LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-14-2007, 04:40 PM   #1
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 36
ssh guard doesn't startup


i'm trying to get this sshguard to work and i'm not having much luck with it
so i've installed it
./configure --with-firewall=iptables
make && make install
and set it up...
first editet /etc/syslog.conf
and added at the EOF:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard

as it stated in README
and did a restart
/etc/rc.d/rc.syslogd restart

then i edited /etc/ssh/sshd_config
and changed UseDNS yes to:
UseDNS no

and restarted that to with
/etc/rc.d/rc.sshd restart

edited iptables rules
added new chain
iptables -N sshguard
redirected all ssh trafic from INPUT to the newly created chain
iptables -A INPUT -p tcp -m tcp --dport 22 -j sshguard
and accepted port 22 in sshguard chain
iptables -A sshguard -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT

ok it's time to test this stuff
so i connect to a remote server and connect right back to my server through port 22 protocol ssh
the README says that after ssh auth atempt something like this should pop up in the log files(i guess /var/log/messages):
Feb 1 01:01:01 host sshguard[1234]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.

so as i connect from the remote host back to my server i watch this log file with
tail -f /var/log/messages

and nothing like that pops up
I only get this:
May 14 18:52:02 x-shells sshd[12400]: Connection from 86.61.99.50 port 53722
May 14 18:52:04 x-shells sshd[12400]: Failed none for admin from 86.61.99.50 port 53722 ssh2
May 14 18:52:47 x-shells sshd[12400]: Accepted password for admin from 86.61.99.50 port 53722 ssh2

Loging on sshd is set to VERBOSE
maybe this could be wrong?
 
Old 05-16-2007, 11:55 AM   #2
bsdunix
Senior Member
 
Registered: May 2006
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Posts: 1,757

Rep: Reputation: 79
Quote:
first editet /etc/syslog.conf
and added at the EOF:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
Might not make a difference, but the documentation says to put it "high" into the file and not at EOF.

http://sourceforge.net/docman/displa...roup_id=188282
 
Old 05-17-2007, 02:20 PM   #3
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 36
you're right
it didn't make the difference
thanks for trying though
 
Old 05-18-2007, 08:35 AM   #4
uw3fa
LQ Newbie
 
Registered: May 2007
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by Tux-Slack
you're right
it didn't make the difference
thanks for trying though
I had just set it up successfully following that steps on gentoo.

I get the starting message in /var/log/auth.log so it should log to auth.*, so look in the file
that stores that facility, not in /var/log/messages.

Last edited by uw3fa; 05-18-2007 at 08:47 AM.
 
Old 05-18-2007, 02:31 PM   #5
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 36
Code:
root@x-shells:/etc/rc.d# ls /var/log
apache2/         clamd.1  cups/    debug.4  maillog.1   messages.2   record-up          scripts/  setup/     syslog     uucp/
btmp             cron     date     dmesg    maillog.2   messages.3   removed_packages/  secure    spooler    syslog.1   wtmp
btmp.1           cron.1   debug    faillog  maillog.3   messages.4   removed_scripts/   secure.1  spooler.1  syslog.2   wtmp.1
clamav-update    cron.2   debug.1  iptraf/  maillog.4   nfsd/        rkhunter.log       secure.2  spooler.2  syslog.3
clamav-update.1  cron.3   debug.2  lastlog  messages    packages/    sa/                secure.3  spooler.3  syslog.4
clamd            cron.4   debug.3  maillog  messages.1  proftpd.log  samba/             secure.4  spooler.4  users.log
Code:
root@x-shells:/etc/rc.d# slocate auth.log
root@x-shells:/etc/rc.d#
it does not exist
it's not loging
because it's not starting...
if i connect to the server via ssh there should be a sshguard process in the list
but there isn't any

would you mind posting your syslog.conf here or on a private message?
i think it has something to do with this...
 
Old 05-19-2007, 03:35 AM   #6
uw3fa
LQ Newbie
 
Registered: May 2007
Posts: 2

Rep: Reputation: 0
Quote:
Code:
root@x-shells:/etc/rc.d# ls /var/log
apache2/         clamd.1  cups/    debug.4  maillog.1   messages.2   record-up          scripts/  setup/     syslog     uucp/
btmp             cron     date     dmesg    maillog.2   messages.3   removed_packages/  secure    spooler    syslog.1   wtmp
btmp.1           cron.1   debug    faillog  maillog.3   messages.4   removed_scripts/   secure.1  spooler.1  syslog.2   wtmp.1
clamav-update    cron.2   debug.1  iptraf/  maillog.4   nfsd/        rkhunter.log       secure.2  spooler.2  syslog.3
clamav-update.1  cron.3   debug.2  lastlog  messages    packages/    sa/                secure.3  spooler.3  syslog.4
clamd            cron.4   debug.3  maillog  messages.1  proftpd.log  samba/             secure.4  spooler.4  users.log
Look for the destination of auth.* in syslog.conf, not for the auth.log file itself
From this bunch of files, it could be "secure".


Quote:
it does not exist
it's not loging
because it's not starting...
if i connect to the server via ssh there should be a sshguard process in the list
but there isn't any
This is most likely a syslog misconfiguration then.


Quote:
would you mind posting your syslog.conf here or on a private message?
i think it has something to do with this...
My only difference is that I used
auth.info;authpriv.info |/usr/local/sbin/sshguard
without the "exec". I followed
http://sourceforge.net/docman/displa...roup_id=188282

If you have not success you might want to try asking on the mailing list and pointing
out our thread
http://sourceforge.net/mail/?group_id=188282

Otherwise, you may just try with another tool, there are many for blocking brute forces to ssh
http://freshmeat.net/search/?q=ssh+b...&Go.x=0&Go.y=0
 
Old 05-19-2007, 02:42 PM   #7
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Original Poster
Rep: Reputation: 36
i've tried it without the exec 2
no change

auth.* is supposed to and is loging to messages
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid Guard c0mpy Linux - Software 1 11-08-2005 02:30 AM
ssh rc startup hunterk41 Linux - Security 1 02-18-2005 11:58 PM
ssh still in my startup e1000 VectorLinux 1 12-26-2003 03:23 PM
SSH startup washakie Linux - Security 1 10-08-2003 07:12 PM
SSH Startup jimval7 Linux - General 1 02-25-2002 12:56 PM


All times are GMT -5. The time now is 02:05 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration