From: Forrest A. <fo...@fo...> - 2007-10-31 16:03:35
It seems reasonable that sshguard should be able to detect failed password attempts, too. I realize there is "faillog" on Linux systems for that, but not on FreeBSD. My system log was jammed with over 1000 of these entries from last night:

Oct 31 10:03:22 gw sshd[55652]: Failed password for root from 213.186.38.84 port 53650 ssh2
Oct 31 10:03:23 gw sshd[55654]: Failed password for root from 213.186.38.84 port 44049 ssh2
Oct 31 10:03:24 gw sshd[55656]: Failed password for root from 213.186.38.84 port 49587 ssh2
Oct 31 10:03:25 gw sshd[55658]: Failed password for root from 213.186.38.84 port 41421 ssh2
Oct 31 10:03:25 gw sshd[55660]: Failed password for root from 213.186.38.84 port 36564 ssh2
Oct 31 10:03:26 gw sshd[55662]: Failed password for root from 213.186.38.84 port 35111 ssh2
Oct 31 10:03:27 gw sshd[55664]: Failed password for root from 213.186.38.84 port 49382 ssh2
From: Mij <mi...@bi...> - 2007-10-31 21:19:34
forrest,

You know that syslog has the capability to dispatch logs depending on rules, not only deterministically to one same file.
Please follow the instructions on http://sshguard.sourceforge.net/doc/setup/setup.html and particularly, for the syslog setup, follow the "Older flavour setup".

On 31/ott/07, at 17:05, Forrest Aldrich wrote:
> It seems reasonable that sshguard should be able to detect failed password attempts, too. I realize there is "faillog" on Linux systems for that, but not on FreeBSD. My system log was jammed with over 1000 of these entries from last night:
>
> Oct 31 10:03:22 gw sshd[55652]: Failed password for root from 213.186.38.84 port 53650 ssh2
> Oct 31 10:03:23 gw sshd[55654]: Failed password for root from 213.186.38.84 port 44049 ssh2
> Oct 31 10:03:24 gw sshd[55656]: Failed password for root from 213.186.38.84 port 49587 ssh2
> Oct 31 10:03:25 gw sshd[55658]: Failed password for root from 213.186.38.84 port 41421 ssh2
> Oct 31 10:03:25 gw sshd[55660]: Failed password for root from 213.186.38.84 port 36564 ssh2
> Oct 31 10:03:26 gw sshd[55662]: Failed password for root from 213.186.38.84 port 35111 ssh2
> Oct 31 10:03:27 gw sshd[55664]: Failed password for root from 213.186.38.84 port 49382 ssh2
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Forrest A. <fo...@fo...> - 2007-11-01 14:11:38
I'm not sure how this applies to my question, as I have syslog working just fine on my system (FreeBSD). The FreeBSD systems use a modern syslog.

This log below is from /var/log/auth.log, which is where all of SSH's entries go. I just felt that sshguard should pick up on this (or be tunable to do so, since Linux has a "faillog" subsystem which can lock out at the login: prompt).

_F

Mij wrote:
> forrest,
>
> You know that syslog has the capability to dispatch logs depending on rules, not only deterministically to one same file.
> Please follow the instructions on http://sshguard.sourceforge.net/doc/setup/setup.html and particularly, for the syslog setup, follow the "Older flavour setup".
From: Mij <mi...@bi...> - 2007-11-01 15:20:36
okay, I do not get what your point is :)
If you complain that sshguard does not block attempts to log in with a failed password, your setup has something wrong, because sshguard does recognize those strings.

Are you sure sshguard gets those messages? You can trace what's wrong by running sshguard with the debug flag (-d), issuing those strings by keyboard and seeing how it reacts.
If it does block, then the system instance is not getting entries or fails to run blocking commands.

On 01/nov/07, at 15:11, Forrest Aldrich wrote:
> I'm not sure how this applies to my question, as I have syslog working just fine on my system (FreeBSD). The FreeBSD systems use a modern syslog.
>
> This log below is from /var/log/auth.log, which is where all of SSH's entries go. I just felt that sshguard should pick up on this (or be tunable to do so, since Linux has a "faillog" subsystem which can lock out at the login: prompt).
>
> _F
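As an added illustration of what "recognizing those strings" amounts to (example code written for this page, not sshguard's own parser): a small Python detector that matches the sshd "Failed password" format quoted in this thread and flags a source address once it reaches a threshold of failures inside a sliding time window. The threshold, the window and the two extra sample lines (192.0.2.10 is an RFC 5737 documentation address) are constructed; the optional "invalid user" wording is standard OpenSSH output that the thread itself does not show.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's "Failed password" message as it appears in the auth.log excerpt above.
# The optional "invalid user" prefix is OpenSSH's wording for unknown accounts.
FAILED_PW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def parse_failed_password(line):
    """Return (timestamp, user, source_ip) for a matching line, or None otherwise."""
    m = FAILED_PW.match(line.strip())
    if not m:
        return None
    # BSD syslog timestamps carry no year; only differences matter for windowing.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def offenders(lines, threshold=4, window=timedelta(seconds=60)):
    """Source IPs that reach `threshold` failed passwords within `window` (sliding)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in lines:
        parsed = parse_failed_password(line)
        if parsed is None:
            continue                # accepted logins, disconnects, etc. are not failures
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

# Constructed sample: the seven lines quoted in the thread, plus a single failure
# from another address and one successful login that must not be counted.
SAMPLE_LOG = """\
Oct 31 10:03:22 gw sshd[55652]: Failed password for root from 213.186.38.84 port 53650 ssh2
Oct 31 10:03:23 gw sshd[55654]: Failed password for root from 213.186.38.84 port 44049 ssh2
Oct 31 10:03:24 gw sshd[55656]: Failed password for root from 213.186.38.84 port 49587 ssh2
Oct 31 10:03:25 gw sshd[55658]: Failed password for root from 213.186.38.84 port 41421 ssh2
Oct 31 10:03:25 gw sshd[55660]: Failed password for root from 213.186.38.84 port 36564 ssh2
Oct 31 10:03:26 gw sshd[55662]: Failed password for root from 213.186.38.84 port 35111 ssh2
Oct 31 10:03:27 gw sshd[55664]: Failed password for root from 213.186.38.84 port 49382 ssh2
Oct 31 10:04:02 gw sshd[55670]: Failed password for forrest from 192.0.2.10 port 50123 ssh2
Oct 31 10:04:09 gw sshd[55672]: Accepted publickey for forrest from 192.0.2.10 port 50124 ssh2
""".splitlines()
```

Running `offenders(SAMPLE_LOG)` flags only 213.186.38.84; the lone failure from 192.0.2.10 stays below the threshold and the successful login is ignored.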
From: Forrest A. <fo...@fo...> - 2007-11-06 19:31:44
On FreeBSD, all SSH-related syslog entries go to /var/log/auth.log. The relevant portion of my /etc/syslog.conf:

auth.info;authpriv.info                         /var/log/auth.log

The log entries I sent you about failed password for root (etc.) originated from that one file, which sshguard is watching. They were not caught (for whatever reason). For other actions, it works fine and is populating the PF firewall table "sshguard".

Forrest

Mij wrote:
> okay, I do not get what your point is :)
> If you complain that sshguard does not block attempts to log in with a failed password, your setup has something wrong, because sshguard does recognize those strings.
>
> Are you sure sshguard gets those messages? You can trace what's wrong by running sshguard with the debug flag (-d), issuing those strings by keyboard and seeing how it reacts.
> If it does block, then the system instance is not getting entries or fails to run blocking commands.