SSHGuard not Blocking Connections

Ok, this should be here or in Ports Installation and Maintenance; I wasn't sure, so I started here.

So the original thread I had was here: http://forums.freebsd.org/showthread.php?t=8047

Um so, I had not had another hack-in attempt since getting sshguard talking properly to everything, so I just checked my security report and well....
Code:
Nov 12 01:58:59 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:00 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:26 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:39 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:40 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:52 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:53 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:00 blurr-ink sshguard[10051]: Got exit signal, flushing blocked addresses and exiting...
Nov 12 02:00:00 blurr-ink sshguard[11208]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Nov 12 02:00:05 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:06 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:32 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:45 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:58 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:59 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.

No time gap between the logging attempts, and obviously not blocking the IP, PLUS I have it set for 5 attempts if you look at my config in the thread link up top. Any ideas?

Also, there is a lot more than just posted, but I didn't want to flood the page 'that' bad.
 
What firewall do you use? If you use PF did you add the rules?

Something like:
Code:
block in on $ext_if proto tcp from <sshguard>
 
Yes I did, my pf.conf looks like this:
Code:
#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.4.1 2008/11/25 02:59:29 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist
table <sshguard> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
block in quick on fxp0 from <sshguard> label "ssh bruteforce"

My Ethernet card is fxp0:
Code:
blurr-ink# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:11:52:01:13
        inet 192.168.0.194 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

This page http://sshguard.sourceforge.net/doc/setup/blockingpf.html said to change $ext_if to your WAN interface name, so that's why I put fxp0. Is that wrong??

Ironic, as I was posting this, it seems the person has stopped trying to get in.... hmmm.. maybe someone on the forum that has seen lots of my posts and figures they can get in easy??
 
I also removed the 'to any port 22' because I want them completely blocked: if you try and hack one, why should I let you try to hack another... my thoughts anyway.


ADDED: Yes, I have reloaded the rules twice and even tried a restart.

I did a 'pfctl -F all -f /etc/pf.conf' because it said it flushes all rules before reloading them; figured it was a good idea.
 
Are you sure SSHguard actually sees these login attempts? Try this trick again if you must. Also make sure that the PID file you gave to SSHguard to check the validity of the logging process is actually present/correct.
 
Actually, I did re-add that trick and restarted syslogd. Those failed attempts listed up top are pulled from the sshguard.log file; how do I verify the PID file is present/correct??

When I 'ee /var/run/proftpd.pid' it opens a document that says 932, that's it! Not supposed to do that, am I? lol
 
So, is ProFTPD actually running as process # 932 in pgrep proftpd? SSHguard will only consider those authentication attempts if /var/run/proftpd.pid and pgrep proftpd match.
 
Yes, they do match. Weird, I thought I was wrong opening the file like that; 932 in the /var/run/proftpd.pid, and 932 for the pgrep:
Code:
blurr-ink# pgrep proftpd
932
blurr-ink#
 
Actually, ProFTPD is service code 310, not 300 ..., I saw they were both mentioned in the other thread. Make sure it's 310.
 
Yes, that was changed when you had given me the link to the service codes page; this is the current /etc/syslog.conf line:
Code:
auth.info;authpriv.info;ftp.info;mail.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;ftp.info;mail.info       /var/log/sshguard.log
 
Well, if the service code is ok, the logging arrives ok, the PID is ok, and sshguard is running .. I don't know what's left to look at. Is it working for sshd and Dovecot?
 
hmm.... Not sure, I guess I could try and ban myself, but I haven't had any attacks on sshd since I changed the port and I've never had an attack on my mail server. I'll do 5 failed attempts to ssh now, and see if it works...
 
Ok, LOL yes it is blocking sshd attempts.... Now I'm locked out of my server LOL
Code:
Nov 13 18:25:29 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:32 blurr-ink last message repeated 2 times
Nov 13 18:25:32 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:34 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:34 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:35 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:35 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 6 seconds.
Nov 13 18:25:35 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:27:27 blurr-ink sshd[49446]: Accepted keyboard-interactive/pam for lego from 192.168.0.196 port 58108 ssh2
Nov 13 18:27:27 blurr-ink sshd[49443]: error: ssh_msg_send: write
Nov 13 18:27:35 blurr-ink su: lego to root on /dev/ttyp1

After the 5 it just crashed my PuTTY, well, wouldn't even let me connect, so it is blocking for ssh..... It then let me locally ssh in, so I can remove the blocked address.

ADDED: How do I remove the address, or do I just have to wait?? Default time is what, 2-7 minutes??
 
The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.

It's also possible to use # pfctl -t sshguard -T d ip.add.re.ss to delete IPs. -T s to show them and -T f to flush the table.
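To see what sshguard should have done with the lines posted in this thread, here is an added example; it is not from the thread and not sshguard's own code. It replays syslog lines with the counting sshguard reports at start-up on this box ((a,p,s)=(5, 420, 1200)), expands syslogd's "last message repeated N times" lines, resets its state on the 02:00:00 "flushing blocked addresses" restart line, and records any failure that arrives from an address it has already blocked. The two regexes for the proftpd and sshd messages are written here to match the lines in the thread and are an assumption, not sshguard's signature set; the sample lines are copied from the thread and trimmed.

```python
import re
from datetime import datetime, timedelta

# Thresholds from the sshguard start-up line quoted in the thread,
# "(a,p,s)=(5, 420, 1200)": block after a failures, keep the block for
# p seconds, forget a failure s seconds after it happened.
ATTACKS, PARDON, STALE = 5, 420, 1200

TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
REPEATED = re.compile(r"^last message repeated (\d+) times$")
RESTART = re.compile(r"^sshguard\[\d+\]: Got exit signal, flushing blocked addresses")
# Constructed patterns matching the proftpd and sshd lines in the thread
# (assumption: these are not sshguard's real signatures).
FAILURE = [
    re.compile(r"^proftpd\[\d+\]: .* USER \S+: no such user found from (\d+(?:\.\d+){3})"),
    re.compile(r"^sshd\[\d+\]: error: PAM: authentication error for \S+ from (\d+(?:\.\d+){3})"),
]


def parse_time(stamp):
    # Syslog stamps carry no year; strptime fills in 1900, fine for deltas.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


class Guard:
    """Replays syslog lines with sshguard-style counting and pardon logic."""

    def __init__(self, attacks=ATTACKS, pardon=PARDON, stale=STALE):
        self.attacks, self.pardon, self.stale = attacks, pardon, stale
        self.failures = {}   # ip -> [datetime of each recent failure]
        self.blocked = {}    # ip -> datetime the block was installed
        self.last_ip = None  # source of the previous line, for "last message repeated"
        self.blocks = []     # (stamp, ip, failures, seconds), like sshguard's Blocking line
        self.leaks = []      # (stamp, ip): failure logged while ip was already blocked

    def feed(self, line):
        m = TIMESTAMP.match(line)
        if not m:
            return
        stamp, msg = m.groups()
        now = parse_time(stamp)
        self.expire(now)
        if RESTART.match(msg):
            # sshguard exiting flushes its table and counters (02:00:00 in the thread)
            self.failures.clear()
            self.blocked.clear()
            self.last_ip = None
            return
        rep = REPEATED.match(msg)
        if rep:
            # syslogd collapsed identical lines; count every suppressed copy
            if self.last_ip:
                for _ in range(int(rep.group(1))):
                    self.failure(stamp, now, self.last_ip)
            return
        for pat in FAILURE:
            f = pat.match(msg)
            if f:
                self.last_ip = f.group(1)
                self.failure(stamp, now, self.last_ip)
                return
        self.last_ip = None

    def failure(self, stamp, now, ip):
        if ip in self.blocked:
            # Still seeing logins from a blocked address: the firewall rule is
            # not taking effect, which is the symptom the first post describes.
            self.leaks.append((stamp, ip))
            return
        window = timedelta(seconds=self.stale)
        hits = [t for t in self.failures.get(ip, []) if now - t <= window]
        hits.append(now)
        self.failures[ip] = hits
        if len(hits) >= self.attacks:
            span = int((now - hits[0]).total_seconds())
            self.blocks.append((stamp, ip, len(hits), span))
            self.blocked[ip] = now
            del self.failures[ip]

    def expire(self, now):
        # Release blocks older than the pardon interval.
        for ip, since in list(self.blocked.items()):
            if now - since > timedelta(seconds=self.pardon):
                del self.blocked[ip]

    def is_blocked(self, ip, at):
        self.expire(parse_time(at))
        return ip in self.blocked


def replay(text, **kw):
    g = Guard(**kw)
    for line in text.splitlines():
        g.feed(line)
    return g


# Sample input: lines copied from the thread, trimmed to fit.
FTP_LOG = """\
Nov 12 01:58:59 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 01:59:00 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
Nov 12 02:00:00 blurr-ink sshguard[10051]: Got exit signal, flushing blocked addresses and exiting...
Nov 12 02:00:05 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75]
"""
SSH_LOG = """\
Nov 13 18:25:29 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:32 blurr-ink last message repeated 2 times
Nov 13 18:25:32 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:34 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:34 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:35 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
"""

if __name__ == "__main__":
    for name, text in (("proftpd", FTP_LOG), ("sshd", SSH_LOG)):
        g = replay(text)
        print(name, "blocks:", g.blocks, "leaks:", g.leaks)
```

Run over the proftpd lines, the replay blocks 219.146.8.75 at 01:59:13 with 5 failures over 14 seconds, and every later line from that address is recorded as a leak. On the real box that is the fork in the diagnosis: sshguard.log shows a "Blocking" line and the attempts continue, so pf is not enforcing the table (check with pfctl -t sshguard -T show); or, as in the first post, there is no "Blocking" line at all, so sshguard never counted those proftpd messages and the pf rules are not the place to look. Run over the sshd lines it reproduces the thread's "5 failures over 6 seconds" exactly, because the three PAM errors collapsed into "last message repeated 2 times" are counted. The replay releases a block exactly 420 seconds later; the 420~630 window mentioned above comes from sshguard checking for expired blocks only periodically.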
 
And IMAP seems to be working as well:
Code:
Nov 13 18:40:00 blurr-ink imapd[49729]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:12 blurr-ink last message repeated 2 times
Nov 13 18:40:17 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:22 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:28 blurr-ink imapd[49729]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:28 blurr-ink imapd[49733]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:34 blurr-ink imapd[49733]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:34 blurr-ink imapd[49734]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink imapd[49734]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:37 blurr-ink imapd[49735]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 902 seconds.
 
dennylin93 said:
The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.

It's also possible to use # pfctl -t sshguard -T d ip.add.re.ss to delete IPs. -T s to show them and -T f to flush the table.

Thanks, yeah, I'm unblocked already.
 
Um, I think I either don't understand your syntax or it's wrong....
This worked but yours didn't:
Code:
blurr-ink# pfctl -Tshow -t sshguard
No ALTQ support in kernel
ALTQ related functions disabled

The -T f didn't flush them either, what am I doing wrong.... http://sshguard.sourceforge.net/doc/setup/blockingpf.html that's where I got the command I used. Oh, and I did re-ban myself before trying to flush them... time ran out before I got it to work.
 
These are all the same:
Code:
-t table -T s
-t table -T show
-t table -Ts
-t table -Tshow
-T s -t table
-T show -t table
-Ts -t table
-Tshow -t table
-ttable -T .... etc.
-Td -Tdelete -Tflush -T f -T delete -T flush etc. etc
 
Ok, um, I think I did the right thing. I'm supposed to submit an email to the mailing list?? So I did, and gave the link to this thread; hopefully that's what I was supposed to do, and someone will be able to help me :)
 