From: Robert S <rob...@gm...> - 2007-06-26 11:50:22
I have installed sshguard using the following with debian/etch (the same occurs with ubuntu):

./configure --with-firewall=iptables --with-iptables=/sbin
make
make install

I have used the recommended method for installation with syslog and syslog-ng. In both cases sshguard won't start when I start syslog/syslog-ng - i.e., it does not appear in the system log or when I do 'ps ax'.

If I use the "tail" method I get the following, and sshguard is not activated when a failed login occurs:

# tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard
/usr/local/sbin/sshguard: line 1: syntax error near unexpected token `('
/usr/local/sbin/sshguard: line 1: `Jun 25 07:37:56 etch sshd[10186]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au user=robert'

This is strange, because when a failed login occurs, the following appears in my logs (I have tried disabling PAM):

Jun 27 07:41:27 myhost sshd[19437]: Failed password for robert from 192.168.2.40 port 39753 ssh2
Jun 27 07:41:28 myhost sshd[19437]: Failed password for robert from 192.168.2.40 port 39753 ssh2
Jun 27 07:41:30 myhost sshd[19437]: Failed password for robert from 192.168.2.40 port 39753 ssh2

I have installed it on a gentoo machine and it works flawlessly.

Does anybody know how to get this to work?
From: Mij <mi...@bi...> - 2007-06-26 12:48:25
On 26/Jun/07, at 13:50, Robert S wrote:

> I have installed sshguard using the following with debian/etch (the
> same occurs with ubuntu):
>
> ./configure --with-firewall=iptables --with-iptables=/sbin
> make
> make install
>
> I have used the recommended method for installation with syslog and
> syslog-ng. In both cases sshguard won't start when I start
> syslog/syslog-ng - ie, it does not appear in the system log or when I
> do 'ps ax'.

for the archives, mind a couple of things on this problem:

1) some older syslogd implementations do not support forwarding to external processes, and overwrite the binary with a FIFO; both debian 3.1 and ubuntu feisty are among them afaik. See http://sshguard.sourceforge.net/doc/setup/loggingsyslog.html

2) for syslogd, external procs are not started when syslogd is restarted, but at the first occurrence of a log for them. So, restart syslogd and try a ssh login before checking ps.

> If I use the "tail" method I get the following, and
> sshguard is not activated when a failed login occurs:
>
> # tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard
> /usr/local/sbin/sshguard: line 1: syntax error near unexpected
> token `('
> /usr/local/sbin/sshguard: line 1: `Jun 25 07:37:56 etch sshd[10186]:
> (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh
> ruser= rhost=myhost.mydomain.com.au user=robert'
>
> This is strange, because when a failed login occurs, the following
> appears in my logs (I have tried disabling PAM):
>
> Jun 27 07:41:27 myhost sshd[19437]: Failed password for robert from
> 192.168.2.40 port 39753 ssh2
> Jun 27 07:41:28 myhost sshd[19437]: Failed password for robert from
> 192.168.2.40 port 39753 ssh2
> Jun 27 07:41:30 myhost sshd[19437]: Failed password for robert from
> 192.168.2.40 port 39753 ssh2

I am interested in your report. Could you please:

1) disable syslog config for sshguard
2) reinstall sshguard
[[ these ones are for making sure no former problem 1) applies ]]
3) run sshguard from the command line as /usr/local/sbin/sshguard (add the "-d" argument if you're using 1.0-beta1)

thanks

> I have installed it on a gentoo machine and it works flawlessly.
>
> Does anybody know how to get this to work?
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Robert S <rob...@gm...> - 2007-06-26 22:07:05
> 2) for syslogd, external procs are not started when syslogd is
> restarted, but at the first occurrence of a log for them. So, restart
> syslogd and try a ssh login before checking ps.

I tried using syslog-ng - no luck.

> I am interested in your report. Could you please:
> 1) disable syslog config for sshguard
> 2) reinstall sshguard
> 3) run sshguard from the command line as
> /usr/local/sbin/sshguard

I have tried these things. I get no output when I do this:

# /usr/local/sbin/sshguard

When I do Ctrl-C I get:

ip6tables: No chain/target/match by that name

(I assume this is normal because I don't have any ip6tables chain - I get this on my gentoo machine that works OK)

My /var/log/messages gives me these messages, but there is no sign that sshguard is being activated when a failed login occurs:

Jun 27 17:48:06 etch sshguard[11412]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 27 17:48:55 etch sshguard[11412]: Got exit signal, flushing blocked addresses and exiting...

These are the messages I get in my logs when a failed login occurs (I tried disabling PAM):

Jun 27 17:49:25 etch sshd[11521]: Failed password for robert from 192.168.2.40 port 33202 ssh2
Jun 27 17:49:28 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2
Jun 27 17:49:29 etch sshd[11523]: Failed password for robert from 192.168.2.40 port 33203 ssh2

With PAM enabled I get these messages:

Jun 27 17:58:28 etch sshd[11575]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au user=robert
Jun 27 17:58:31 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2
Jun 27 17:58:33 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2
Jun 27 17:58:36 etch sshd[11575]: Failed password for robert from 192.168.2.40 port 57699 ssh2

I hope this is of some help.

Robert.
From: Mij <mi...@bi...> - 2007-06-27 10:24:15
On 27/Jun/07, at 00:07, Robert S wrote:

>> 2) for syslogd, external procs are not started when syslogd is
>> restarted, but at the first occurrence of a log for them. So, restart
>> syslogd and try a ssh login before checking ps.
>
> I tried using syslog-ng - no luck.
>
>> I am interested in your report. Could you please:
>> 1) disable syslog config for sshguard
>> 2) reinstall sshguard
>> 3) run sshguard from the command line as
>> /usr/local/sbin/sshguard
>
> I have tried these things. I get no output when I do this:
>
> # /usr/local/sbin/sshguard

this is the correct behaviour; it is expecting input to scan. With 1.1beta you have "-d" to dump logging to standard output; otherwise they go to syslog

> When I do Ctrl-C I get:
>
> ip6tables: No chain/target/match by that name
>
> (I assume this is normal because I don't have any ip6tables chain - I
> get this on my gentoo machine that works OK)

correct; on shutdown blocking rules are flushed for consistency; iptables and ip6tables are called for IPv4 and IPv6

> My /var/log/messages gives me these messages, but there is no sign
> that sshguard is being activated when a failed login occurs:
>
> Jun 27 17:48:06 etch sshguard[11412]: Started successfully
> [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 27 17:48:55 etch sshguard[11412]: Got exit signal, flushing
> blocked addresses and exiting...
>
> These are the messages I get in my logs when a failed login occurs (I
> tried disabling PAM):
>
> Jun 27 17:49:25 etch sshd[11521]: Failed password for robert from
> 192.168.2.40 port 33202 ssh2
> Jun 27 17:49:28 etch sshd[11523]: Failed password for robert from
> 192.168.2.40 port 33203 ssh2
> Jun 27 17:49:29 etch sshd[11523]: Failed password for robert from
> 192.168.2.40 port 33203 ssh2
>
> With PAM enabled I get these messages:
>
> Jun 27 17:58:28 etch sshd[11575]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au
> user=robert
> Jun 27 17:58:31 etch sshd[11575]: Failed password for robert from
> 192.168.2.40 port 57699 ssh2
> Jun 27 17:58:33 etch sshd[11575]: Failed password for robert from
> 192.168.2.40 port 57699 ssh2
> Jun 27 17:58:36 etch sshd[11575]: Failed password for robert from
> 192.168.2.40 port 57699 ssh2
>
> I hope this is of some help.
>
> Robert.

it will not react if you start from the command line without feeding log messages. You would try running "/usr/local/sbin/sshguard" from the command line and pasting this line in its input (from keyboard)

Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4

paste it 4 times then check "iptables -L" to see if a drop rule for 1.2.3.4 exists. Check on another terminal without interrupting sshguard, otherwise it will flush all rules.

Then try feeding from tail. If attacks are not blocked then the only possibility is that sshd is logging unrecognized messages. I definitely do not expect this.

Anyway, with "sshguard -d" (1.1beta) or compiling sshguard with -DDEBUG (use "CFLAGS=-DDEBUG make -e" from the shell) (1.0) you have a report on stdout, eg

# tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 27 12:22:19 portabilis sshd[5355]: Invalid user asd from 127.0.0.1
Matched IP address 127.0.0.1
Jun 27 12:22:19 portabilis sshd[5355]: Failed none for invalid user asd from 127.0.0.1 port 49512 ssh2

(this is on Mac OS X). If both these work, then the problem is in the way sshguard is called or messages are passed to it from syslog-ng.

bye
From: Robert S <rob...@gm...> - 2007-06-27 11:44:24
> You would try running "/usr/local/sbin/sshguard" from the command
> line and
> pasting this line in its input (from keyboard)
>
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
>

This seems to work (compiled with debugging):

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Blocking 1.2.3.4: 4 failures over 3 seconds.

Setting environment: SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Got exit signal, flushing blocked addresses and exiting...
ip6tables: No chain/target/match by that name
Run command "/sbin/iptables -F sshguard ; /sbin/ip6tables -F sshguard": exited 256.

> paste it 4 times then check "iptables -L" to see if a drop rule for

This confirms that the address 1.2.3.4 is DROPed

> # tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard

No luck when I use a username that exists on the system:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from 192.168.2.40 port 40727 ssh2
Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:48 etch sshd[5800]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au user=robert
Jun 28 07:13:49 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
Jun 28 07:13:52 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
Jun 28 07:13:56 etch sshd[5800]: Failed password for robert from 192.168.2.40 port 40730 ssh2
<etc>

On the other hand - if I use a non-existent user the following happens:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 192.168.2.40
Jun 28 07:24:45 etch sshd[5922]: Failed none for invalid user foobar from 192.168.2.40 port 58171 ssh2
Matched IP address 192.168.2.40
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:24:50 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:24:55 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:56 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:01 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:25:03 etch sshd[5922]: Failed password for invalid user foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:04 etch sshd[5924]: Failed none for invalid user foobar from 192.168.2.40 port 58172 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:09 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:13 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:15 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:16 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:18 etch sshd[5924]: Failed password for invalid user foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:20 etch sshd[5926]: Failed none for invalid user foobar from 192.168.2.40 port 58173 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) check pass; user unknown
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:23 etch sshd[5926]: Failed password for invalid user foobar from 192.168.2.40 port 58173 ssh2
Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:25 etch sshd[5928]: Failed none for invalid user foobar from 192.168.2.40 port 58174 ssh2
Matched IP address 192.168.2.40
Blocking 192.168.2.40: 4 failures over 40 seconds.

Setting environment: SSHG_ADDR=192.168.2.40;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

Strangely, I am still able to log into "etch". iptables -L gives me:

Chain sshguard (0 references)
target     prot opt source                 destination
DROP       0    --  myhost.mydomain.com.au anywhere

Further - if I run sshguard with no input, and feed it "Failed password for robert from 192.168.2.40 port 40727 ssh2", it does nothing:

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2

It appears to me that sshguard doesn't recognise most of my log messages??
From: Mij <mi...@bi...> - 2007-06-28 15:46:04
Attachments:
attack_scanner.l
attack_parser.y
On 27/Jun/07, at 13:44, Robert S wrote:

>> You would try running "/usr/local/sbin/sshguard" from the command
>> line and
>> pasting this line in its input (from keyboard)
>>
>> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
>>
>
> This seems to work (compiled with debugging):
>
> # /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
> Matched IP address 1.2.3.4
> Blocking 1.2.3.4: 4 failures over 3 seconds.
>
> Setting environment:
> SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
> Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard
> -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s
> $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> Got exit signal, flushing blocked addresses and exiting...
> ip6tables: No chain/target/match by that name
> Run command "/sbin/iptables -F sshguard ; /sbin/ip6tables -F
> sshguard": exited 256.
>
>> paste it 4 times then check "iptables -L" to see if a drop rule for
>
> This confirms that the address 1.2.3.4 is DROPed
>
>> # tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/
>> sshguard
>
> No luck when I use a username that exists on the system:
>
> # tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/
> sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from
> 192.168.2.40 port 40727 ssh2
> Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> user=robert
> Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from
> 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from
> 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from
> 192.168.2.40 port 40729 ssh2
> Jun 28 07:13:48 etch sshd[5800]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> user=robert
> Jun 28 07:13:49 etch sshd[5800]: Failed password for robert from
> 192.168.2.40 port 40730 ssh2
> Jun 28 07:13:52 etch sshd[5800]: Failed password for robert from
> 192.168.2.40 port 40730 ssh2
> Jun 28 07:13:56 etch sshd[5800]: Failed password for robert from
> 192.168.2.40 port 40730 ssh2
> <etc>
>
> On the other hand - if I use a non-existent user the following
> happens:
>
> # tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/
> sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 192.168.2.40
> Jun 28 07:24:45 etch sshd[5922]: Failed none for invalid user foobar
> from 192.168.2.40 port 58171 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:24:48 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:24:48 etch sshd[5922]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:24:50 etch sshd[5922]: Failed password for invalid user
> foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:24:55 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:24:56 etch sshd[5922]: Failed password for invalid user
> foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:25:01 etch sshd[5922]: (pam_unix) check pass; user unknown
> Jun 28 07:25:03 etch sshd[5922]: Failed password for invalid user
> foobar from 192.168.2.40 port 58171 ssh2
> Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:04 etch sshd[5924]: Failed none for invalid user foobar
> from 192.168.2.40 port 58172 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:25:06 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:06 etch sshd[5924]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:25:09 etch sshd[5924]: Failed password for invalid user
> foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:13 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:15 etch sshd[5924]: Failed password for invalid user
> foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:16 etch sshd[5924]: (pam_unix) check pass; user unknown
> Jun 28 07:25:18 etch sshd[5924]: Failed password for invalid user
> foobar from 192.168.2.40 port 58172 ssh2
> Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:20 etch sshd[5926]: Failed none for invalid user foobar
> from 192.168.2.40 port 58173 ssh2
> Matched IP address 192.168.2.40
> Jun 28 07:25:21 etch sshd[5926]: (pam_unix) check pass; user unknown
> Jun 28 07:25:21 etch sshd[5926]: (pam_unix) authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
> Jun 28 07:25:23 etch sshd[5926]: Failed password for invalid user
> foobar from 192.168.2.40 port 58173 ssh2
> Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 192.168.2.40
> Jun 28 07:25:25 etch sshd[5928]: Failed none for invalid user foobar
> from 192.168.2.40 port 58174 ssh2
> Matched IP address 192.168.2.40
> Blocking 192.168.2.40: 4 failures over 40 seconds.
>
> Setting environment:
> SSHG_ADDR=192.168.2.40;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
> Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard
> -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s
> $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
>
> Strangely, I am still able to log into "etch". iptables -L gives me:
>
> Chain sshguard (0 references)
> target prot opt source destination
> DROP 0 -- myhost.mydomain.com.au anywhere

sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible?

> Further - if I run sshguard with no input, and feed it "Failed
> password for robert from 192.168.2.40 port 40727 ssh2", it does
> nothing:
>
> # /usr/local/sbin/sshguard
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
> Failed password for robert from 192.168.2.40 port 40727 ssh2
>
> It appears to me that sshguard doesn't recognise most of my log
> messages??

There are 2 basic kinds of attack: invalid user or invalid password. The former is recognized on your system, the latter is not. There is a parser attached that recognizes these logs. It has been integrated in 1.1beta3.

You can simply copy these files in a clean sshguard-1.0 package (directory "src") and then run:

cd src
bison -vd attack_parser.y
flex attack_scanner.l

then recompile and reinstall.

bye
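The point Mij makes above (the 1.0 build on Robert's box only recognised "Invalid user" lines, so failed passwords for an existing user never reached the abuse threshold, while the patched parser counts both) can be reproduced with a small model of the recognition and the (a,p,s) thresholds from the startup line. This is an added example, not code from the thread or from sshguard; the regular expressions approximate the behaviour the thread shows rather than sshguard's real flex/bison grammar, the meaning assigned to a/p/s (abuse count, pardon seconds, stale seconds) is an assumption, and the log lines are constructed from the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the sshd lines quoted in this thread:
# one existing user (robert) and one non-existent user (foobar).
SAMPLE_LOG = """\
Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from 192.168.2.40 port 40727 ssh2
Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost.mydomain.com.au user=robert
Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from 192.168.2.40 port 40729 ssh2
Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 1.2.3.4
Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 1.2.3.4
Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 1.2.3.4
Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 1.2.3.4
Jun 28 07:32:30 etch sshd[5999]: Invalid user foobar from 1.2.3.4
"""

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# INVALID_USER approximates what Robert's 1.0 build matched; FAILED_PASSWORD approximates
# what the attached parser adds. Both model the thread's observations, not sshguard's grammar.
INVALID_USER = re.compile(r"^Invalid user \S+ from " + IPV4 + r"$")
FAILED_PASSWORD = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from " + IPV4 + r" port \d+ ssh2$")
OLD_PATTERNS = (INVALID_USER,)
NEW_PATTERNS = (INVALID_USER, FAILED_PASSWORD)


def syslog_seconds(ts):
    """Seconds relative to a fixed origin; syslog timestamps carry no year."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


class Guard:
    """Model of (a,p,s): block after `abuse` matches within `stale` s, release after `pardon` s."""

    def __init__(self, patterns, abuse=4, pardon=420, stale=1200):
        self.patterns, self.abuse, self.pardon, self.stale = patterns, abuse, pardon, stale
        self.attempts = {}  # ip -> timestamps of recent matches
        self.blocked = {}   # ip -> time the block rule was inserted
        self.events = []    # ("block" | "release", ip, time)

    def _expire(self, now):
        for ip, hits in list(self.attempts.items()):
            hits[:] = [h for h in hits if now - h <= self.stale]
            if not hits:
                del self.attempts[ip]
        for ip, since in list(self.blocked.items()):
            if now - since > self.pardon:
                del self.blocked[ip]
                self.events.append(("release", ip, now))

    def feed(self, line):
        """Return None (no attack recognised), ("match", ip) or ("block", ip)."""
        m = SYSLOG.match(line)
        if not m:
            return None
        now = syslog_seconds(m.group("ts"))
        self._expire(now)
        hit = next((h for h in (p.match(m.group("msg")) for p in self.patterns) if h), None)
        if hit is None:
            return None
        ip = hit.group("ip")
        if ip in self.blocked:
            return ("match", ip)
        hits = self.attempts.setdefault(ip, [])
        hits.append(now)
        if len(hits) < self.abuse:
            return ("match", ip)
        del self.attempts[ip]
        self.blocked[ip] = now
        self.events.append(("block", ip, now))
        return ("block", ip)


def run(patterns, log=SAMPLE_LOG):
    """Feed every line; return (per-line results, addresses blocked in order)."""
    g = Guard(patterns)
    results = [g.feed(l) for l in log.splitlines() if l.strip()]
    return results, [ip for kind, ip, _ in g.events if kind == "block"]
```

With OLD_PATTERNS only 1.2.3.4 is ever blocked and the four "Failed password for robert" lines are ignored; with NEW_PATTERNS 192.168.2.40 is blocked on the fourth one, and the last sample line shows the address being counted again once the 420 s pardon has elapsed.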
From: Robert S <rob...@gm...> - 2007-07-03 21:20:01
> There are 2 basic kinds of attack: invalid user or invalid password.
> The former is recognized on your system, the latter is not. There is
> a parser attached that recognizes these logs. It has been integrated
> in 1.1beta3.
>
> You can simply copy these files in a clean sshguard-1.0 package
> (directory "src") and then run:
>
> cd src
> bison -vd attack_parser.y
> flex attack_scanner.l
>
> then recompile and reinstall.
>

Hi. Many thanks. That seems to work. I've done a debian startup script that seems to do the job. I hope it helps somebody:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          sshguard
# Required-Start:    $syslog
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Sshguard initscript
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ssh guard service"
NAME=sshguard
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
WHITELIST=/etc/sshguard.whitelist
LOG=/var/log/auth.log

. /lib/init/vars.sh
. /lib/lsb/init-functions

# POSIX function syntax: the script runs under /bin/sh, where the
# bash-only "function" keyword is not guaranteed to be accepted.
startGuard() {
    [ -e $WHITELIST ] && ARGS="-w $WHITELIST"
    # Record the pid of the tail process so that do_stop can end the
    # pipeline; sshguard exits when its input closes.
    sh -c "echo \$\$ > $PIDFILE && exec tail -n0 -f $LOG" | /usr/local/sbin/sshguard $ARGS
    return $?
}

do_start() {
    [ -e $PIDFILE ] && return 1
    # Create the sshguard chain and send SSH traffic through it from INPUT;
    # without the INPUT jump the DROP rules are never consulted.
    iptables -N sshguard
    iptables -I INPUT 1 -p tcp --dport 22 -j sshguard
    ip6tables -N sshguard
    ip6tables -A INPUT -p tcp --dport 22 -j sshguard
    startGuard &
    [ 0 -ne $? ] && return 2 || return 0
}

do_stop() {
    kill `cat $PIDFILE`
    RETVAL=$?
    sleep 1
    iptables -D INPUT -p tcp --dport 22 -j sshguard
    iptables -F sshguard
    iptables -X sshguard
    ip6tables -D INPUT -p tcp --dport 22 -j sshguard
    ip6tables -F sshguard
    ip6tables -X sshguard
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac
From: Mij <mi...@bi...> - 2007-07-04 16:32:09
I forwarded the script to the -maintainers mailing list.

thanks

On 03/Jul/07, at 23:19, Robert S wrote:

>> There are 2 basic kinds of attack: invalid user or invalid password.
>> The former is recognized on your system, the latter is not. There is
>> a parser attached that recognizes these logs. It has been integrated
>> in 1.1beta3.
>>
>> You can simply copy these files in a clean sshguard-1.0 package
>> (directory "src") and then run:
>>
>> cd src
>> bison -vd attack_parser.y
>> flex attack_scanner.l
>>
>> then recompile and reinstall.
>>
>
> Hi. Many thanks. That seems to work. I've done a debian startup
> script that seems to do the job. I hope it helps somebody: