From: Adam C. <ada...@be...> - 2009-04-16 17:09:58
greetings,

I've recently installed sshguard 1.x on a Redhat box and it seems to be working well. However, I noticed the following in my system log:

    Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402 seconds.
    Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed. Exited: -1

Seems like the dynamic removal of blocked hosts from iptables is failing. iptables -L shows multiple entries for the same host in the sshguard chain. Is this a valid conclusion? Any ideas on why or how to fix?

thanks

--
Adam Cohen
IT Manager
Energy Biosciences Institute
109 Calvin Lab
642-7709
From: Mij <mi...@bi...> - 2009-04-17 08:32:34
On Apr 16, 2009, at 19:09 , Adam Cohen wrote:

> greetings,
> I've recently installed sshguard 1.x on a Redhat box and it seems to
> be working well. However, I noticed the following in my system log:
>
> Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402 seconds.
> Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed. Exited: -1
>
> Seems like the dynamic removal of blocked hosts from iptables is
> failing. iptables -L shows multiple entries for the same host in the
> sshguard chain. Is this a valid conclusion?

yes, reasonable if releasing fails.

> Any ideas on why or how to fix?

can you run sshguard manually, as root:

    /usr/local/bin/sshguard -d -a2 -p10

and then paste *2 times* as its input one line like:

    Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4

it should block the address. Wait some seconds, it should release it. If you still see the "Release command failed. Exited: -1", there should now be more debug info. Please send that in.

> thanks
>
> --
> Adam Cohen
> IT Manager
> Energy Biosciences Institute
> 109 Calvin Lab
> 642-7709
>
> ------------------------------------------------------------------------------
> Stay on top of everything new and different, both inside and
> around Java (TM) technology - register by April 22, and save
> $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> 300 plus technical and hands-on sessions. Register today.
> Use priority code J9JMT32. http://p.sf.net/sfu/p
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Adam C. <ada...@be...> - 2009-04-17 22:57:10
Running interactively seems to work fine.

In my log, the message for the release that failed shows an incomplete IP (see "Releasing 4...." below).
It looks like the IP address might not have been parsed out completely?

Also, not sure how to report this, but my version of Redhat generates a message that sshguard isn't catching. They look like this:

    Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2

Can additional scanning rules be added by the user (me?) I will look at the source in svn to see how this is structured.

thanks
Adam

Mij wrote:
> On Apr 16, 2009, at 19:09 , Adam Cohen wrote:
>
>> greetings,
>> I've recently installed sshguard 1.x on a Redhat box and it seems to
>> be working well. However, I noticed the following in my system log:
>>
>> Apr 14 14:43:22 prod-02 sshguard[23831]: Releasing 4 after 1239745402 seconds.
>> Apr 14 14:43:22 prod-02 sshguard[23831]: Release command failed. Exited: -1
>>
>> Seems like the dynamic removal of blocked hosts from iptables is
>> failing. iptables -L shows multiple entries for the same host in the
>> sshguard chain. Is this a valid conclusion?
>
> yes, reasonable if releasing fails.
>
>> Any ideas on why or how to fix?
>
> can you run sshguard manually, as root:
>
>     /usr/local/bin/sshguard -d -a2 -p10
>
> and then paste *2 times* as its input one line like:
>
>     Apr 12 10:11:12 foo sshd[1234]: Invalid user root from 1.2.3.4
>
> it should block the address. Wait some seconds, it should release it.
> If you still see the "Release command failed. Exited: -1", there
> should now be more debug info. Please send that in.
>
>> thanks
>>
>> --
>> Adam Cohen
>> IT Manager
>> Energy Biosciences Institute
>> 109 Calvin Lab
>> 642-7709

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
From: Mij <mi...@bi...> - 2009-04-18 12:41:59
On Apr 18, 2009, at 0:56 , Adam Cohen wrote:

> Running interactively seems to work fine.
>
> In my log, the message for the release that failed shows an
> incomplete IP (see "Releasing 4...." below).
> It looks like the IP address might not have been parsed out
> completely?
>
> Also, not sure how to report this, but my version of Redhat
> generates a message that sshguard isn't catching. They look like
> this:
>
> Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2

This is supported; which version did you install? Have a peek at the SVN version
http://sshguard.sourceforge.net/svn.html

> Can additional scanning rules be added by the user (me?) I will
> look at the source in svn to see how this is structured.

You can sure do that if you're vaguely familiar with Yacc parsers.
In general, users can submit here
http://sshguard.sourceforge.net/newattackpatt.php
I periodically check there and integrate.
From: Adam C. <ada...@be...> - 2009-04-20 03:21:58
1.4rc3

I ran a simple test from a known ssh client and purposely entered a bad password. Sshguard caught it and blocked the host. So I guess I need to look more closely at why this other attacker isn't getting blocked.

It looks like he's trying to guess a user name and then makes one password attempt before trying another account name. I might need to lower the threshold to 1 but that could be harsh on real users who mistype a legitimate password.

Mij wrote:
> On Apr 18, 2009, at 0:56 , Adam Cohen wrote:
>
>> Running interactively seems to work fine.
>>
>> In my log, the message for the release that failed shows an
>> incomplete IP (see "Releasing 4...." below).
>> It looks like the IP address might not have been parsed out
>> completely?
>>
>> Also, not sure how to report this, but my version of Redhat
>> generates a message that sshguard isn't catching. They look like
>> this:
>>
>> Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2
>
> This is supported; which version did you install? Have a peek at the SVN version
> http://sshguard.sourceforge.net/svn.html
>
>> Can additional scanning rules be added by the user (me?) I will
>> look at the source in svn to see how this is structured.
>
> You can sure do that if you're vaguely familiar with Yacc parsers.
> In general, users can submit here
> http://sshguard.sourceforge.net/newattackpatt.php
> I periodically check there and integrate.
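An added example, written for this page and not taken from sshguard (whose real parser is the Yacc grammar Mij refers to): it recognises the two sshd line formats quoted in the thread (Mij's "Invalid user ... from ..." test line and Adam's "Failed password for invalid user ... from ... port ... ssh2" line), scores failed attempts per source address rather than per account name, and shows why the attacker Adam describes, who tries each user name only once, still crosses a per-address threshold without lowering it to 1. The threshold of 4, the 10-minute sliding window, the de-duplication by sshd process id, and all sample log lines are assumptions constructed for the example, not values or data from the page.

```python
"""
Added example (not sshguard's code): parse sshd failed-login lines, count
them per *source IP* and decide when a host would be blocked.

Assumptions (not from the page): threshold of 4 attempts, 600-second
sliding window, one attempt per (ip, user, sshd pid).  Sample log lines
at the bottom are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Message shapes handled.  The first two are the ones quoted in the thread;
# the third is what sshd logs when a real account mistypes its password.
# "Failed password for invalid user" is tried before the generic form so the
# word "invalid" is never taken as a user name.
PATTERNS = [
    re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"^Failed password for invalid user (?P<user>\S+) from "
               r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"),
    re.compile(r"^Failed password for (?P<user>\S+) from "
               r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"),
]
# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                    r"(?P<msg>.*)$")


def parse_line(line, year=2009):
    """Return (timestamp, ip, user, pid) for a failed-auth line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for pat in PATTERNS:
        a = pat.search(m.group("msg"))
        if a:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, a.group("ip"), a.group("user"), m.group("pid")
    return None


def score_hosts(lines, threshold=4, window_seconds=600):
    """Count failed attempts per source IP inside a sliding window.

    sshd logs both "Invalid user X" and "Failed password for invalid user X"
    for the same attempt, so attempts are de-duplicated by (ip, user, pid).
    Returns (users_tried_per_ip, set_of_ips_that_reached_threshold).
    """
    seen = set()
    attempts = defaultdict(list)   # ip -> timestamps inside the window
    users = defaultdict(list)      # ip -> user names tried, in order
    blocked = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, pid = parsed
        key = (ip, user, pid)
        if key in seen:
            continue               # second log line for the same attempt
        seen.add(key)
        users[ip].append(user)
        # keep only attempts still inside the window, then add this one
        attempts[ip] = [t for t in attempts[ip]
                        if (ts - t).total_seconds() <= window_seconds]
        attempts[ip].append(ts)
        if len(attempts[ip]) >= threshold:
            blocked.add(ip)        # this is where sshguard would fire its block command
    return dict(users), blocked


# Constructed sample: one attacker cycling user names with a single guess
# each, and one legitimate user who mistyped once and then logged in.
SAMPLE_LOG = [
    "Apr 17 14:42:40 prod-02 sshd[12923]: Invalid user staff from 209.9.188.68",
    "Apr 17 14:42:41 prod-02 sshd[12923]: Failed password for invalid user staff from 209.9.188.68 port 54513 ssh2",
    "Apr 17 14:42:44 prod-02 sshd[12925]: Invalid user admin from 209.9.188.68",
    "Apr 17 14:42:45 prod-02 sshd[12925]: Failed password for invalid user admin from 209.9.188.68 port 54520 ssh2",
    "Apr 17 14:42:49 prod-02 sshd[12928]: Invalid user oracle from 209.9.188.68",
    "Apr 17 14:42:50 prod-02 sshd[12928]: Failed password for invalid user oracle from 209.9.188.68 port 54531 ssh2",
    "Apr 17 14:42:53 prod-02 sshd[12931]: Invalid user test from 209.9.188.68",
    "Apr 17 14:42:54 prod-02 sshd[12931]: Failed password for invalid user test from 209.9.188.68 port 54540 ssh2",
    "Apr 17 14:50:02 prod-02 sshd[13002]: Failed password for adam from 10.0.0.7 port 50112 ssh2",
    "Apr 17 14:50:09 prod-02 sshd[13002]: Accepted password for adam from 10.0.0.7 port 50112 ssh2",
]

if __name__ == "__main__":
    users, blocked = score_hosts(SAMPLE_LOG)
    for ip, names in users.items():
        state = "BLOCK" if ip in blocked else "ok"
        print(f"{ip:16} {len(names)} attempt(s) {names} -> {state}")
```

Run against the constructed sample, the username-cycling host accumulates four distinct attempts and is blocked at the default threshold, while the user who mistyped once is left alone; shrinking the window (for example to 5 seconds) lets the same attacker stay under the threshold, which is the trade-off behind Adam's reluctance to drop the threshold to 1.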