tcp --dport 22 -j sshguard

Works like a charm now! You were correct. Thank you Mij :)
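Added example, written for this page and not taken from the thread or from the sshguard project: a Python check for the condition Mij diagnosed and Akis fixed, a sshguard chain full of DROP rules that nothing in INPUT jumps to, so the rules never see a packet. It parses `iptables -L -n` text using the column layout shown in the thread (target, prot, opt, source, destination, extras; assumed to hold for the reader's iptables). BEFORE and AFTER are constructed listings of the same firewall before and after `iptables -A INPUT -p tcp --dport 22 -j sshguard`; PASTED is the chain as Akis pasted it from plain `iptables -L`, which the check also flags as a listing taken without `-n` because the source column holds a hostname.

```python
import re

# Constructed listing in `iptables -L -n` form reproducing the reported
# state: DROP rules present, "0 references", nothing in INPUT jumping to it.
BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0
DROP       0    --  194.24.158.16        0.0.0.0/0
"""

# Constructed listing after `iptables -A INPUT -p tcp --dport 22 -j sshguard`.
AFTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain sshguard (1 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0
"""

# The chain as pasted in the thread (plain -L, so the source column shows
# the reverse-resolved hostname); shortened to three of the seven rules.
PASTED = """\
Chain sshguard (0 references)
target prot opt source destination
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
DROP 0 -- lime-gw16.one.at anywhere
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy \S+|(\d+) references)\)")
IP_OR_CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def parse_chains(listing):
    """Turn an iptables -L listing into {chain: {"references": n, "rules": [...]}}.

    Built-in chains (INPUT, OUTPUT, ...) print a policy instead of a
    reference count and get references=None.
    """
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            refs = int(m.group(2)) if m.group(2) is not None else None
            chains[current] = {"references": refs, "rules": []}
            continue
        fields = line.split()
        if current is None or len(fields) < 5 or fields[0] == "target":
            continue  # blank line or the column header row
        chains[current]["rules"].append(
            {"target": fields[0], "prot": fields[1], "source": fields[3],
             "destination": fields[4], "extra": " ".join(fields[5:])})
    return chains


def audit_sshguard(listing, chain="sshguard"):
    """Report whether the blocking chain is actually reachable from INPUT.

    Returns None if the chain does not exist, otherwise a dict with:
      references - the reference count iptables printed for the chain
      input_jump - True if some INPUT rule has the chain as its target
      effective  - True only if both of the above say packets reach the chain
      blocked    - distinct sources with a DROP rule in the chain
      duplicates - DROP rules beyond one per source (sshguard appends one per block)
      numeric    - False if a source is a hostname, i.e. listing taken without -n
    """
    chains = parse_chains(listing)
    if chain not in chains:
        return None
    drops = [r["source"] for r in chains[chain]["rules"] if r["target"] == "DROP"]
    input_rules = chains.get("INPUT", {"rules": []})["rules"]
    input_jump = any(r["target"] == chain for r in input_rules)
    refs = chains[chain]["references"]
    return {
        "references": refs,
        "input_jump": input_jump,
        "effective": input_jump and bool(refs),
        "blocked": sorted(set(drops)),
        "duplicates": len(drops) - len(set(drops)),
        "numeric": all(IP_OR_CIDR.match(s) for s in drops),
    }


if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER), ("pasted", PASTED)):
        print(name, audit_sshguard(listing))
```

On a live host the listing would come from `iptables -L -n` (run as root) instead of the embedded strings; `effective` is the field to alert on, since a DROP rule in an unreferenced chain is exactly the silent failure the thread describes.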