|
From: Kevin Z. <kev...@gm...> - 2016-07-13 01:05:30
|
Hi there,

Some non-trivial firewall backend changes have landed in the 'master'
branch of SSHGuard. I've been able to test the pf and ipfw backends, but
the iptables backend needs testing!

Briefly, SSHGuard now controls the firewall using a script, 'sshg-fw'
that reads commands from standard input (e.g. 'block 1.2.3.4') and runs
the appropriate firewall commands. This should make adding new backends
as well as custom hooks easier.

If you're able and willing to test, your feedback is appreciated!

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: Georg L. <jor...@ma...> - 2016-07-26 22:59:08
|
On 12/07/16 19:05, Kevin Zheng wrote:
> Hi there,
>
> Some non-trivial firewall backend changes have landed in the 'master'
> branch of SSHGuard. I've been able to test the pf and ipfw backends, but
> the iptables backend needs testing!
>
> Briefly, SSHGuard now controls the firewall using a script, 'sshg-fw'
> that reads commands from standard input (e.g. 'block 1.2.3.4') and runs
> the appropriate firewall commands. This should make adding new backends
> as well as custom hooks easier.
>
> If you're able and willing to test, your feedback is appreciated!
>
> Best,
> Kevin
>

Hello,

I tried to step forward with iptables testing, but am unable to compile
sshguard. After following
http://www.sshguard.net/docs/setup/compile-install/ I get the below errors.

Note: this has not been an issue about two weeks before.

Best Regards,

Georg Lehner

- - -
Making all in src
make[1]: Entering directory '/home/jorge/progs/sshguard/src'
make all-am
make[2]: Entering directory '/home/jorge/progs/sshguard/src'
CC parser/attack_parser.o
parser/attack_parser.y: In function ‘yyparse’:
parser/attack_parser.y:192:25: warning: implicit declaration of function ‘strcpy’ [-Wimplicit-function-declaration]
strcpy(attack->address.value, $1);
^
parser/attack_parser.y:192:25: warning: incompatible implicit declaration of built-in function ‘strcpy’
parser/attack_parser.y:196:25: warning: incompatible implicit declaration of built-in function ‘strcpy’
strcpy(attack->address.value, $1);
^
parser/attack_parser.y: In function ‘yyerror’:
parser/attack_parser.y:299:1: error: number of arguments doesn’t match prototype
static void yyerror() { /* do nothing */ }
^
parser/attack_parser.y:34:13: error: prototype declaration
static void yyerror(attack_t *attack, const char *msg);
^
Makefile:606: recipe for target 'parser/attack_parser.o' failed
make[2]: *** [parser/attack_parser.o] Error 1
make[2]: Leaving directory '/home/jorge/progs/sshguard/src'
Makefile:342: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/home/jorge/progs/sshguard/src'
Makefile:335: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
|
From: Kevin Z. <kev...@gm...> - 2016-07-26 23:22:47
|
On 07/26/2016 15:57, Georg Lehner wrote:
> I tried to step forward with iptables testing, but am unable to compile
> sshguard. After following
> http://www.sshguard.net/docs/setup/compile-install/ I get the below errors.
>
> Note: this has not been an issue about two weeks before.

Thanks for the report. I've pushed some changes to 'master' that should
fix this issue. I have another report [1] that sshg-fw fails at run-time
with the iptables backend. Let me know if you hit this issue, and if you
know how to fix it.

Thanks,
Kevin

[1] https://bitbucket.org/sshguard/sshguard/issues/39/

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: <li...@la...> - 2016-07-26 23:27:30
|
You should probably state your OS and rev. I only got the strcpy warning. That was on freebsd 10.2 with the ipfw option.
|
From: Georg L. <jor...@ma...> - 2016-07-27 00:05:01
|
On 26/07/16 17:27, li...@la... wrote:
> You should probably state your OS and rev. I only got the strcpy warning. That was on freebsd 10.2 with the ipfw option.
>

Sorry, here comes uname -a

Debian 8.5:
Linux pwx 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) i686 GNU/Linux

Debian 7.11
Linux thummim 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u3 i686 GNU/Linux

Using Bison and GCC

Will check fixes later.

Best Regards,

Georg Lehner
|
From: Kevin Z. <kev...@gm...> - 2016-07-26 23:31:15
|
On 07/26/2016 16:27, li...@la... wrote:
> You should probably state your OS and rev. I only got the strcpy
> warning. That was on freebsd 10.2 with the ipfw option.

It's a combination of Bison and GCC. I didn't get your strcpy warning
because I was using yacc. I didn't get the GCC warning because I was
running clang.

I'll have to remember to test with different yaccs and compilers.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: <li...@la...> - 2016-07-26 23:38:16
|
Ah, should I expect the strcpy warning to go away with a new git clone?
|
From: Kevin Z. <kev...@gm...> - 2016-07-26 23:44:11
|
On 07/26/2016 16:38, li...@la... wrote:
> Ah, should I expect the strcpy warning to go away with a new git clone?

Yes. If you don't have local changes, running a `git pull` from inside
the source directory should be fine.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: Georg L. <jor...@ma...> - 2016-07-28 17:30:09
Attachments:
sshguard_leg.patch
sshguard.log
|
On 26/07/16 17:22, Kevin Zheng wrote:
> On 07/26/2016 15:57, Georg Lehner wrote:
>> I tried to step forward with iptables testing, but am unable to compile
>> sshguard. After following
>> http://www.sshguard.net/docs/setup/compile-install/ I get the below errors.
>>
>> Note: this has not been an issue about two weeks before.
>
> Thanks for the report. I've pushed some changes to 'master' that should
> fix this issue. I have another report [1] that sshg-fw fails at run-time
> with the iptables backend. Let me know if you hit this issue, and if you
> know how to fix it.
>
> Thanks,
> Kevin
>
> [1] https://bitbucket.org/sshguard/sshguard/issues/39/
>

Hi!

Finally I have come around to pull the changes. sshguard compiles w/o
errors now.

First tests:

GNU/Linux, Debian 7.11, Bison, GCC

After make install I run:

/usr/local/libexec/sshg-logtail /var/log/socklog/main/current \
|sudo env SSHGUARD_DEBUG=1 /usr/local/sbin/sshguard 2>&1 \
|tee /tmp/sshguard.log

- The sshg-fw script stops with syntax error, a patch with some
  improvements (hopefully) is attached.

- Shortly after startup the following error message is shown,
  processing continues

sh: 1: exec: NONE/libexec/sshg-fw: not found

- After some processing sshguard stops because of a broken pipe.
  See the attached sshguard.log for the error messages.

My guess: sshg-fw is not run (first error), and when the first attacker
should be added the half-open pipe breaks.

I recommend to add a 'ping' or 'version' command to the sshg-fw
interface, so that sshguard can check for sanity on startup.

- - -

I noticed, that the sshg-fw script is wrapped together by './configure'
and not by 'make'. To rebuild it, you need to 'make distclean' and then
'./configure' again. I propose either to build the script with make, or
document the procedure.

- - -

Best Regards,

Georg Lehner
|
From: Georg L. <jor...@ma...> - 2016-07-28 18:28:40
|
On 28/07/16 11:27, Georg Lehner wrote:
...
>
> sh: 1: exec: NONE/libexec/sshg-fw: not found
>
> - After some processing sshguard stops because of a broken pipe.
> See the attached sshguard.log for the error messages.
>
> My guess: sshg-fw is not run (first error), and when the first attacker
> should be added the half-open pipe breaks.
>
...
In fact, the auto{make,configure} machinery does not supply a default
prefix. After doing:
./configure --prefix=/usr/local --with-firewall=iptables
I got a working sshguard.
Running now in production, any findings will be reported.
Best Regards,
Georg Lehner
|
|
From: <li...@la...> - 2016-07-28 18:41:36
|
http://www.sshguard.net/docs/setup/compile-install/

The prefix requirement is in the instructions above. IIRC, Kevin added a lot of verbiage on the page for me because I kept screwing it up. ;-)
|
From: Georg L. <jor...@ma...> - 2016-07-28 18:52:10
|
On 28/07/16 12:41, li...@la... wrote:
>
> http://www.sshguard.net/docs/setup/compile-install/
>
> The prefix requirement is in the instructions above. IIRC, Kevin added a lot of verbiage on the page for me because I kept screwing it up. ;-)
>
...

You are right, I did not rtfm. To my excuse: ./configure --help told me,
that the default prefix was /usr/local.

Please Kevin, add --prefix=/your-location to the examples in the section
on "COMPILING AND INSTALLING" lower down the page too.

Regards,

Georg Lehner
|
From: Kevin Z. <kev...@gm...> - 2016-07-28 19:18:11
|
On 07/28/2016 11:41, li...@la... wrote:
>
> http://www.sshguard.net/docs/setup/compile-install/
>
> The prefix requirement is in the instructions above. IIRC, Kevin
> added a lot of verbiage on the page for me because I kept screwing it
> up. ;-)

Although the documentation suggests that you should use '--prefix', I
consider the breakage without a '--prefix' a bug.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: Kevin Z. <kev...@gm...> - 2016-07-28 22:19:15
|
On 07/28/2016 10:27, Georg Lehner wrote:
> - The sshg-fw script stops with syntax error, a patch with some
> improvements (hopefully) is attached.

What's the purpose of the 'x' in lines like these?

if [ "x$2" = "x6" ]; then

Since the string literals are provided, there shouldn't be an error when
the provided strings are empty. Isn't the 'x' there to guard against an
empty string?

> - Shortly after startup the following error message is shown,
> processing continues
>
> sh: 1: exec: NONE/libexec/sshg-fw: not found

Working on this one.

> - After some processing sshguard stops because of a broken pipe.
> See the attached sshguard.log for the error messages.
>
> My guess: sshg-fw is not run (first error), and when the first attacker
> should be added the half-open pipe breaks.

Should be fixed in 'master' now.

> I noticed, that the sshg-fw script is wrapped together by './configure'
> and not by 'make'. To rebuild it, you need to 'make distclean' and then
> './configure' again. I propose either to build the script with make, or
> document the procedure.

I agree. I'll see what I can do. The main issue is that the Makefiles
don't know what firewall backend you chose.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: Georg L. <jor...@ma...> - 2016-07-28 22:34:40
|
On 28/07/16 16:19, Kevin Zheng wrote:
> On 07/28/2016 10:27, Georg Lehner wrote:
>> - The sshg-fw script stops with syntax error, a patch with some
>> improvements (hopefully) is attached.
>
> What's the purpose of the 'x' in lines like these?
>
> if [ "x$2" = "x6" ]; then
>
> Since the string literals are provided, there shouldn't be an error when
> the provided strings are empty. Isn't the 'x' there to guard against an
> empty string?
Force of habit. Consider somebody calling the function without the
second parameter, you'd get a syntax error and the script dies or
behaves erratically.
...
>> I noticed, that the sshg-fw script is wrapped together by './configure'
>> and not by 'make'. To rebuild it, you need to 'make distclean' and then
>> './configure' again. I propose either to build the script with make, or
>> document the procedure.
>
> I agree. I'll see what I can do. The main issue is that the Makefiles
> don't know what firewall backend you chose.
...
Well, my auto{conf,make}-fu is very weak, but I guess that there is a
Makefile.in which can be mangled by ./configure in a way, that the
--with-iptables parameter slips in at the right place in the respective
Makefile.
Best Regards,
Georg Lehner
|
|
From: Jef P. <je...@ma...> - 2016-07-28 22:50:38
|
>What's the purpose of the 'x' in lines like these?
>
>if [ "x$2" = "x6" ]; then
>
>Since the string literals are provided, there shouldn't be an error when
>the provided strings are empty. Isn't the 'x' there to guard against an
>empty string?

That's a common idiom in shell script programming. It's to
guard against the string being checked having a flag argument
that the [ command, a.k.a. test, would interpret. This
is really due to test having poorly thought out argument
syntax but what are you gonna do.

Another common idiom is to merely reverse the order of
the strings being checked:

if [ "6" = "$2" ]; then

Putting the variable second means test won't try to interpret
it as a flag.
|
From: Kevin Z. <kev...@gm...> - 2016-07-28 22:28:57
|
On 07/28/2016 15:24, Jef Poskanzer wrote:
>> What's the purpose of the 'x' in lines like these?
>>
>> if [ "x$2" = "x6" ]; then
>>
>> Since the string literals are provided, there shouldn't be an error when
>> the provided strings are empty. Isn't the 'x' there to guard against an
>> empty string?
>
> That's a common idiom in shell script programming. It's to
> guard against the string being checked having a flag argument
> that the [ command, a.k.a. test, would interpret. This
> is really due to test having poorly thought out argument
> syntax but what are you gonna do.

Ahh, I see. I'm glad someone is looking over my shell scripts.

> Another common idiom is to merely reverse the order of
> the strings being checked:
>
> if [ "6" = "$2" ]; then
>
> Putting the variable second means test won't try to interpret
> it as a flag.

I think I like this better.

Thanks,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
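The comparison forms discussed in the messages above, side by side, as an added example that is not code from the thread or from SSHGuard. All function names and sample values are constructed for illustration; the block checks that the quoted forms agree with a `case` reference on a current POSIX sh, and that the unquoted form is the one that errors or gives a wrong answer.

```shell
#!/bin/sh
# Added illustration: ways to ask "is the argument exactly 6?" in POSIX sh.
# Function names are hypothetical; none of this is taken from sshg-fw.

is6_plain()    { [ "$1" = "6" ]; }      # quoted, variable first
is6_xprefix()  { [ "x$1" = "x6" ]; }    # 'x' prefix: operand can never look like an operator
is6_reversed() { [ "6" = "$1" ]; }      # literal first, variable second
is6_case()     { case "$1" in 6) return 0 ;; *) return 1 ;; esac; }  # no test(1) involved
is6_unquoted() { [ $1 = 6 ]; }          # broken: $1 is word-split and may disappear

# Print the exit status of calling function $1 with the single argument $2.
status_of() {
    rc=0
    "$1" "$2" 2>/dev/null || rc=$?
    printf '%s\n' "$rc"
}

# Constructed sample values: empty, the match, near misses, and strings
# that look like test operators. Prints how many (form, value) pairs
# disagree with the case-based reference.
count_disagreements() {
    bad=0
    for form in is6_plain is6_xprefix is6_reversed; do
        for v in "" "6" "66" "6 " "-n" "-f" "!" "(" "="; do
            [ "$(status_of "$form" "$v")" = "$(status_of is6_case "$v")" ] \
                || bad=$((bad + 1))
        done
    done
    printf '%s\n' "$bad"
}

printf 'quoted forms disagreeing with case: %s\n' "$(count_disagreements)"
# Empty value: the unquoted test collapses to "[ = 6 ]", a usage error (status > 1).
printf 'unquoted, empty value:  status %s\n' "$(status_of is6_unquoted "")"
# Embedded whitespace: "[ 1 -o 6 = 6 ]" is a different expression and is true.
printf 'unquoted, "1 -o 6":     status %s\n' "$(status_of is6_unquoted "1 -o 6")"
printf 'quoted,   "1 -o 6":     status %s\n' "$(status_of is6_plain "1 -o 6")"
```
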
|
From: Kevin Z. <kev...@gm...> - 2016-07-29 01:08:25
|
On 07/28/2016 10:27, Georg Lehner wrote:
> - The sshg-fw script stops with syntax error, a patch with some
> improvements (hopefully) is attached.

Thanks for the patch. Just to make sure, what does 'iptables -w -v' do?
I can't seem to tell from the man page [1] what the default action is.

[1] http://linuxmanpages.net/manpages/fedora21/man8/iptables.8.html

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
From: Georg L. <jor...@ma...> - 2016-07-29 03:32:47
|
On 28/07/16 19:08, Kevin Zheng wrote:
> On 07/28/2016 10:27, Georg Lehner wrote:
>> - The sshg-fw script stops with syntax error, a patch with some
>> improvements (hopefully) is attached.
>
> Thanks for the patch. Just to make sure, what does 'iptables -w -v' do?
> I can't seem to tell from the man page [1] what the default action is.
>
> [1] http://linuxmanpages.net/manpages/fedora21/man8/iptables.8.html
>

Hello Kevin,

It should be `-V` (--version), instead of `-v`.

I'm sure you remember, that I have a system with an old `iptables` which
does not understand the `-w` switch. Since I have a system with a new
`iptables` too, I was able to find a way, to detect non-intrusively if
`-w` is supported.

`iptables -w -V` will exit with an error and a message on stderr if it
is an old `iptables`. If it is a new `iptables` it will show its version
on stdout and exit with success.

I proposed:

`if $cmd -w -v 2>/dev/null; then ...`

in my patch, however it better be:

`if $cmd -w -V 2>&1 >/dev/null; then ...`

to suppress the version string too.

Best Regards,

Georg Lehner
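The `-w -V` probe described in the message above, as an added example that is not the attached patch or SSHGuard's own code. The two `fake_*_iptables` functions are constructed stand-ins that behave the way the message describes old and new `iptables`, and `fw_command` is a hypothetical helper; the block also shows that the order of the two redirections decides which stream is silenced.

```shell
#!/bin/sh
# Added illustration of the "-w -V" capability probe. Nothing here calls
# the real iptables; the stand-ins below are constructed for the example.

# New iptables: accepts -w, prints its version on stdout, exits 0.
fake_new_iptables() { echo "iptables v0.0.0 (constructed)"; }

# Old iptables: rejects -w with a message on stderr and a non-zero status.
fake_old_iptables() {
    case " $* " in
        *" -w "*) echo "unknown option -w (constructed)" >&2; return 2 ;;
    esac
    echo "iptables v0.0.0 (constructed)"
}

# Probe with both streams silenced: stdout is pointed at /dev/null first,
# then stderr is duplicated onto it, so nothing reaches the caller.
probe_quiet()   { "$1" -w -V >/dev/null 2>&1; }

# Same probe with the redirections swapped: stderr is duplicated onto the
# caller's stdout before stdout moves to /dev/null. The version string is
# hidden, but an old binary's error message now appears on stdout.
probe_swapped() { "$1" -w -V 2>&1 >/dev/null; }

# Hypothetical helper: print the command prefix to use for later rule
# changes. Fails early if the binary does not exist at all, instead of
# discovering that when the first rule has to be inserted.
fw_command() {
    command -v "$1" >/dev/null 2>&1 || return 1
    if probe_quiet "$1"; then
        printf '%s -w\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

printf 'new: %s\n' "$(fw_command fake_new_iptables)"
printf 'old: %s\n' "$(fw_command fake_old_iptables)"
printf 'swapped redirections leak: %s\n' "$(probe_swapped fake_old_iptables || true)"
```

The exit status of the probe is the same with either redirection order; only what ends up on the caller's stdout differs.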