From: Peter V. <sku...@gm...> - 2014-11-14 19:52:05

Hi all,

anybody seeing/saw similar messages? Once this occurs the SSH isn't accessible, at least our Zabbix monitoring is reporting that.

Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1

System information:
- Debian Squeeze LTS
- iptables 1.4.8-3
- sshguard 1.4-2
- linux-image 2.6.32-48squeeze8

Was this bug fixed already? Are the IPs checked for validity before they are blocked? Could be that it was related to some bug in the kernel.
Sorry for a little late reporting. Hope that somebody would be able to explain what could happen and make us sure all is fixed in new versions.

--
Peter Viskup
From: Peter V. <sku...@gm...> - 2014-11-14 19:33:39

Hi all,

[keep me in copy, I'm not subscribed]

anybody seeing similar messages? Once this occurs the SSH isn't accessible, at least our Zabbix monitoring is reporting that.

Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1

System information:
- Debian Squeeze LTS
- iptables 1.4.8-3
- sshguard 1.4-2
- linux-image 2.6.32-48squeeze8

Was this bug fixed already? Are the IPs checked for validity before they are blocked? Could be that it was related to some bug in the kernel.
Sorry for a little late reporting. Hope that somebody would be able to explain what could happen and make us sure all is fixed in new versions.

--
Peter Viskup
From: Kevin Z. <kev...@gm...> - 2014-11-14 20:02:27

Hi Peter,

On 11/14/2014 13:51, Peter Viskup wrote:
> anybody seeing/saw similar messages? Once this occur the SSH isn't
> accessible at least our Zabbix monitoring reporting that.
>
> Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
> Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;;
> 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
> Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1

This sounds like SSHGuard picking up some invalid IP addresses and passing them on. Are you using Log Sucker or syslog?

Additionally, something could have been happening with the blacklist database. What whitelist/blacklist settings are you using?

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
From: Peter V. <sku...@gm...> - 2014-11-14 20:09:15

Hi Kevin,

thanks for the quick reply. Running syslog-ng version 3.1.3-3.

filter sshlogs { facility(auth, authpriv) and not match("sshguard" value("MESSAGE")); };
destination sshguardproc {
program("/usr/sbin/sshguard -w <some_IP>/24"
log { source(s_src); filter(sshlogs); destination(sshguardproc); };

No other [white,black]listing.

On Fri, Nov 14, 2014 at 9:02 PM, Kevin Zheng <kev...@gm...> wrote:
> Hi Peter,
>
> On 11/14/2014 13:51, Peter Viskup wrote:
> > anybody seeing/saw similar messages? Once this occur the SSH isn't
> > accessible at least our Zabbix monitoring reporting that.
> >
> > Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
> > Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> > Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;;
> > 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
> > Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1
>
> This sounds like SSHGuard picking up some invalid IP addresses and
> passing them on. Are you using Log Sucker or syslog?
>
> Additionally, something could have been happening with the blacklist
> database. What whitelist/blacklist settings are you using?
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Peter V. <sku...@gm...> - 2014-11-27 22:54:32

Hi all,

today's messages:

Nov 27 23:31:25 server sshguard[25526]: Releasing after 450 seconds.
Nov 27 23:31:25 server sshguard[25526]: Setting environment: SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Nov 27 23:31:25 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
Nov 27 23:31:25 server sshguard[25526]: Release command failed. Exited: -1

Other strange messages:

Nov 27 23:34:16 server sshguard[25526]: Releasing after 621 seconds.
Nov 27 23:34:16 server sshguard[25526]: Setting environment: SSHG_ADDR=0;SSHG_ADDRKIND=0;SSHG_SERVICE=0.
Nov 27 23:34:16 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
Nov 27 23:34:16 server sshguard[25526]: Release command failed. Exited: -1

Both examples are for rules removal. There are no messages for corresponding iptables inserts.

I do see some strange users as inputs.
"Failed password for invalid user rock123\r"

Could be that message strings are not handled appropriately and specially crafted user accounts lead to unexpected results. Could anybody have a look at that?

sshguard 1.4-2
syslog-ng 3.1.3-3

--
Peter Viskup

On Fri, Nov 14, 2014 at 9:09 PM, Peter Viskup <sku...@gm...> wrote:
> Hi Kevin,
> thanks for quick reply. Running syslog-ng version 3.1.3-3.
>
> filter sshlogs { facility(auth, authpriv) and not match("sshguard" value("MESSAGE")); };
> destination sshguardproc {
> program("/usr/sbin/sshguard -w <some_IP>/24"
> log { source(s_src); filter(sshlogs); destination(sshguardproc); };
>
> No other [white,black]listing.
>
> On Fri, Nov 14, 2014 at 9:02 PM, Kevin Zheng <kev...@gm...> wrote:
>> Hi Peter,
>>
>> On 11/14/2014 13:51, Peter Viskup wrote:
>> > anybody seeing/saw similar messages? Once this occur the SSH isn't
>> > accessible at least our Zabbix monitoring reporting that.
>> >
>> > Jun 4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after 1372366479 seconds.
>> > Jun 4 21:31:43 server sshguard[8003]: Setting environment: SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>> > Jun 4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;;
>> > 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 1.
>> > Jun 4 21:31:43 server sshguard[8003]: Release command failed. Exited: -1
>>
>> This sounds like SSHGuard picking up some invalid IP addresses and
>> passing them on. Are you using Log Sucker or syslog?
>>
>> Additionally, something could have been happening with the blacklist
>> database. What whitelist/blacklist settings are you using?
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
From: Kevin Z. <kev...@gm...> - 2014-11-27 23:36:14

Hi Peter,

Sorry I haven't gotten back to you on an earlier email.

On 11/27/2014 16:54, Peter Viskup wrote:
> todays messages:
> Nov 27 23:31:25 server sshguard[25526]: Releasing after 450 seconds.
> Nov 27 23:31:25 server sshguard[25526]: Setting environment: SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Nov 27 23:31:25 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
> Nov 27 23:31:25 server sshguard[25526]: Release command failed. Exited: -1

If random characters made it in, this failure isn't surprising since the code uses the system(3) call.

> Other strange messages:
> Nov 27 23:34:16 server sshguard[25526]: Releasing after 621 seconds.
> Nov 27 23:34:16 server sshguard[25526]: Setting environment: SSHG_ADDR=0;SSHG_ADDRKIND=0;SSHG_SERVICE=0.
> Nov 27 23:34:16 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 2.
> Nov 27 23:34:16 server sshguard[25526]: Release command failed. Exited: -1

This seems like the same problem as above.

> Both examples are for rules removal. There are no messages for
> corresponding iptables inserts.

I'm baffled that there are no inserts, but removals. I'm not very familiar with the iptables backend; if this happens frequently try flushing the rules or the blacklist file (if any).

> I do see some strange users as inputs.
> "Failed password for invalid user rock123\r"

I'm not sure if these characters make it in or not; if they do, then this is the culprit. This sounds dangerous, too.

> Could be that message strings are not handled appropriately and
> specially crafted user accounts lead to unexpected results. Could
> anybody have a look on that?

I'll be taking a look!

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
From: Kevin Z. <kev...@gm...> - 2014-11-27 23:47:50

Hi Peter,

Sorry for the follow-up email.

SSHGuard uses regular expressions in its lexer to match attack signatures and IP addresses. This means that if you feed it an invalid IP address it shouldn't even try to block it.

Would it be possible for you to try using the "log sucker" option by specifying a log file on the command line? I'm wondering if this is something funny happening with syslog-ng.

Incorrect string handling sounds troubling; do you have snippets of logs that we can take a look at and test?

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
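The two failure modes discussed in this thread (garbage bytes or a bare "4"/"0" landing in SSHG_ADDR, and that value then being interpolated into a shell command run through system(3)) both come down to the address not being re-validated at the point where it reaches the firewall. The following is an added example, not sshguard's code or part of any message above: it checks a candidate address with inet_pton(3) for the family given by SSHG_ADDRKIND, and hands it to iptables as its own argv element via execv(3) so no shell ever parses it. The function names (sshg_addr_is_valid, sshg_build_release_argv, sshg_release) and the sample inputs are constructed for illustration; the iptables chain and paths are the ones quoted in the thread's "Run command" lines.

```c
/* Added example (not sshguard's own code): re-validate an address before it
 * reaches a firewall command, and run that command without a shell. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if addr is a well-formed textual address of the given family
 * (kind 4 or 6), 0 otherwise. Raw bytes such as the "<E8>~a^GL^?" seen in
 * the logs, a bare "4", or an unknown kind (0) are all rejected here. */
int sshg_addr_is_valid(const char *addr, int kind)
{
    unsigned char buf[16];
    if (addr == NULL || addr[0] == '\0')
        return 0;
    switch (kind) {
    case 4: return inet_pton(AF_INET, addr, buf) == 1;
    case 6: return inet_pton(AF_INET6, addr, buf) == 1;
    default: return 0;
    }
}

/* Fill argv for releasing ("-D") the DROP rule for addr from the sshguard
 * chain. Returns the argument count, or -1 if the address/kind is invalid
 * or argv is too small. argv[argc] is set to NULL for execv(). */
int sshg_build_release_argv(const char *addr, int kind,
                            const char **argv, size_t argv_len)
{
    if (argv_len < 8 || !sshg_addr_is_valid(addr, kind))
        return -1;
    argv[0] = (kind == 4) ? "/sbin/iptables" : "/sbin/ip6tables";
    argv[1] = "-D";
    argv[2] = "sshguard";
    argv[3] = "-s";
    argv[4] = addr;   /* its own argv element: never parsed by a shell */
    argv[5] = "-j";
    argv[6] = "DROP";
    argv[7] = NULL;
    return 7;
}

/* Run the release command via fork/execv. Returns the child's exit status,
 * or -1 if the address was rejected or the child could not be started. */
int sshg_release(const char *addr, int kind)
{
    const char *argv[8];
    int status;
    pid_t pid;

    if (sshg_build_release_argv(addr, kind, argv, 8) < 0) {
        fprintf(stderr, "refusing to release malformed address\n");
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);   /* only reached if execv itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one normal address per family plus the
     * kinds of values reported in the thread (bare "4", a "0" triple,
     * raw non-address bytes). */
    const char *samples[] = { "203.0.113.7", "4", "0", "\xE8~a\x07L\x7F", "2001:db8::1" };
    int kinds[] = { 4, 4, 0, 4, 6 };
    for (int i = 0; i < 5; i++)
        printf("kind=%d valid=%d\n", kinds[i],
               sshg_addr_is_valid(samples[i], kinds[i]));
    return 0;
}
```

The check happens at the release/block boundary rather than only in the log lexer, so a value that leaks through from any source (syslog-ng, a log file, a blacklist database) is still refused before a firewall command is attempted, and a refused release is logged instead of becoming a shell error.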