From: Júlio M. <jul...@gm...> - 2018-05-25 16:20:17
Does SSHGuard support OpenSMTPD, both running on OpenBSD? I found no positive indication on the net and your site.

Cheers
Júlio
From: Kevin Z. <kev...@gm...> - 2018-05-25 17:38:26
On 05/25/2018 09:20, Júlio Maranhão wrote:
> Does SSHGuard support OpenSMTPD, both running on OpenBSD?
>
> I found no positive indication on net and your site.

An older version of SSHGuard is available on OpenBSD:

security/sshguard

SSHGuard does not recognize log messages from OpenSMTPD.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Júlio M. <ju...@ma...> - 2018-05-26 15:54:58
On 25 May 2018 at 14:38, Kevin Zheng <kev...@gm...> wrote:
>
> An older version of SSHGuard is available on OpenBSD:
>
> security/sshguard
>
> SSHGuard does not recognize log messages from OpenSMTPD.

In your (members') opinion, is SSHGuard mature? I.e., does it do what it proposes/declares on the website (few bugs)?

Sorry for these questions. I am only used to python-based software and Linux. I need to assess OpenBSD + Dovecot + OpenSMTPD + SSHGuard. Your answer is clear: no go.

What about Postfix instead of OpenSMTPD?

P.S.: Interesting C/yacc code. If the only problem is OpenSMTPD and low interest/priority, I am willing to work on it.

Júlio

Sent via Migadu.com, world's easiest email hosting
From: Kevin Z. <kev...@gm...> - 2018-05-26 16:58:16
On 05/26/2018 08:38, Júlio Maranhão wrote:
> On 25 May 2018 at 14:38, Kevin Zheng <kev...@gm...> wrote:
>>
>> An older version of SSHGuard is available on OpenBSD:
>>
>> security/sshguard
>>
>> SSHGuard does not recognize log messages from OpenSMTPD.
>
> In your (members) opinion, is SSHGuard mature? I.e., is it done for
> what it does propose/declare in the website (few bugs)?

Being completely biased, I would say so. The code is separated into well-defined components with well-defined interfaces. In fact, the recent changes that updated attack signatures have only changed one binary ('sshg-parser'). You could even write your own sshg-parser and continue to use the rest of SSHGuard as-is.

Both the blocker ('sshg-blocker') and parser ('sshg-parser') logic work with minimal privileges. While I still had OpenBSD to test on, both pledge "dns" and "stdio".

I'd be happy to help you update this.

> Sorry for these questions. I am only used to a python-based software
> and Linux. I need to assess the OpenBSD + Dovecot + OpenSMTPD +
> SSHGuard. Your anwer is clear: no go.
>
> What about Postfix instead of OpenSMTPD?

I think it's better to choose the SMTPD you want. I would be confident running OpenSMTPD without SSHGuard, but would still install SSHGuard to reduce the amount of log noise.

We do recognize some SASL login errors from Postfix, but most likely they need to be updated or expanded, as well.

> P.S.: Interesting C/yacc code. If the only problem is OpenSMTPD and
> low interest/priority, I am willing to work it.

I'd be happy to help take a look at adding OpenSMTPD signatures.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Gary <li...@la...> - 2018-05-26 23:01:09
As a former BSD user, there is a general consensus that the open source community support for BSD is going to erode. Human resources are limited. It used to be BSD on the server and Linux on the desktop. Now it is Linux everywhere.

But getting back to SSHGuard, I never understood how to use it for both ssh and email ports. They are different attacks. Just because some server is attacking ssh, do I really want to block that server's email?

Original Message
From: kev...@gm...
Sent: May 26, 2018 9:58 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[quoted copy of Kevin Zheng's message of 2018-05-26 16:58 omitted; see above]
From: Júlio M. <ju...@ma...> - 2018-05-27 00:32:49
On 26 May 2018 at 19:41, Gary <li...@la...> wrote:
> But getting back to SSHGuard, I never understood how to use it for both ssh and email ports.

It's all about logs. No ports are monitored by SSHGuard, I presume.

> They are different attacks.

Yes. Different objectives, apps and logs. But SSHGuard is not only ssh. It's actually a "MultiAppGuard", as written on the website.

> Just because some server is attacking ssh, do I really want to block that server's email?

I didn't understand your doubt. But to clarify my case, I want to monitor three apps: an IMAP, an SMTP and an SSH server. The SSHGuard (and Fail2Ban) method is to read and analyze the respective log files. What do these apps have in common? They run on the same server and have access protection (login/passwd). SSHGuard can see in the logs all failed attempts to access the apps, so it can configure a firewall to block the offender's access to the apps: block a port (or all ports) to some external IP.

A good comparison is failed login attempts at an ATM or on a smartcard holding a digital certificate. Three (n) errors in a row will block access for a day (bank) or forever (smartcard).

Did I help you?

Júlio

Sent via Migadu.com, world's easiest email hosting
From: Gary <li...@la...> - 2018-05-27 02:34:33
"It's all about logs. No port are monitored by SSHGuard, I presume."

But a firewall controls a port. Just because some IP is poking at my port 22, I don't want to block that same IP from port 25.

If you really want to nitpick, your email should always be reachable. You agree to that when you get a domain. Now of course in practice there are many hurdles blocking email.

I enable anvil on postfix. Good enough for me. I have most of the world blocked on all email ports other than 25.

Note I completely block the xyz TLD, along with a number of other TLDs known to be used by spammers. Well, not block, but reply a 550. I am not unique in this respect.

Original Message
From: julio@maranhao.xyz
Sent: May 26, 2018 5:32 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[quoted copy of Júlio Maranhão's message of 2018-05-27 00:32 omitted; see above]
From: Júlio M. <ju...@ma...> - 2018-05-27 14:00:53
On 26 May 2018 at 23:34, Gary <li...@la...> wrote:
> I enable anvil on postfix. Good enough for me. I have most of the world blocked on all email ports other than 25.
>
> Note I completely block the xyz TLD, along with a number of other TLD know to be used by spammers. Well not block but reply a 550. I am not unique in this respect.

Enough for me, Gary. This talk is becoming nonsense. But at least I can assess your comment about BSD versus Linux.

To the others on the list, I am sorry for the off-topic mails.

Cheers
Júlio

Sent via Migadu.com, world's easiest email hosting
From: Kevin Z. <kev...@gm...> - 2018-06-05 05:54:15
A pull request recently added two messages from OpenSMTPD:

https://bitbucket.org/sshguard/sshguard/pull-requests/34/add-monitoring-support-for-new-service/diff

If you're interested in adding support for more messages from OpenSMTPD, you can take a look at the changes.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Júlio M. <ju...@ma...> - 2018-06-06 08:03:02
On Tue, 5 Jun 2018 at 02:54, Kevin Zheng <kev...@gm...> wrote:
> A pull request recently added two messages from OpenSMTPD:
>
> https://bitbucket.org/sshguard/sshguard/pull-requests/34/add-monitoring-support-for-new-service/diff
>
> If you're interested in adding support for more messages from OpenSMTPD,
> you can take a look at the changes.

Thanks. I looked at it. I tried to analyse the OpenSMTPD code and got some hits, but I needed to test on a live system. Here are some live results:

smtp event=connected address=192.168.1.222 host=client.lan
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=ok
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio1 address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio1 address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=failed-command address=192.168.1.222 host=client.lan command="MAIL FROM:<ju...@ma...n> BODY=8BITMIME SIZE=404" result="530 5.5.1 Invalid command: Must issue an AUTH command first"
smtp event=authentication user=alien address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222 host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=ok

I could not trigger the command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported" message.

Using the notation from https://www.sshguard.net/docs/reference/attack-signatures/, every AUTH failure is preceded by:

XYZ smtp event=authentication user=XYZ address=6.6.6.0 host=XYZ result=permfail

Maybe only that signature is needed.

I am not comfortable with lex/yacc or even git to make a pull request. It could take time (weeks). So I need help to translate the above signature to lex/yacc.

Júlio

Sent via Migadu.com, world's easiest email hosting
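Added example, not SSHGuard's code and not a patch from this thread: the C filter below does in plain code what the proposed "event=authentication ... result=permfail" signature above would do inside sshg-parser, and it also illustrates Kevin's earlier point that the parser is a separate stage whose one-line-per-attack output the blocker consumes. It matches the line with a POSIX regex, extracts the client address, emits an attack record in the spirit of sshg-parser's "address service dangerousness" output, and counts failures per address so a threshold can be applied. The record layout, the service code 260 and the dangerousness 10 are assumptions made for this example, not SSHGuard's real values; the sample log lines are adapted from the live output quoted above, with one IPv6 line added.

```c
/* Added example, not SSHGuard's own code: a minimal stand-in for the
 * sshg-parser stage for the OpenSMTPD "authentication ... result=permfail"
 * line discussed in the thread. It recognises that line with a POSIX
 * regex, extracts the client address, and emits one attack record per
 * match in the spirit of sshg-parser's "address service dangerousness"
 * output. The service code and dangerousness below are assumed
 * placeholders, not SSHGuard's real values. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define OPENSMTPD_SERVICE 260   /* assumed placeholder service code */
#define DANGEROUSNESS 10        /* assumed placeholder weight */
#define MAX_ADDR 64

/* Sample log lines adapted from the thread's live OpenSMTPD output
 * (constructed test data; the IPv6 line is added to show the regex
 * handles both address families). */
static const char *const SAMPLE_LOG[] = {
    "smtp event=connected address=192.168.1.222 host=client.lan",
    "smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail",
    "smtp event=failed-command address=192.168.1.222 host=client.lan command=\"AUTH PLAIN (...)\" result=\"535 Authentication failed\"",
    "smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=permfail",
    "smtp event=authentication user=julio address=192.168.1.222 host=client.lan result=ok",
    "smtp event=authentication user=alien address=192.168.1.222 host=client.lan result=permfail",
    "smtp event=authentication user=alien address=2001:db8::5 host=other.lan result=permfail",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Match one OpenSMTPD authentication failure. On success copy the
 * client address into addr and return 1; otherwise return 0. Lines
 * with result=ok, or other event types, are deliberately ignored.
 * The pattern is not anchored, so a syslog prefix before "smtp" is fine. */
int opensmtpd_auth_fail(const char *line, char *addr, size_t addrlen)
{
    static regex_t re;
    static int compiled = 0;
    static const char pat[] =
        "smtp event=authentication user=[^ ]+ "
        "address=([0-9A-Fa-f.:]+) host=[^ ]+ result=permfail";
    regmatch_t m[2];
    size_t len;

    if (!compiled) {
        if (regcomp(&re, pat, REG_EXTENDED) != 0)
            return 0;
        compiled = 1;
    }
    if (regexec(&re, line, 2, m, 0) != 0)
        return 0;
    len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len == 0 || len >= addrlen)
        return 0;                       /* refuse to truncate an address */
    memcpy(addr, line + m[1].rm_so, len);
    addr[len] = '\0';
    return 1;
}

/* Render a matching line as an attack record ("address service
 * dangerousness"), or return NULL when the line is not an attack.
 * Uses a static buffer so callers need no allocation. */
const char *format_attack(const char *line)
{
    static char out[MAX_ADDR + 32];
    char addr[MAX_ADDR];

    if (!opensmtpd_auth_fail(line, addr, sizeof addr))
        return NULL;
    snprintf(out, sizeof out, "%s %d %d", addr, OPENSMTPD_SERVICE, DANGEROUSNESS);
    return out;
}

/* Count the authentication failures attributed to one address, which
 * is the figure a blocker compares against its threshold (the
 * "n errors in a row" rule from the thread). */
int count_auth_failures(const char *const *lines, size_t nlines, const char *addr)
{
    char got[MAX_ADDR];
    int n = 0;
    size_t i;

    for (i = 0; i < nlines; i++)
        if (opensmtpd_auth_fail(lines[i], got, sizeof got) && strcmp(got, addr) == 0)
            n++;
    return n;
}

/* Stand-alone use: behave like a tiny parser stage, reading log lines
 * on stdin and printing one attack record per recognised failure. */
int main(void)
{
    char line[1024];

    while (fgets(line, sizeof line, stdin) != NULL) {
        const char *attack = format_attack(line);
        if (attack != NULL)
            puts(attack);
    }
    return 0;
}
```

Run it as a pipe, e.g. feeding it the smtpd lines from the mail log, and it prints one record per failed authentication. Note that only the "event=authentication ... result=permfail" line is matched; the "failed-command" line that follows each failure is ignored on purpose, otherwise every failed login would be counted twice and an address would reach the blocking threshold after half the intended number of attempts. Whether the resulting block covers only port 25 or every port is a firewall-backend decision, not something the parser stage knows about, which is the distinction Gary and Júlio were circling in the thread.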