|
From: <li...@la...> - 2015-08-01 17:49:45
|
This is a sample of my auth.log or message log on freebsd using sshguard-ipfw. The user is blocked, but the attack keeps coming.
------------------

Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:15 theranch last message repeated 2 times
Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:39 theranch last message repeated 2 times
Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:43 theranch last message repeated 2 times
Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:48 theranch last message repeated 2 times
Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:51 theranch last message repeated 2 times
Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:55 theranch last message repeated 2 times
Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:58 theranch last message repeated 2 times
Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:01 theranch last message repeated 2 times
Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:19 theranch last message repeated 2 times
Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:27 theranch last message repeated 2 times
Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:31 theranch last message repeated 2 times
Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:34 theranch last message repeated 2 times
Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:39 theranch last message repeated 2 times
Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:42 theranch last message repeated 2 times
Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:47 theranch last message repeated 2 times
Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:50 theranch last message repeated 2 times
Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:03 theranch last message repeated 2 times
Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:06 theranch last message repeated 2 times
Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:21 theranch last message repeated 2 times
Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:44 theranch last message repeated 2 times
Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:52 theranch last message repeated 2 times
|
|
From: James H. <jam...@gm...> - 2015-08-01 18:28:55
|
Have you checked the firewall rules? You should see the one sshguard added.
|
From: <li...@la...> - 2015-08-03 04:58:09
|
Would that be in rc.firewall? There isn't any comment regarding sshguard in that file.

From: James Harris
Sent: Saturday, August 1, 2015 11:29 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?

Have you checked the firewall rules? You should see the one sshguard added.
|
From: James H. <jam...@gm...> - 2015-08-03 22:14:57
|
No, I'm suggesting you look at the running firewall configuration to see if sshguard is adding rules for you. I believe on freebsd that is 'ipfw list'

--
James Harris
Software Engineer
jam...@gm...
|
From: <li...@la...> - 2015-08-04 00:23:07
|
I'm new to freebsd, so assume I am clueless and you are probably correct.
Let me know if top posting is an issue.
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state
01400 allow udp from me to any keep-state
01500 allow icmp from me to any keep-state
01600 allow ipv6-icmp from me to any keep-state
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 500
02900 allow tcp from any to me dst-port 4500
65000 count ip from any to any
65100 allow log udp from any to any dst-port 500 keep-state
65200 allow log udp from any 500 to any keep-state
65300 allow log udp from any to any dst-port 4500 keep-state
65400 allow log udp from any 4500 to any keep-state
65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
65500 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
Original Message
From: James Harris
Sent: Monday, August 3, 2015 3:15 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
No I'm suggesting you look at the running firewall configuration to see if sshguard is adding rules for you.
I believe on freebsd that is 'ipfw list'
On Sun, Aug 2, 2015 at 9:58 PM, <li...@la...> wrote:
Would that be in rc.firewall? There isn't any comment regarding sshguard in that file.
From: James Harris
Sent: Saturday, August 1, 2015 11:29 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
Have you checked the firewall rules? You should see the one sshguard added.
--
James Harris
Software Engineer
jam...@gm...
|
|
From: Kevin Z. <kev...@gm...> - 2015-08-04 00:35:57
|
On 08/03/2015 19:22, li...@la... wrote:
> 02500 allow tcp from any to me dst-port 22
ipfw is a first-rule-wins firewall. Since SSHGuard adds rules for ipfw around rule 50000 (at least using the current, crash-prone ipfw backend), its rules are never matched. You'll need to adjust your ruleset so that this particular rule has a lower number.
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: James H. <jam...@gm...> - 2015-08-04 00:41:19
|
If sshguard is running on this system shouldn't we see the block rules in this list ? To have them actually block the allow port 22 rule (and maybe the other allow rules) need to move but shouldn't we see the rules that have been added?
On Mon, Aug 3, 2015 at 5:35 PM, Kevin Zheng <kev...@gm...> wrote:
> On 08/03/2015 19:22, li...@la... wrote:
> > 02500 allow tcp from any to me dst-port 22
>
> ipfw is a first-rule-wins firewall. Since SSHGuard adds rules for ipfw
> around rule 50000 (at least using the current, crash-prone ipfw
> backend), its rules are never matched. You'll need to adjust your
> ruleset so that this particular rule has a lower number.
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
--
James Harris
Software Engineer
jam...@gm... |
|
From: Kevin Z. <kev...@gm...> - 2015-08-04 01:25:19
|
On 08/03/2015 19:41, James Harris wrote:
> If sshguard is running on this system shouldn't we see the block rules
> in this list ? To have them actually block the allow port 22 rule (and
> maybe the other allow rules) need to move but shouldn't we see the rules
> that have been added?
Yes, we *should* see the block rules around rule 55000. Any idea what version of SSHGuard is being used? The one from FreeBSD ports?
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2015-08-04 19:44:24
|
Sshguard -v indicates 1.6.0
I used the version with the suffix -ipfw.
Original Message
From: Kevin Zheng
Sent: Monday, August 3, 2015 6:25 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 08/03/2015 19:41, James Harris wrote:
> If sshguard is running on this system shouldn't we see the block rules
> in this list ? To have them actually block the allow port 22 rule (and
> maybe the other allow rules) need to move but shouldn't we see the rules
> that have been added?
Yes, we *should* see the block rules around rule 55000. Any idea what version of SSHGuard is being used? The one from FreeBSD ports?
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2015-08-04 21:11:26
|
I upgraded to 1.6.1.
Looks like it crashes.
Aug 4 20:54:13 theranch pkg: sshguard-ipfw upgraded: 1.6.0_1 -> 1.6.1
Aug 4 19:41:03 theranch sshguard[18636]: Started with danger threshold=40 ; minimum block=420 seconds
Aug 4 19:41:12 theranch sshguard[18636]: Got exit signal, flushing blocked addresses and exiting...
Original Message
From: Kevin Zheng
Sent: Monday, August 3, 2015 6:25 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 08/03/2015 19:41, James Harris wrote:
> If sshguard is running on this system shouldn't we see the block rules
> in this list ? To have them actually block the allow port 22 rule (and
> maybe the other allow rules) need to move but shouldn't we see the rules
> that have been added?
Yes, we *should* see the block rules around rule 55000. Any idea what version of SSHGuard is being used? The one from FreeBSD ports?
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-04 21:53:36
|
On 08/04/2015 16:11, li...@la... wrote:
> I upgraded to 1.6.1.
> Looks like it crashes.
This is a known issue that has been fixed in the development version, but did not make it back to the 1.6 branch for the 1.6.1 release.
If it's an option, consider compiling and running the development version on Bitbucket (it's the version I run). Alternatively, I can provide a patch against 1.6.1 that fixes the ipfw crash.
(Since you're running FreeBSD, you might feel adventurous enough to try out the shiny new Capsicum support!)
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2015-08-06 00:42:41
|
Sorry my reply escaped before I could add comments. Is my use of auto tools correct? It has one error. |
|
From: Mark F. <fe...@Fr...> - 2015-08-10 16:27:40
|
On Tue, Aug 4, 2015, at 16:53, Kevin Zheng wrote:
> On 08/04/2015 16:11, li...@la... wrote:
> > I upgraded to 1.6.1.
> > Looks like it crashes.
>
> This is a known issue that has been fixed in the development version,
> but did not make it back to the 1.6 branch for the 1.6.1 release.
>
> If it's an option, consider compiling and running the development
> version on Bitbucket (it's the version I run). Alternatively, I can
> provide a patch against 1.6.1 that fixes the ipfw crash.
>
> (Since you're running FreeBSD, you might feel adventurous enough to try
> out the shiny new Capsicum support!)
>
> Best,
> Kevin Zheng
>
Kevin, is this the patch in question?
https://bitbucket.org/sshguard/sshguard/commits/da561435cc29c22ee3b545b61e76aa318ec8fd0f/raw/
Thanks |
|
From: Kevin Z. <kev...@gm...> - 2015-08-10 17:05:39
Attachments:
patch-ipfw.diff
|
Hi Mark,
On 08/10/2015 11:11, Mark Felder wrote:
> Kevin, is this the patch in question?
>
> https://bitbucket.org/sshguard/sshguard/commits/da561435cc29c22ee3b545b61e76aa318ec8fd0f/raw/
I've attached the patch that fixes 'ipfw' support. You can generate this yourself by running:
$ git diff v1.6.1 origin/1.6
Most of this diff consists of deletions. You can safely ignore the hunk that deletes 'src/fwalls/ipfw.c' if you're putting this in ports.
Keep in mind that in order to use this, users will have to add a rule to their 'ipfw' ruleset that blocks addresses from table 22:
# ipfw add 50000 deny ip from table\(22\) to me
This will likely change in 1.7, where I think I'll have sshguard insert this rule automatically.
Apologies for the trouble here. I don't think the release plan of backporting bug fixes is working too well; I'm thinking about making releases at regular intervals from 'master' instead. But that's a whole different topic.
Thanks,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-12 02:55:30
|
On 08/11/2015 16:20, mij wrote:
> If that point has come, let’s party, but please make sure the option is uniformly
> available on all supported platforms before pulling the trigger.
I believe the only systems using 'ipfw' are FreeBSD and OS X. I'll find out when tables were introduced in FreeBSD. New Macs are replacing 'ipfw' with 'pf', so they will be using that backend.
Thanks,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Willem J. W. <wj...@di...> - 2015-08-12 11:37:00
|
On 12-8-2015 04:55, Kevin Zheng wrote:
> On 08/11/2015 16:20, mij wrote:
>> If that point has come, let’s party, but please make sure the option is uniformly
>> available on all supported platforms before pulling the trigger.
>
> I believe the only systems using 'ipfw' are FreeBSD and OS X. I'll find
> out when tables were introduced in FreeBSD. New Macs are replacing
> 'ipfw' with 'pf', so they will be using that backend.
'mmm,
Nice question.
I'd say that was when we went from ipfw to ipfw2...
And ipfw has now become ipfw again.
Tables are at least supported in all versions that are not EoL, and the
full range of 8.x
This is from some systems I have about:
7.3-STABLE FreeBSD 7.3-STABLE #0: Wed Jun 30 22:15:57 CEST 2010
AND
6.4-PRERELEASE FreeBSD 6.4-PRERELEASE #85: Wed Nov 12 12:46:53 CET 2008
ipfw table number add addr[/masklen] [value]
ipfw table number delete addr[/masklen]
ipfw table {number | all} flush
ipfw table {number | all} list
So I'd expect just about everybody with IPFW to have tables.
And if not, then their version is so old that they better know what they
are doing. Because maintaining these systems needs a lot of expertise to
fix security bugs....
hope that helps,
--WjW
|
|
From: <li...@la...> - 2015-08-06 00:39:37
|
# cd sshguard-sshguard-3216aaa2ba58/
# aclocal
# autoconf
# automake -a
configure.ac:129: installing './compile'
configure.ac:6: installing './install-sh'
configure.ac:6: installing './missing'
configure.ac:5: error: required file 'src/config.h.in' not found
# ./configure --with-firewall=ipfw
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for ipfw... no
configure: WARNING: ipfw program not in path! Using /sbin as default unless --with-ipfw specified
## -------------- ##
## Program Checks ##
## -------------- ##
checking for gawk... (cached) nawk
checking for gcc... no
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking whether cc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of cc... gcc3
checking for cc option to accept ISO C99... none needed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ranlib... ranlib
checking for bison... no
checking for byacc... byacc
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
## -------------- ##
## Library Checks ##
## -------------- ##
checking for pthread_create in -lpthread... yes
checking how to run the C preprocessor... cc -E
checking for ANSI C header files... yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking malloc.h usability... no
checking malloc.h presence... no
checking for malloc.h... no
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for off_t... yes
checking for pid_t... yes
checking for size_t... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for C/C++ restrict keyword... __restrict
checking whether __SUNPRO_C is declared... no
## ----------------- ##
## Library Functions ##
## ----------------- ##
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for gethostbyname... yes
checking for inet_ntoa... yes
checking for strerror... yes
checking for strstr... yes
checking for strtol... yes
checking for library containing socket... none required
checking for library containing gethostbyname... none required
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating man/Makefile
config.status: error: cannot find input file: `src/Makefile.in'
Original Message
From: Kevin Zheng
Sent: Tuesday, August 4, 2015 2:53 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 08/04/2015 16:11, li...@la... wrote:
> I upgraded to 1.6.1.
> Looks like it crashes.
This is a known issue that has been fixed in the development version, but did not make it back to the 1.6 branch for the 1.6.1 release.
If it's an option, consider compiling and running the development version on Bitbucket (it's the version I run). Alternatively, I can provide a patch against 1.6.1 that fixes the ipfw crash.
(Since you're running FreeBSD, you might feel adventurous enough to try out the shiny new Capsicum support!)
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-06 01:17:40
|
On 08/05/2015 19:39, li...@la... wrote:
>
> # cd sshguard-sshguard-3216aaa2ba58/
> # aclocal
> # autoconf
> # automake -a
> configure.ac:129: installing './compile'
> configure.ac:6: installing './install-sh'
> configure.ac:6: installing './missing'
> configure.ac:5: error: required file 'src/config.h.in' not found
Try `autoreconf -i`. It's one command that'll do it all (correctly).
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: James H. <jam...@gm...> - 2015-08-06 01:30:49
|
It seems like build documentation is a place where we are lacking. Until sshguard get picked up into distros that provide packaging I think we need to see most will install from source. I have my own shell scripts that build under fedora. Maybe we should be checking these scripts in?
On Aug 5, 2015 6:18 PM, "Kevin Zheng" <kev...@gm...> wrote:
> On 08/05/2015 19:39, li...@la... wrote:
> >
> > # cd sshguard-sshguard-3216aaa2ba58/
> > # aclocal
> > # autoconf
> > # automake -a
> > configure.ac:129: installing './compile'
> > configure.ac:6: installing './install-sh'
> > configure.ac:6: installing './missing'
> > configure.ac:5: error: required file 'src/config.h.in' not found
>
> Try `autoreconf -i`. It's one command that'll do it all (correctly).
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-06 01:35:42
|
On 08/05/2015 20:30, James Harris wrote:
> It seems like build documentation is a place where we are lacking. Until
> sshguard get picked up into distros that provide packaging I think we
> need to see most will install from source. I have my own shell scripts
> that build under fedora. Maybe we should be checking these scripts in?
Documentation in general is a bit lacking -- sorry. I assume some things are obvious (e.g. 'autoreconf -i', running 'configure'), but it turns out that they aren't.
The man page is up to date (yay!), but installation instructions in general (compiling, setting up the firewall) isn't. I also have to figure out how to ship it with the source distribution while keeping the website (even more out of date) up to date.
Suggestions are welcome!
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: James H. <jam...@gm...> - 2015-08-06 01:42:05
|
The updated man pages are great. You're doing a great job Kevin. Documentation is often a good entry point to start contributing to a project. So really this is for everyone else that uses sshguard. If you have figured out how to install and configure. Think about writing it up.
On Aug 5, 2015 6:36 PM, "Kevin Zheng" <kev...@gm...> wrote:
> On 08/05/2015 20:30, James Harris wrote:
> > It seems like build documentation is a place where we are lacking. Until
> > sshguard get picked up into distros that provide packaging I think we
> > need to see most will install from source. I have my own shell scripts
> > that build under fedora. Maybe we should be checking these scripts in?
>
> Documentation in general is a bit lacking -- sorry. I assume some things
> are obvious (e.g. 'autoreconf -i', running 'configure'), but it turns
> out that they aren't.
>
> The man page is up to date (yay!), but installation instructions in
> general (compiling, setting up the firewall) isn't. I also have to
> figure out how to ship it with the source distribution while keeping the
> website (even more out of date) up to date.
>
> Suggestions are welcome!
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2015-08-06 06:14:09
|
Ya know, there is much confusion on the interwebs regarding autotools:
http://stackoverflow.com/questions/19263899/why-is-autoreconf-not-used-often
So some things aren't so obvious. ;-)
Easily over 95% of what I have compiled from source is simply
./configure
make
make install
Original Message
From: Kevin Zheng
Sent: Wednesday, August 5, 2015 6:35 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 08/05/2015 20:30, James Harris wrote:
> It seems like build documentation is a place where we are lacking. Until
> sshguard get picked up into distros that provide packaging I think we
> need to see most will install from source. I have my own shell scripts
> that build under fedora. Maybe we should be checking these scripts in?
Documentation in general is a bit lacking -- sorry. I assume some things are obvious (e.g. 'autoreconf -i', running 'configure'), but it turns out that they aren't.
The man page is up to date (yay!), but installation instructions in general (compiling, setting up the firewall) isn't. I also have to figure out how to ship it with the source distribution while keeping the website (even more out of date) up to date.
Suggestions are welcome!
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-06 12:49:34
|
On 08/06/2015 01:13, li...@la... wrote:
> Ya know, there is much confusion on the interwebs regarding autotools:
>
> http://stackoverflow.com/questions/19263899/why-is-autoreconf-not-used-often
>
> So some things aren't so obvious. ;-)
>
> Easily over 95% of what I have compiled from source is simply
> ./configure
> make
> make install
So are the SSHGuard source distributions (tarballs). But since autotools are automatically generated, they don't belong in Git. You're expected to generate them yourself with `autoreconf -i`.
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2015-08-06 21:35:08
|
Compiled, installed, and banning bad boys. Well maybe....
This user was banned, but not for long:
Aug 6 21:20:24 theranch sshd[1494]: reverse mapping checking getaddrinfo for sianet.static.gvt.net.br [179.185.39.196] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 6 21:20:24 theranch sshd[1494]: Invalid user testuser from 179.185.39.196
Aug 6 21:20:24 theranch sshd[1494]: input_userauth_request: invalid user testuser [preauth]
Aug 6 21:20:25 theranch sshd[1494]: Received disconnect from 179.185.39.196: 11: Bye Bye [preauth]
Aug 6 21:20:25 theranch sshguard[755]: blacklist: added 179.185.39.196
Aug 6 21:20:25 theranch sshguard[755]: Blocking 179.185.39.196:4 for >0secs: 40 danger in 4 attacks over 261 seconds (all: 40d in 1 abuses over 261s).
Aug 6 21:24:42 theranch sshd[1504]: reverse mapping checking getaddrinfo for sianet.static.gvt.net.br [179.185.39.196] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 6 21:24:42 theranch sshd[1504]: Invalid user students from 179.185.39.196
Aug 6 21:24:42 theranch sshd[1504]: input_userauth_request: invalid user students [preauth]
Aug 6 21:24:42 theranch sshd[1504]: Received disconnect from 179.185.39.196: 11: Bye Bye [preauth]
Aug 6 21:28:59 theranch sshd[1508]: reverse mapping checking getaddrinfo for sianet.static.gvt.net.br [179.185.39.196] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 6 21:28:59 theranch sshd[1508]: Invalid user test from 179.185.39.196
Aug 6 21:28:59 theranch sshd[1508]: input_userauth_request: invalid user test [preauth]
Aug 6 21:28:59 theranch sshd[1508]: Received disconnect from 179.185.39.196: 11: Bye Bye [preauth]
Original Message
From: Kevin Zheng
Sent: Thursday, August 6, 2015 5:49 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?
On 08/06/2015 01:13, li...@la... wrote:
> Ya know, there is much confusion on the interwebs regarding autotools:
>
> http://stackoverflow.com/questions/19263899/why-is-autoreconf-not-used-often
>
> So some things aren't so obvious. ;-)
>
> Easily over 95% of what I have compiled from source is simply
> ./configure
> make
> make install
So are the SSHGuard source distributions (tarballs). But since autotools are automatically generated, they don't belong in Git. You're expected to generate them yourself with `autoreconf -i`.
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
|
From: Kevin Z. <kev...@gm...> - 2015-08-06 21:46:50
|
On 08/06/2015 16:34, li...@la... wrote:
> Compiled, installed, and banning bad boys. Well maybe....
>
> This user was banned, but not for long:
You probably didn't set up the firewall correctly. In the development version, you need to add a rule to block address from table '22'. I will document this soon, I promise.
Best,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
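The two firewall points raised in this thread (ipfw stops at the first matching rule, and a deny rule for table 22 has to exist) can be checked against `ipfw list` output. The script below is an added example, not part of any message in the thread and not SSHGuard code; the function name, verdict strings, rule number 02450 and the handling of port lists and ranges are assumptions made for illustration, and the rulesets are constructed from the excerpt posted above.

```shell
#!/bin/sh
# Added example, not SSHGuard code. Reads `ipfw list` output on stdin and
# reports whether the deny rule for the blocked-address table can match SSH.
#   missing   no "deny ... from table(N)" rule is loaded
#   shadowed  an "allow ... dst-port <ssh>" rule is evaluated first
#   ok        the table deny is evaluated before every such allow
# Limitation (assumption of this sketch): only allow rules with an explicit
# dst-port list are considered; broader allows and dynamic state are ignored.
# Live use: ipfw list | check_sshguard_ipfw 22 22
check_sshguard_ipfw() {
    awk -v table="${1:-22}" -v port="${2:-22}" '
    # True when a port spec such as "22", "22,2222" or "20-25" covers p.
    function covers(spec, p,    n, i, parts, range) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            if (split(parts[i], range, "-") == 2) {
                if (p + 0 >= range[1] + 0 && p + 0 <= range[2] + 0) return 1
            } else if (parts[i] + 0 == p + 0) {
                return 1
            }
        }
        return 0
    }
    $1 ~ /^[0-9]+$/ {
        pos++                       # listing order is evaluation order
        f = 0; d = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "from" && !f) f = i
            if ($i == "dst-port" && !d) d = i
        }
        if (!f) next                # rules without addresses, e.g. check-state
        if ($2 == "deny" && $(f + 1) ~ ("^table\\(" table "[,)]")) {
            if (!deny_pos) { deny_pos = pos; deny_num = $1 }
        } else if ($2 == "allow" && d && $(f - 1) ~ /^(tcp|ip|ip4|all)$/ &&
                   covers($(d + 1), port)) {
            if (!allow_pos) { allow_pos = pos; allow_num = $1 }
        }
    }
    END {
        if (!deny_pos)
            print "missing"
        else if (allow_pos && allow_pos < deny_pos)
            print "shadowed allow=" allow_num " deny=" deny_num
        else
            print "ok deny=" deny_num
    }'
}

# Excerpt of the ruleset posted in the thread: no table rule at all.
ruleset_as_posted() {
    cat <<'EOF'
01100 check-state
01200 allow tcp from me to any established
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
65535 deny ip from any to any
EOF
}

# Same excerpt after the "ipfw add 50000 deny ..." command from the thread.
ruleset_rule_50000() {
    cat <<'EOF'
01100 check-state
01200 allow tcp from me to any established
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
50000 deny ip from table(22) to me
65535 deny ip from any to any
EOF
}

# Constructed variant: the table deny sits at 02450, ahead of the SSH allow.
ruleset_reordered() {
    cat <<'EOF'
01100 check-state
01200 allow tcp from me to any established
02450 deny ip from table(22) to me
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
65535 deny ip from any to any
EOF
}

for rs in ruleset_as_posted ruleset_rule_50000 ruleset_reordered; do
    printf '%-20s %s\n' "$rs" "$("$rs" | check_sshguard_ipfw 22 22)"
done
```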