
SSHGuard not Blocking Connections

Lego

Well-Known Member

Thanks: 1
Messages: 404

#27
OK, so it was suggested that I download sshguard 1.4, compile and install it and get back to them, and possibly help port it to BSD, so I downloaded the binary from:
Code:
blurr-ink# fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2
sshguard-1.4.tar.bz2                          100% of   55 kB   13 kBps
And I installed bzip2:
Code:
===>   Compressing manual pages for bzip2-1.0.5
===>   Running ldconfig
/sbin/ldconfig -m /usr/local/lib
===>   Registering installation for bzip2-1.0.5
===>  Cleaning for bzip2-1.0.5
blurr-ink# rehash
and I'm trying to extract it now:
Code:
blurr-ink# tar yxf sshguard-1.4.tar.bz2
tar: Unrecognized archive format: Inappropriate file type or format
tar: Error exit delayed from previous errors.
What am I doing wrong? And I am in the proper directory that I downloaded it to.
 

jalla

Well-Known Member

Thanks: 84
Messages: 385

#28
Code:
blurr-ink# tar yxf sshguard-1.4.tar.bz2
tar: Unrecognized archive format: Inappropriate file type or format
tar: Error exit delayed from previous errors.
What am I doing wrong? And I am in the proper directory that I downloaded it to.
Use tar -zxf sshguard-1.4.tar.bz2
 

DutchDaemon

Administrator
Staff member
Moderator
Developer

Thanks: 2,620
Messages: 11,217

#29
No, 'y' is for bz2, 'z' is for gzip.

Lego, can you bunzip it first? Does that work?
 

jalla

#31
DutchDaemon said:
No, 'y' is for bz2, 'z' is for gzip.
Not really

Code:
gong:/h/tl# tar cf z.tar tmp
gong:/h/tl# bzip2 z.tar
gong:/h/tl# tar -tvzf z.tar.bz2
drwxr-xr-x  0 tl     tl          0 Nov  6 08:51 tmp/
-rwxr-xr-x  0 tl     tl    1402400 Nov  5 20:30 tmp/filer02.091004
-rwxr-xr-x  0 tl     tl       2189 Nov  5 20:30 tmp/ops_dp.pl
-rwxr-xr-x  0 tl     tl    1633905 Nov  5 20:30 tmp/filer02.091011
-rwxr-xr-x  0 tl     tl       5430 Nov  6 00:15 tmp/stat_dp.pl
-rwxr-xr-x  0 tl     tl     501267 Nov  5 20:30 tmp/dataf02.txt
-rwxr-xr-x  0 tl     tl    3041058 Nov  5 20:30 tmp/ASUPGrab.zip
gong:/h/tl#
 

DutchDaemon

#32
In fact, you don't even need 'y' or 'z', because both are ignored by tar when decompressing ...

Code:
     -y      (c mode only) Compress the resulting archive with bzip2(1).  In
             extract or list modes, this option is ignored.  Note that, unlike
             other tar implementations, this implementation recognizes bzip2
             compression automatically when reading archives.

     -z      (c mode only) Compress the resulting archive with gzip(1).  In
             extract or list modes, this option is ignored.  Note that, unlike
             other tar implementations, this implementation recognizes gzip
             compression automatically when reading archives.
 

DutchDaemon

#33
Anyway, something else is wrong here:

Code:
[X] The "/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2" file could not be found or is not available. Please select another file.
Code:
$ fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2
fetch: https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2: Unknown error: 0
A direct download doesn't seem to work.

Use a web browser and go to http://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2/download

or give that URL to fetch and rename the resulting file ('download', which is 'bzip2 compressed data') to sshguard-1.4.tar.bz2
 

Lego

#34
WOW! Lots of replies. Thanks everyone! Yes, it was my screw-up; the actual name of the file is download:
Code:
fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2/download
download                                      100% of  148 kB  124 kBps
blurr-ink# tar -yxf download
blurr-ink# ls
download        sshguard-1.4
blurr-ink# cd sshguard-1.4
blurr-ink# ls
Changes         aclocal.m4      depcomp         missing         stamp-h1
Makefile.am     config.h.in     examples        mkinstalldirs   ylwrap
Makefile.in     configure       install-sh      scripts
README          configure.ac    man             src
blurr-ink#
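The root cause in #27 and #33 was that the saved file was not what its name said: the first fetch stored an HTML error page under the name sshguard-1.4.tar.bz2, and the real archive was then saved as download. As an added example that is not part of the thread or of sshguard itself, here is a POSIX sh helper that classifies a downloaded file by its leading bytes before handing it to tar, so a mis-saved web page is reported as such instead of producing "Unrecognized archive format". The file name in the usage comment is the one from the thread; the function names are mine.

```sh
#!/bin/sh
# Added example: identify an archive by its magic bytes instead of trusting
# the file name or the URL it came from.  Needs only od(1) and tar(1).

# Print COUNT bytes of FILE starting at byte OFFSET as a lowercase hex string.
hex_at() {  # hex_at FILE OFFSET COUNT
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Classify FILE: prints bzip2, gzip, xz, tar, html or unknown.
archive_kind() {
    f=$1
    case "$(hex_at "$f" 0 6)" in
        425a68*)        echo bzip2; return ;;   # "BZh"
        1f8b*)          echo gzip;  return ;;   # gzip member header
        fd377a585a00)   echo xz;    return ;;   # "\xFD7zXZ\0"
    esac
    # The "ustar" magic of an uncompressed tar archive sits at byte 257.
    [ "$(hex_at "$f" 257 5)" = 7573746172 ] && { echo tar; return; }
    # A saved web page (what fetch(1) got in #33) starts with "<" (0x3c),
    # usually "<!DOCTYPE" or "<html>".
    case "$(hex_at "$f" 0 1)" in
        3c) echo html; return ;;
    esac
    echo unknown
}

# Extract FILE into DESTDIR (default: current directory) only if it really is
# an archive.  bsdtar detects the compression itself in extract mode, so no
# -y or -z is needed, exactly as the man page quoted in #32 says.
extract_archive() {  # extract_archive FILE [DESTDIR]
    kind=$(archive_kind "$1")
    case $kind in
        bzip2|gzip|xz|tar) tar -xf "$1" -C "${2:-.}" ;;
        *) echo "refusing to extract $1: looks like $kind, not an archive" >&2
           return 1 ;;
    esac
}

# Usage with the file name from the thread:
#   archive_kind download        # prints: bzip2
#   extract_archive download     # creates sshguard-1.4/
```

The `html` case is the one worth having: the HTML error page that fetch saved in #33 would be reported before tar ever sees it, and the hex comparison works the same on FreeBSD and Linux because `od -tx1` output differs only in whitespace, which `tr` removes.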
 

Lego

#35
Okay, so now I'm following these instructions and I'm getting a tad confused. http://sshguard.sourceforge.net/doc/setup/compileinstall1x.html

I figured there would be a clash between sshguard-pf (which is sshguard 1.3) and the new install of sshguard-1.4, so I:
Code:
#cd /usr/ports/security/sshguard-pf && make deinstall
and went back to my home dir and into the sshguard-1.4 folder:
Code:
./configure --with-firewall=pf
Everything looks fine, so I 'make' and then 'make install' as directed, but two questions: 1. Do I need to actually install pf now, or will it do that like sshguard-pf did? 2. When I ran make it went fine as far as I could tell, and when I did the make install I got this:
Code:
blurr-ink# make
Making all in src
make  all-recursive
Making all in parser
make  all-am
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src     -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
mv -f .deps/command.Tpo .deps/command.Po
rm -f libfwall.a
ar cru libfwall.a command.o
ranlib libfwall.a
gcc -DHAVE_CONFIG_H -I.     -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L   -g -O2 -MT sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o sshguard_options.o sshguard_options.c
mv -f .deps/sshguard_options.Tpo .deps/sshguard_options.Po
gcc -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L   -g -O2   -o sshguard sshguard.o sshguard_whitelist.o  sshguard_log.o sshguard_procauth.o  sshguard_blacklist.o sshguard_options.o  simclist.o parser/libparser.a fwalls/libfwall.a -lpthread
Making all in man
blurr-ink# make install
Making install in src
Making install in parser
make  install-am
Making install in fwalls
test -z "/usr/local/sbin" || .././install-sh -c -d "/usr/local/sbin"
  /usr/bin/install -c 'sshguard' '/usr/local/sbin/sshguard'
Making install in man
test -z "/usr/local/share/man/man8" || .././install-sh -c -d "/usr/local/share/man/man8"
 /usr/bin/install -c -m 644 'sshguard.8' '/usr/local/share/man/man8/sshguard.8'
blurr-ink#
So everything looks OK, but...
Code:
blurr-ink#
blurr-ink# rehash
blurr-ink# pkg_info|grep sshguard
blurr-ink#
It doesn't look like it's installed... What have I done wrong now?? :S
 

DutchDaemon

#36
Manual installs from tarballs don't end up in pkg_info. That doesn't mean it's not installed, it's just outside of the scope of ports management tools. You could try incorporating this version into the ports tree by editing the Makefile in /usr/ports/security/sshguard-pf and by changing the hashes in distinfo. Or you can just run this version until the port version bumps up to 1.4 and replace it then.
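What "changing the hashes in distinfo" amounts to, as an added example that is not part of the thread or of the ports framework: a port's distinfo records the SHA256 and byte size of each distfile, and `make checksum` in the port directory refuses a distfile that does not match, which is exactly the supply-chain check a hand-fetched tarball extracted with `tar -xf` never gets. The sh helper below performs that comparison offline against distinfo-style lines; the assumptions are the `SHA256 (name) = hex` and `SIZE (name) = n` line format, my own function names, and that either sha256sum(1) (Linux) or sha256(1) (FreeBSD) is present.

```sh
#!/bin/sh
# Added example: verify a distfile against the SHA256 and SIZE lines a
# FreeBSD port keeps in its distinfo file.  `make checksum` does this check
# in the port directory; a tarball fetched by hand and extracted directly
# skips it entirely.

# SHA-256 of FILE as a lowercase hex string.  FreeBSD ships sha256(1),
# Linux/coreutils ships sha256sum(1).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print the value recorded for ALG (SHA256 or SIZE) of NAME in DISTINFO.
distinfo_value() {  # distinfo_value DISTINFO ALG NAME
    sed -n "s/^$2 ($3) = //p" "$1" | head -n 1
}

# Return 0 if FILE matches the SHA256 and SIZE recorded for NAME in DISTINFO,
# 1 otherwise, saying which check failed.  Size is checked first because it
# is cheap and catches the truncated or HTML-page downloads seen in #33.
verify_distfile() {  # verify_distfile DISTINFO NAME FILE
    want_sum=$(distinfo_value "$1" SHA256 "$2")
    want_size=$(distinfo_value "$1" SIZE "$2")
    [ -n "$want_sum" ] && [ -n "$want_size" ] || { echo "no distinfo entry for $2" >&2; return 1; }
    got_size=$(wc -c < "$3" | tr -d ' ')
    [ "$got_size" = "$want_size" ] || { echo "size mismatch for $2: $got_size != $want_size" >&2; return 1; }
    got_sum=$(sha256_of "$3")
    [ "$got_sum" = "$want_sum" ] || { echo "SHA256 mismatch for $2" >&2; return 1; }
    echo "$2: OK"
}

# Emit the distinfo lines for FILE recorded under NAME; this is the part of
# `make makesum` that matters when bumping a port to a new version.
make_distinfo() {  # make_distinfo NAME FILE
    printf 'SHA256 (%s) = %s\n' "$1" "$(sha256_of "$2")"
    printf 'SIZE (%s) = %s\n' "$1" "$(wc -c < "$2" | tr -d ' ')"
}

# Bumping the port from the thread.  sshguard-pf is a slave port (its
# Makefile sets MASTERDIR to ../sshguard, see #37), so the version and the
# distinfo live in the master port:
#   cd /usr/ports/security/sshguard
#   (edit Makefile: PORTVERSION= 1.4)
#   make makesum        # fetches the new distfile and rewrites distinfo
#   make checksum       # the check every later build runs before extracting
#   cd ../sshguard-pf && make install clean
```

`make makesum` should be run only on a distfile you have already checked by some independent route (the project's published checksum or signature), since it simply records whatever was downloaded; `make checksum` is the step that then protects every subsequent build.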
 

Lego

#37
Yup, you're right!
Code:
blurr-ink# /usr/local/sbin/sshguard -v
sshguard 1.4.4

Copyright (c) 2007,2008 Mij <mij@*beep**beep**beep**beep**beep*x.it>
This is free software; see the source for conditions on copying.
blurr-ink#
So if I wanted to help update the ports tree to the new version, how would I do that? What do you mean when you say 'change the hashes in distinfo'? What's weird is when I open the Makefile in /usr/ports/security/sshguard-pf it says this:
Code:
# New ports collection makefile for:    sshguard-pf
# Date created:                         17 May 2007
# Whom:                                 Mij <mij@*beep**beep**beep**beep**beep*x.it>
#
# $FreeBSD: ports/security/sshguard-pf/Makefile,v 1.4 2008/07/26 14:01:10 lwhsu Exp $
#

PKGNAMESUFFIX=  -pf

COMMENT=        Protect hosts from brute force attacks against ssh and other services using pf

CONFLICTS=      sshguard-1.* sshguard-ipfilter-1.* sshguard-ipfw-1.*

SSHGUARDFW=     pf
MASTERDIR=      ${.CURDIR}/../sshguard

.include "${MASTERDIR}/Makefile"
What's funny is it had installed 1.3 from ports, and to get 1.4 I had to download and compile/install :S

One More problem:
Code:
Nov 20 14:00:24 blurr-ink webmin[943]: Webmin starting
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 310 with process ID from /var/run/proftpd.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: unable to open pidfile '/var/run/sshd.pid': No such file or directory.
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 100 with process ID from /var/run/sshd.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: unable to open pidfile '/var/run/dovecot/master.pid': No such file or directory.
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 210 with process ID from /var/run/dovecot/master.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Why is it saying it can't find the pid files now? I already attempted to block myself on ssh and it did work, but isn't that weird?
 

Lego

#38
Also, sshd and dovecot are being blocked properly again, but still not proftpd. AARRGGG!!! lol
Code:
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:12:24 blurr-ink proftpd[1385]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:24 blurr-ink proftpd[1385]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:12:40 blurr-ink proftpd[1386]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:40 blurr-ink proftpd[1386]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:19 blurr-ink proftpd[1455]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:19 blurr-ink proftpd[1455]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:34 blurr-ink proftpd[1456]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:34 blurr-ink proftpd[1456]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:50 blurr-ink proftpd[1457]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:50 blurr-ink proftpd[1457]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:14:06 blurr-ink proftpd[1460]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:14:06 blurr-ink proftpd[1460]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:14:30 blurr-ink proftpd[1464]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego: Login successful.
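The lines above are what sshguard has to turn into a blocking decision: count "Login failed" entries per source address and, once the count reaches the abuse threshold (the `a` in the `(a,p,s)=(5, 420, 1200)` startup line of #37, as I read that output), add the address to the pf table. As an added example that is not sshguard's own code, here is that counting done in awk over constructed lines in the same proftpd format, so the threshold logic can be checked by hand when a service is "not being blocked"; the 192.0.2.0/24 addresses are a documentation range and the function names are mine.

```sh
#!/bin/sh
# Added example: the per-address failure counting sshguard performs on
# proftpd log lines, reimplemented in awk so the decision is visible.

# Read syslog lines on stdin; print "ip count" for every source address that
# produced a proftpd "(Login failed)" line.  The address is the one inside the
# last [...] before ") - USER", as in:
#   proftpd[1382]: localhost (name[192.0.2.10]) - USER lego (Login failed): ...
proftpd_failures() {
    awk '
        / proftpd\[[0-9]+\]: / && /\(Login failed\)/ {
            if (match($0, /\[[0-9.]+\]\) - USER /)) {
                ip = substr($0, RSTART + 1, RLENGTH - length("]) - USER ") - 1)
                n[ip]++
            }
        }
        END { for (ip in n) print ip, n[ip] }
    '
}

# Print, sorted, the addresses whose failure count reached THRESHOLD.  These
# are what sshguard would hand to pf; the equivalent manual action is
#   pfctl -t sshguard -T add <ip>
# and the table can be inspected at any time with
#   pfctl -t sshguard -T show
# The table and the rule that uses it come from sshguard's pf setup notes:
#   table <sshguard> persist
#   block in quick on $ext_if proto tcp from <sshguard> to any port 21
addresses_to_block() {  # addresses_to_block THRESHOLD   (log lines on stdin)
    proftpd_failures | awk -v t="$1" '$2 >= t { print $1 }' | sort
}

# Constructed sample in the format of the thread's log: five failures from
# one client, two from another, one success and one unrelated sshd line.
sample_log() {
    cat <<'EOF'
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (host-a.example[192.0.2.10]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (host-a.example[192.0.2.10]) - FTP session closed.
Nov 20 14:12:24 blurr-ink proftpd[1385]: localhost (host-a.example[192.0.2.10]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:40 blurr-ink proftpd[1386]: localhost (host-a.example[192.0.2.10]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:55 blurr-ink proftpd[1390]: localhost (host-b.example[192.0.2.20]) - USER root (Login failed): Incorrect password.
Nov 20 14:13:19 blurr-ink proftpd[1455]: localhost (host-a.example[192.0.2.10]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:30 blurr-ink sshd[1458]: Failed password for lego from 192.0.2.10 port 40000 ssh2
Nov 20 14:13:34 blurr-ink proftpd[1456]: localhost (host-a.example[192.0.2.10]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:50 blurr-ink proftpd[1457]: localhost (host-b.example[192.0.2.20]) - USER root (Login failed): Incorrect password.
Nov 20 14:14:30 blurr-ink proftpd[1464]: localhost (host-a.example[192.0.2.10]) - USER lego: Login successful.
EOF
}

# Usage:
#   sample_log | proftpd_failures      # 192.0.2.10 5 / 192.0.2.20 2
#   sample_log | addresses_to_block 5  # 192.0.2.10
```

Two things this makes visible that the raw log does not: the sshd line is ignored here because it belongs to a different service code and parser, and the successful login does not reset the count, so with the thread's threshold of 5 the first client would have been blocked at 14:13:34, before its later successful login. If a service "is not being blocked", the first check is whether its lines reach sshguard at all, which in the 1.x setup means the syslog.conf pipe that #39 turned out to have commented out.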
 

Lego

#39
OK, I'm a retard, I apologize. After removing the hashes on the lines that uninstalling sshguard-pf had hashed out in my syslog.conf, restarting syslogd and reloading the pf rules, it started blocking proftpd attempts. Not quite sure which factor fixed the issue, but it's fixed!

sshguard 1.4.4 is what I have installed and it is blocking sshd/dovecot & proftpd properly now :) But I have a question about this:

Code:
Nov 20 18:49:25 blurr-ink sshguard[2356]: Got exit signal, flushing blocked addresses and exiting...
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 310 with process ID from /var/run/proftpd.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 100 with process ID from /var/run/sshd.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: unable to open pidfile '/var/run/dovecot/master.pid': No such file or directory.
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 210 with process ID from /var/run/dovecot/master.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
It successfully blocks attempts to crack my imapd server but says it can't find the proper PID file, which this proves:

Code:
blurr-ink# tail /var/run/sshd.pid
1094
blurr-ink# tail /var/run/proftpd.pid
932
blurr-ink# tail /var/run/sshd.pid
1094
blurr-ink# tail /var/run/dovecot/master.pid
tail: /var/run/dovecot/master.pid: No such file or directory
blurr-ink# cd /var/run/ && ls
ConsoleKit              httpd.pid               saslauthd
PolicyKit               inetd.pid               sendmail.pid
accept.lock.1082        ld-elf.so.hints         spamass-milter.sock
clamav                  ld.so.hints             spamd
cron.pid                log                     sshd.pid
dbus                    logpriv                 syslog.pid
devd.pid                named                   syslogd.sockets
devd.pipe               ppp                     utmp
dmesg.boot              proftpd                 xauth
hald                    proftpd.pid             xdmctl
There is no master.pid or dovecot folder/dovecot.pid file (that information was on the old service codes page, I believe); there is also no imapd.pid file. So why/how is it successfully doing that? I think I need to modify my syslog.conf, but I'm not sure.

SO! I have imap-uw installed; the link that DutchDaemon gave me for the service codes I cannot find now: http://sshguard.sourceforge.net/doc/servicecodes.html sends you to a different page. So which pid file do I use, and where can I find the service codes now?

Would I use the sendmail.pid file, or leave it as is?
 

DutchDaemon

#40
There really should be a /var/run/dovecot/ directory, with several files in it, among which master.pid. First # pkg_delete dovecot\*, and then install the port again. I guess sshguard still works because it will take the logging from Dovecot 'on face value' instead of checking it against a pid file.
 

Lego

#41
What exactly is dovecot? Do I need to install it? I thought I remembered seeing service codes for imap-uw or uw-imap...

Is dovecot just the 'program' used by all imap/pop servers to log in??
 

DutchDaemon

#42
Huh, I assumed you were using Dovecot because you had it in your sshguard configuration: http://forums.freebsd.org/showpost.php?p=48701&postcount=11

Dovecot is a POP3/IMAP server, of which there are several in the ports tree. If you don't use it, why feed it to sshguard?

Check in pkg_info whether you have Dovecot installed or not, and if not, remove that stuff from sshguard and replace it with the imap you're actually using ...
 

Lego

#43
Yeah, I figured that's what I had to do... so in that folder listed above I don't see my imap pid file.
 

DutchDaemon

#45
Either imap-uw gets a 'child pid' from inetd, in which case inetd's pid file could be used, or imap-uw places a very temporary pid file (because imap-uw is not running as a daemon, i.e. permanently) in /var/run/. I don't know which it is. I have mailed sshguard's maintainers to get that servicecode page back online a.s.a.p. It will likely contain the answer.

P.S. that email bounced, because the email address is not valid ..
 

Lego

#46
No, I'm not using Dovecot; it's not installed at all... which is why I thought it was weird that it worked to block the imap attempts.

Yes, as a matter of fact, I am running imap from inetd, now that I think about it. I remember adding inetd_enable="YES" to my rc.conf and unhashing the pop3 and imapd lines when I installed uw-imap.

So which would you suggest I do: add the imap info from the service codes page when it comes back up, or change it to the inetd.pid? Or, LOL, should I just leave it as is since it's working :S which is kinda odd if you ask me...

What bounced email are you talking about??
 

DutchDaemon

#47
I have mailed sshguard's maintainers to get that servicecode page back online a.s.a.p. It will likely contain the answer.

P.S. that email bounced, because the email address is not valid ..
That wasn't that academic a statement, was it? ;)
 

DutchDaemon

#48
As to your setup: leave it as it is until that page comes back online, and then apply the proper settings.
 

Lego

#49
Sounds good. I didn't put two and two together for the email thing :p Should I ask on the mailing list for it to be reposted? (The service codes, that is.)
 

DutchDaemon

#50
I think that would be the best thing. And tell them that their broken link report address doesn't work ;)
 