From: Alan S. <st...@le...> - 2015-01-27 12:25:45
Dear all,

I'm using the macports version (1.5.0) of sshguard under OSX 10.9.5 and it appears from the logs to successfully be picking up a number of attacks but not all. I have run the code in debug mode with the following outcomes.

Using an example of an attack that does not trigger sshguard directly from the system.log file (I've replaced some text with x and the ip of the 'via' machine):

Jan 27 06:17:07 xxx.xxx.xxx.uk sshd[14815]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

there's a whole bunch of output and finally...

Stack now 0
Entering state 23
Reading a token: --accepting rule at line 223 (" ")
--accepting rule at line 222 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0

If I use

error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1

I get a similar outcome to above (i.e. the final text is the same as above), but if I try just the following text

error: PAM: authentication error for root from 115.239.228.7

I get (again after a bit of other output)

Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
Purging stale attackers.

If I then repeat the last version (i.e. error: PAM: authentication error for root from 115.239.228.7) a further three times I get

First abuse of '115.239.228.7', adding to offenders list.
Offender '115.239.228.7:4' scored 40 danger in 1 abuses.
Blocking 115.239.228.7:4 for >630secs: 40 danger in 4 attacks over 133 seconds (all: 40d in 1 abuses over 133s).
Setting environment: SSHG_ADDR=115.239.228.7;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
No ALTQ support in kernel
ALTQ related functions disabled
1/1 addresses added.
Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.

and one further time I get

Matched address 115.239.228.7:4 attacking service 100, dangerousness 10.
Purging stale attackers.
Asked to block '115.239.228.7', which was already blocked to my account.

Any thoughts on what I have setup incorrectly (if anything) or solutions?

regards
Alan
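The failure in the report above is purely a log-parsing gap: the attacker address is present in the line, but the trailing "via 127.0.0.1" is not recognised, so the whole line is dropped and never scored. As an added example (not sshguard's own code), the following Python mirrors the behaviour visible in the debug output: it accepts both line forms, takes the first address as the attacker (never the "via" loopback hop), adds 10 danger per match and blocks at 40, reporting repeat hits on a blocked address separately. The sample log lines are constructed.

```python
import re

# Constructed sample lines modelled on the system.log excerpt above; the "via" form
# is the one the 1.5.0 parser rejected.
SAMPLE_LOG = [
    "Jan 27 06:17:07 host sshd[14815]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:17:40 host sshd[14816]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:18:12 host sshd[14817]: error: PAM: authentication error for illegal user admin from 115.239.228.7",
    "Jan 27 06:19:20 host sshd[14818]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:19:45 host sshd[14819]: error: PAM: authentication error for root from 115.239.228.7 via 127.0.0.1",
    "Jan 27 06:20:01 host sshd[14820]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2",
]

# Regex counterpart of the scanner's PAM rule with an optional "via ..." tail. Only the
# first address (the real client) is captured; the "via" address is the local
# loopback/proxy hop and must never be the one that gets blocked.
PAM_AUTHFAIL = re.compile(
    r"error: PAM: [aA]uthentication (?:error|failure) for "
    r"(?:illegal user )?\S+ from (?P<addr>[0-9a-fA-F.:]+)"
    r"(?: via (?P<via>[0-9a-fA-F.:]+))?\s*$"
)

DANGER_PER_ATTACK = 10  # "dangerousness 10" in the debug output
BLOCK_THRESHOLD = 40    # sshguard's default: block once an address reaches 40 danger

def parse_attack(line):
    """Return the attacking address for a PAM auth-failure line, else None."""
    m = PAM_AUTHFAIL.search(line)
    return m.group("addr") if m else None

class Tracker:
    """Minimal stand-in for sshguard's per-address danger accounting."""
    def __init__(self):
        self.danger = {}
        self.blocked = set()

    def feed(self, line):
        """Score one line: 'ignored', 'matched', 'blocked' or 'already_blocked'."""
        addr = parse_attack(line)
        if addr is None:
            return "ignored"
        if addr in self.blocked:  # "Asked to block ..., which was already blocked"
            return "already_blocked"
        self.danger[addr] = self.danger.get(addr, 0) + DANGER_PER_ATTACK
        if self.danger[addr] >= BLOCK_THRESHOLD:
            self.blocked.add(addr)
            return "blocked"
        return "matched"

def run(lines):
    """Feed every line through one Tracker; return (per-line results, blocked addresses)."""
    t = Tracker()
    return [t.feed(line) for line in lines], sorted(t.blocked)
```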
From: Barry M. <bmu...@ga...> - 2015-02-04 15:39:19
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y index 4a58dd2..af193fb 100644 --- a/src/parser/attack_parser.y +++ b/src/parser/attack_parser.y @@ -89,6 +89,7 @@ static struct { /* ssh */ %token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM +%token SSH_VIA_SUFF %token SSH_REVERSEMAP_PREF SSH_REVERSEMAP_SUFF %token SSH_NOIDENTIFSTR SSH_BADPROTOCOLIDENTIF SSH_BADPROTOCOLIDENTIF_SUFF %token SSH_DISCONNECT_PREF SSH_PREAUTH_SUFF @@ -278,6 +279,7 @@ ssh_illegaluser: ssh_authfail: SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF | SSH_LOGINERR_PAM addr + | SSH_LOGINERR_PAM addr SSH_VIA_SUFF ; ssh_reversemapping: diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l index 5ecdcc8..3956c5d 100644 --- a/src/parser/attack_scanner.l +++ b/src/parser/attack_scanner.l @@ -146,6 +146,7 @@ HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+|{IPV4}|{IPV6}|{IPV4MAPPED6} /* wrong password for valid user @ FreeBSD, Debian */ "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user ")?.+" from " { return SSH_LOGINERR_PAM; } +"via ".* { BEGIN(INITIAL); return SSH_VIA_SUFF; } /* SSH: reverse mapping "possible break-in attempt!" */ "reverse mapping checking getaddrinfo for "[^\[]*"[" { BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; } |
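Review bot: the new `"via ".*` rule in attack_scanner.l has no comment, unlike the neighbouring rules (e.g. `/* wrong password for valid user @ FreeBSD, Debian */`); say which log source emits the suffix (the OS X sshd line from the report) and that the rest of the line, the via address included, is intentionally swallowed so the loopback/proxy address is never the one handed to the blocker. Note also that, like the PAM rule above it, the rule carries no start-condition prefix and so is matched in the default state, which makes the `BEGIN(INITIAL)` redundant there.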
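Review bot: the new alternative `SSH_LOGINERR_PAM addr SSH_VIA_SUFF` in attack_parser.y covers only the PAM form of the login failure; if the same systems can append "via ..." to the non-PAM `SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF` line, that form will still fail to parse. Worth confirming against a log sample, and worth adding the "via 127.0.0.1" line from the report as a parser test case so the regression stays covered.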
From: Kevin Z. <kev...@gm...> - 2015-02-05 01:04:49
Hi Alan,

On 01/27/15 06:25, Alan Stocker wrote:
> Any thoughts on what I have setup incorrectly (if anything) or
> solutions?

This problem has been fixed recently, and is available in the development repository located at:

https://bitbucket.org/sshguard/sshguard

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
From: Bradley G. <pi...@ma...> - 2015-02-05 21:02:02
Attachments:
signature.asc
On Feb 4, 2015, at 5:03 PM, Kevin Zheng <kev...@gm...> wrote:
> On 01/27/15 06:25, Alan Stocker wrote:
>> Any thoughts on what I have setup incorrectly (if anything) or
>> solutions?
>
> This problem has been fixed recently, and is available in the
> development repository located at:
>
> https://bitbucket.org/sshguard/sshguard

Thanks Kevin.

I maintain the MacPorts sshguard package and will add your patch to our build.

Do you know if there are any plans to roll a new release of sshguard?

Regards,
Bradley Giesbrecht (pixilla)
From: Alan S. <st...@le...> - 2015-02-06 09:07:02
Dear Bradley,

That's great - many thanks (and to you Kevin)

regards
Alan

On 5 Feb 2015, at 21:01, Bradley Giesbrecht <pi...@ma...> wrote:
> On Feb 4, 2015, at 5:03 PM, Kevin Zheng <kev...@gm...> wrote:
>
>> On 01/27/15 06:25, Alan Stocker wrote:
>>> Any thoughts on what I have setup incorrectly (if anything) or
>>> solutions?
>>
>> This problem has been fixed recently, and is available in the
>> development repository located at:
>>
>> https://bitbucket.org/sshguard/sshguard
>
> Thanks Kevin.
>
> I maintain the MacPorts sshguard package and will add your patch to our build.
>
> Do you know if there are any plans to roll a new release of sshguard?
>
> Regards,
> Bradley Giesbrecht (pixilla)
From: Kevin Z. <kev...@gm...> - 2015-02-08 03:30:06
On 02/05/15 15:01, Bradley Giesbrecht wrote:
> I maintain the MacPorts sshguard package and will add your patch to
> our build.

Fantastic! Thanks for maintaining the package!

> Do you know if there are any plans to roll a new release of
> sshguard?

Yes, since there have been some major release-worthy changes (most notably human-readable blacklisting) from the last release, which was quite some time ago. Unfortunately, there's no ETA for this since it depends on how busy Mij and I are.

Meanwhile, testing the development version (from Bitbucket) and reporting issues (or lack thereof) is well appreciated.

Thanks,
Kevin Zheng
From: Bradley G. <pi...@ma...> - 2015-02-11 01:23:38
Attachments:
signature.asc
On Feb 7, 2015, at 7:28 PM, Kevin Zheng <kev...@gm...> wrote:
> Signed PGP part
> On 02/05/15 15:01, Bradley Giesbrecht wrote:
>> I maintain the MacPorts sshguard package and will add your patch to
>> our build.
>
> Fantastic! Thanks for maintaining the package!
>
>> Do you know if there are any plans to roll a new release of
>> sshguard?
>
> Yes, since there have been some major release-worthy changes (most
> notably human-readable blacklisting) from the last release, which was
> quite some time ago. Unfortunately, there's no ETA for this since it
> depends on how busy Mij and I are.
>
> Meanwhile, testing the development version (from Bitbucket) and
> reporting issues (or lack thereof) is well appreciated.

Done. MacPorts is now building with 95f80c8 from BitBucket.

http://trac.macports.org/changeset/132790

Regards,
Bradley Giesbrecht (pixilla)
From: Kevin Z. <kev...@gm...> - 2015-02-11 22:37:14
On 02/10/2015 19:23, Bradley Giesbrecht wrote:
> Done. MacPorts is now building with 95f80c8 from BitBucket.
>
> http://trac.macports.org/changeset/132790

Fantastic, thanks! If you encounter any bugs or other suggestions, please do report them here.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090