From: @lbutlr <kr...@kr...> - 2015-07-21 22:55:07

I have my home fixed IP set in the whitelist for sshguard, but when I was unable to log in to the server remotely this weekend, I discovered that that IP had been added to the top of /etc/hosts.allow with a DENY.

When running, sshguard shows up as:

  /usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

/usr/local/etc/sshguard.whitelist contains IP addresses, one per line:

  230.240.250.260
  230.240.250.261
  260.1.2.5
  etc

I just started up sshguard and again, it blacklisted my IP.

  $ head -3 /etc/hosts.allow
  ###sshguard###
  ALL : 230.240.250.260 : DENY
  ###sshguard###

  $ cat /usr/local/etc/sshguard.whitelist
  230.240.250.260
  230.240.250.261
  260.1.2.5

(Obviously those are not real IPs, but the two IPs *are* identical.)

-- 
Realizing the importance of the case, my men are rounding up twice the usual number of suspects.

From: @lbutlr <kr...@kr...> - 2015-07-23 00:54:53

Anyone?

> On Jul 21, 2015, at 2:23 AM, @lbutlr <kr...@kr...> wrote:
>
> I have my home fixed IP set in the whitelist for sshguard but when I was unable to login to the server remotely this weekend, I discovered that that IP had been added to the top of /etc/hosts.allow with a DENY.

Typos fixed. My IP has been blacklisted again today. Still listed in the whitelist file.

-- 
Realizing the importance of the case, my men are rounding up twice the usual number of suspects.

From: Kevin Z. <kev...@gm...> - 2015-07-23 00:57:13

On 07/23/2015 08:48, @lbutlr wrote:
> Anyone?

Sorry for the belated response, but I'm still looking at your problem. I'm having a hard time reproducing the issue. What operating system are you using, and what version of SSHGuard?

Best,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: LuKreme <kr...@kr...> - 2015-07-23 02:35:23

> On Jul 22, 2015, at 18:56, Kevin Zheng <kev...@gm...> wrote:
>
> Sorry for the belated response, but I'm still looking at your problem. I'm having a hard time reproducing the issue. What operating system are you using, and what version of SSHGuard?

FreeBSD 9.2. I'll have to double check the version of sshguard when I go in tomorrow to unblacklist myself, but it is current within the last two or three months at the outside. Probably much more recently than that.

I did delete the db file for sshguard before I launched it last, hoping that would eliminate the issue. Will also check logs tomorrow for anything of interest.

From: LuKreme <kr...@kr...> - 2015-07-23 02:36:25

On Jul 22, 2015, at 18:56, Kevin Zheng <kev...@gm...> wrote:
>
> what version of SSHGuard?

Oh, and by "current" I mean "current in ports" if that matters.

From: Kevin Z. <kev...@gm...> - 2015-07-23 02:58:19

On 07/21/2015 16:23, @lbutlr wrote:
> I have my home fixed IP set in the whitelist for sshguard but when I was unable to login to the server remotely this weekend, I discovered that that IP had been added to the top of /etc/hosts.allow with a DENY.

I still can't seem to reproduce your issue. Could you please run this from the command line and see if you spot any interesting output?

  env SSHGUARD_DEBUG=yes sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

In particular, pay attention to the first few lines that read from your whitelist. Are those the IPs you expected?

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: @lbutlr <kr...@kr...> - 2015-07-23 10:24:23

On Jul 22, 2015, at 8:58 PM, Kevin Zheng <kev...@gm...> wrote:
> env SSHGUARD_DEBUG=yes sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

  SSHGuard version sshguard-1.5_12
  Adding '/var/log/auth.log' to polled files.
  Registering events.
  Setting 2 events for 1 (act+inact) files.
  File '/var/log/auth.log' added, fd 4, serial 5297173.
  Adding '/var/log/maillog' to polled files.
  Registering events.
  Setting 4 events for 2 (act+inact) files.
  File '/var/log/maillog' added, fd 5, serial 5297154.
  whitelist: add '230.240.250.260' as plain IPv4.
  whitelist: add plain IPv4 230.240.250.260.
  whitelist: add '230.240.250.261' as plain IPv4.
  whitelist: add plain IPv4 230.240.250.261.
  whitelist: add '127.0.0.1' as plain IPv4.
  whitelist: add plain IPv4 127.0.0.1.
  Blacklist loaded, blocking 56 addresses.
  …

… the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?

  sshguard 1.5.0
  Copyright (c) 2007,2008 Mij <mi...@ss...>
  This is free software; see the source for conditions on copying.

I've removed the hosts.deny file and started sshguard again:

  $ cat hosts.allow
  ###sshguard###
  ALL : 200.114.65.111 45.114.11.16 111.207.126.80 45.114.11.34 190.60.31.107 218.65.30.92 218.65.30.23 122.243.249.122 : DENY
  ALL : 2.115.68.148 198.252.66.108 125.69.80.32 218.65.30.73 82.208.235.94 183.60.175.149 182.100.67.114 61.36.33.233 : DENY
  ALL : 45.114.11.13 218.87.111.116 218.26.243.138 113.11.197.233 193.201.227.30 218.65.30.217 58.218.211.166 221.179.89.90 : DENY
  ALL : 218.65.30.61 218.87.109.60 119.147.47.94 190.9.130.71 182.100.67.112 219.229.222.4 62.210.7.160 113.195.145.12 : DENY
  ALL : 45.114.11.41 45.114.11.29 23.91.120.48 45.114.11.39 184.168.119.160 91.199.151.85 45.114.11.51 218.200.188.213 : DENY
  ALL : 198.58.95.66 109.169.74.58 14.63.161.216 193.107.17.72 182.100.67.102 45.55.76.112 162.250.126.81 218.87.111.110 : DENY
  ALL : 103.17.107.18 193.104.41.53 45.114.11.14 23.21.125.218 71.245.177.204 45.114.11.28 191.235.188.206 45.114.11.26 : DENY
  ALL : : DENY
  ###sshguard###

This time, my home IP is not listed there, and many IPs are listed which show up in /var/log/auth.log trying to ssh as the root user, so that's good. I'm going to keep an eye on it, and restore the rest of hosts.allow from the backup.

  Jul 23 02:44:04 mail sshguard[3339]: Offender '200.114.65.111:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
  Jul 23 02:44:04 mail sshguard[3339]: Blocking 200.114.65.111:4 for >0secs: 40 danger in 4 attacks over 757 seconds (all: 40d in 1 abuses over 757s).

-- 
'It's still a lie. Like the lie about masks.' 'What lie about masks?' 'The way people say they hide faces.' 'They do hide faces,' said Nanny Ogg. 'Only the one on the outside.' --Maskerade

From: Kevin Z. <kev...@gm...> - 2015-07-23 13:20:39

On 07/23/2015 18:24, @lbutlr wrote:
> SSHGuard version sshguard-1.5_12

The latest version from ports is 1.6.0.

> whitelist: add '230.240.250.260' as plain IPv4.
> whitelist: add plain IPv4 230.240.250.260.
> whitelist: add '230.240.250.261' as plain IPv4.
> whitelist: add plain IPv4 230.240.250.261.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain IPv4 127.0.0.1.

Are the correct addresses whitelisted?

> the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?

I'm not very familiar with the 'hosts' backend, so I'm not sure. I believe SSHGuard should only be making changes to one file, which is set at compile time.

I'd be interested to hear if you find out what's going on.

Thanks,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: @lbutlr <kr...@kr...> - 2015-07-23 18:53:46

> On Jul 23, 2015, at 7:39 AM, Willem Jan Withagen <wj...@di...> wrote:
>
> On 23/07/2015 15:20, Kevin Zheng wrote:
>> On 07/23/2015 18:24, @lbutlr wrote:
>>> the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?
>>
>> I'm not very familiar with the 'hosts' backend, so I'm not sure. I believe SSHGuard should only be making changes to one file, which is set at compile time.
>>
>> I'd be interested to hear if you find out what's going on.
>
> It is normal to dump everything into /etc/hosts.deny, as is suggested in the header in /etc/hosts.deny…

There were no headers at all in the hosts.deny file, and the file has not been recreated since yesterday (but it was modified at the same time as hosts.allow).

> It now can go all in the same file.

Yes, which is why I found the list of IPs in hosts.deny odd, since everything should be in hosts.allow.

> And on those servers I manually blacklist C-nets (/24) (mostly russian/asian) which have more than a 10-15% coverage. So if more than 32 ipnrs in a segment try to abuse the system, I don't wait, I just block the whole C-net.

If there were a reliable way to block all of Russia and China, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.

I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist, since I do not allow ssh access to the root account).

Whatever oddness there was hasn't recurred so far.

-- 
Realizing the importance of the case, my men are rounding up twice the usual number of suspects.

From: James H. <jam...@gm...> - 2015-07-24 01:06:27

Currently I'm leaning towards writing some tools which can be used offline to analyse the blacklist: make suggestions about blocking IP ranges and removing IPs from the blacklist which are contained in the ranges selected to be blocked. I would want to see that promoting a few IPs to blocking a range works well before integrating such complexity into sshguard.

On Thu, Jul 23, 2015 at 4:47 PM, Kevin Zheng <kev...@gm...> wrote:
> On 07/24/2015 02:53, @lbutlr wrote:
> > If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.
>
> Here's a list of CIDR blocks by country:
> http://www.ipdeny.com/ipblocks/
>
> You don't need SSHGuard to block these.
>
> > I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).
>
> This idea was thrown around on the mailing list a short while ago, but I haven't gotten around to start looking at it, yet. Most of the changes probably involve updating the lexer/parser to spit out the username (if available), but this is not as trivial as it sounds.
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090

-- 
James Harris
Software Engineer
jam...@gm...

From: Kevin Z. <kev...@gm...> - 2015-07-24 01:08:51

On 07/24/2015 09:06, James Harris wrote:
> Currently I'm leaning towards writing some tools which can be used offline to analyse the blacklist. Make suggestions about blocking IP ranges and removing IPs from the blacklist which are contained in the ranges selected to be blocked. I would want to see promoting a few IPs to blocking a range works well before integrating such complexity into sshguard.

I think that's a good idea. And, you won't have to do it in C :p

Best,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: Willem J. W. <wj...@di...> - 2015-07-23 13:40:18

On 23/07/2015 15:20, Kevin Zheng wrote:
> On 07/23/2015 18:24, @lbutlr wrote:
>> the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?
>
> I'm not very familiar with the 'hosts' backend, so I'm not sure. I believe SSHGuard should only be making changes to one file, which is set at compile time.
>
> I'd be interested to hear if you find out what's going on.

It is normal to dump everything into /etc/hosts.deny, as is suggested in the header in /etc/hosts.deny... It now can go all in the same file.

The fact is that 1200 addresses seems a lot, but I have servers with over 8000 blacklisted ipnrs. And on those servers I manually blacklist C-nets (/24) (mostly russian/asian) which have more than a 10-15% coverage. So if more than 32 ipnrs in a segment try to abuse the system, I don't wait, I just block the whole C-net.

--WjW

From: Greg P. <gr...@n0...> - 2015-07-23 20:10:48

@lbutlr said:
> If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.
>
> I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).

Can find networks in China & North Korea at:
http://okean.com

From: James H. <jam...@gm...> - 2015-07-23 21:43:58

I had been looking at two ideas. First, blocking subnets when a certain number of IPs had been blocked, thus replacing like 128 rules with one if half of a class C was blocked. Another option is to look up the AS of the IPs, and when enough bad guys from one AS show up just block all the IPs there. Many of these attackers can force a provider to give them another IP but few go to the trouble of changing providers. I suspect blocking by AS will have the same thing as blocking by country where these attacks most often originate.

On Thu, Jul 23, 2015 at 12:52 PM, Greg Putrich <gr...@n0...> wrote:
> @lbutlr said:
> > If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.
> >
> > I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).
>
> Can find networks in China & North Korea at:
> http://okean.com

-- 
James Harris
Software Engineer
jam...@gm...

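An offline blacklist analyser of the kind James describes in his two messages in this thread (a tool that suggests ranges to block and drops the single IPs they contain, and blocking a /24 once a certain number of its hosts have been listed), written here as an added Python example; it is not sshguard's code or James's tool. It parses the ###sshguard### block in the hosts.allow format quoted earlier in the thread, reports whitelisted addresses that are nevertheless denied (the symptom that opened the thread), and collapses a /24 into one rule once a threshold of its hosts is blocked; the sample input is constructed and the threshold of 3 is an assumption.

```python
"""Offline analysis of the sshguard block in /etc/hosts.allow (added example)."""
import ipaddress
from collections import defaultdict

MARKER = "###sshguard###"
# Constructed sample in the thread's format (documentation ranges, not real hosts).
SAMPLE_HOSTS_ALLOW = """\
###sshguard###
ALL : 198.51.100.7 198.51.100.9 198.51.100.23 203.0.113.5 : DENY
ALL : 198.51.100.40 192.0.2.77 : DENY
ALL : : DENY
###sshguard###
sshd : ALL : allow
"""
SAMPLE_WHITELIST = "192.0.2.77\n203.0.113.200\n127.0.0.1\n"

def parse_sshguard_block(text):
    """Collect the IPv4 addresses on 'ALL : ... : DENY' lines between the markers."""
    denied, inside = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == MARKER:
            inside = not inside          # markers open and close the managed block
            continue
        if not inside or not line.startswith("ALL"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] != "DENY":
            continue
        for token in fields[1].split():  # the empty "ALL : : DENY" entry yields none
            try:
                denied.add(ipaddress.IPv4Address(token))
            except ValueError:
                pass                     # skip anything that is not a plain IPv4
    return denied

def whitelist_conflicts(denied, whitelist_text):
    """Whitelisted addresses that are nevertheless denied (the thread's symptom)."""
    allowed = {ipaddress.IPv4Address(l.strip()) for l in whitelist_text.splitlines()
               if l.strip() and not l.startswith("#")}  # plain-IPv4 entries only
    return sorted(denied & allowed)

def suggest_ranges(denied, threshold):
    """Group denied addresses by /24; a net with >= threshold members becomes one rule."""
    by_net = defaultdict(list)
    for ip in denied:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    ranges = sorted(n for n, ips in by_net.items() if len(ips) >= threshold)
    singles = sorted(ip for n, ips in by_net.items() if len(ips) < threshold for ip in ips)
    return ranges, singles
```

Run against a real /etc/hosts.allow and sshguard.whitelist, a non-empty result from whitelist_conflicts is the condition the original poster hit; suggest_ranges returns the /24 rules to write plus the addresses that still need individual entries.
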
From: Kevin Z. <kev...@gm...> - 2015-07-23 23:47:58

On 07/24/2015 02:53, @lbutlr wrote:
> If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.

Here's a list of CIDR blocks by country:
http://www.ipdeny.com/ipblocks/

You don't need SSHGuard to block these.

> I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).

This idea was thrown around on the mailing list a short while ago, but I haven't gotten around to start looking at it, yet. Most of the changes probably involve updating the lexer/parser to spit out the username (if available), but this is not as trivial as it sounds.

Best,
Kevin Zheng

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090