ssh guard doesn't startup

Tux-Slack · 05-14-2007, 03:40 PM

i'm trying to get this sshguard to work and i'm not having much luck with it
so i've installed it
./configure --with-firewall=iptables
make && make install
and set it up...
first editet /etc/syslog.conf
and added at the EOF:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard

as it stated in README
and did a restart
/etc/rc.d/rc.syslogd restart

then i edited /etc/ssh/sshd_config
and changed UseDNS yes to:
UseDNS no

and restarted that to with
/etc/rc.d/rc.sshd restart

edited iptables rules
added new chain
iptables -N sshguard
redirected all ssh trafic from INPUT to the newly created chain
iptables -A INPUT -p tcp -m tcp --dport 22 -j sshguard
and accepted port 22 in sshguard chain
iptables -A sshguard -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT

ok it's time to test this stuff
so i connect to a remote server and connect right back to my server through port 22 protocol ssh
the README says that after ssh auth atempt something like this should pop up in the log files(i guess /var/log/messages):
Feb 1 01:01:01 host sshguard[1234]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.

so as i connect from the remote host back to my server i watch this log file with
tail -f /var/log/messages

and nothing like that pops up
I only get this:
May 14 18:52:02 x-shells sshd[12400]: Connection from 86.61.99.50 port 53722
May 14 18:52:04 x-shells sshd[12400]: Failed none for admin from 86.61.99.50 port 53722 ssh2
May 14 18:52:47 x-shells sshd[12400]: Accepted password for admin from 86.61.99.50 port 53722 ssh2

Loging on sshd is set to VERBOSE
maybe this could be wrong?

bsdunix · 05-16-2007, 10:55 AM

Quote:

first editet /etc/syslog.conf
and added at the EOF:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard

Might not make a difference, but the documentation says to put it "high" into the file and not at EOF.

http://sourceforge.net/docman/displa...roup_id=188282

Tux-Slack · 05-17-2007, 01:20 PM

you're right
it didn't make the difference

thanks for trying though

uw3fa · 05-18-2007, 07:35 AM

Quote:

Originally Posted by Tux-Slack

you're right
it didn't make the difference

thanks for trying though

I had just set it up successfully following that steps on gentoo.

I get the starting message in /var/log/auth.log so it should log to auth.*, so look in the file
that stores that facility, not in /var/log/messages.

Tux-Slack · 05-18-2007, 01:31 PM

Code:

root@x-shells:/etc/rc.d# ls /var/log
apache2/         clamd.1  cups/    debug.4  maillog.1   messages.2   record-up          scripts/  setup/     syslog     uucp/
btmp             cron     date     dmesg    maillog.2   messages.3   removed_packages/  secure    spooler    syslog.1   wtmp
btmp.1           cron.1   debug    faillog  maillog.3   messages.4   removed_scripts/   secure.1  spooler.1  syslog.2   wtmp.1
clamav-update    cron.2   debug.1  iptraf/  maillog.4   nfsd/        rkhunter.log       secure.2  spooler.2  syslog.3
clamav-update.1  cron.3   debug.2  lastlog  messages    packages/    sa/                secure.3  spooler.3  syslog.4
clamd            cron.4   debug.3  maillog  messages.1  proftpd.log  samba/             secure.4  spooler.4  users.log

Code:

root@x-shells:/etc/rc.d# slocate auth.log
root@x-shells:/etc/rc.d#

it does not exist
it's not loging
because it's not starting...
if i connect to the server via ssh there should be a sshguard process in the list
but there isn't any

would you mind posting your syslog.conf here or on a private message?
i think it has something to do with this...

uw3fa · 05-19-2007, 02:35 AM

Quote:

Code:

root@x-shells:/etc/rc.d# ls /var/log
apache2/         clamd.1  cups/    debug.4  maillog.1   messages.2   record-up          scripts/  setup/     syslog     uucp/
btmp             cron     date     dmesg    maillog.2   messages.3   removed_packages/  secure    spooler    syslog.1   wtmp
btmp.1           cron.1   debug    faillog  maillog.3   messages.4   removed_scripts/   secure.1  spooler.1  syslog.2   wtmp.1
clamav-update    cron.2   debug.1  iptraf/  maillog.4   nfsd/        rkhunter.log       secure.2  spooler.2  syslog.3
clamav-update.1  cron.3   debug.2  lastlog  messages    packages/    sa/                secure.3  spooler.3  syslog.4
clamd            cron.4   debug.3  maillog  messages.1  proftpd.log  samba/             secure.4  spooler.4  users.log

Look for the destination of auth.* in syslog.conf, not for the auth.log file itself

From this bunch of files, it could be "secure".

Quote:

it does not exist
it's not loging
because it's not starting...
if i connect to the server via ssh there should be a sshguard process in the list
but there isn't any

This is most likely a syslog misconfiguration then.

Quote:

would you mind posting your syslog.conf here or on a private message?
i think it has something to do with this...

My only difference is that I used
auth.info;authpriv.info |/usr/local/sbin/sshguard
without the "exec". I followed
http://sourceforge.net/docman/displa...roup_id=188282

If you have not success you might want to try asking on the mailing list and pointing
out our thread
http://sourceforge.net/mail/?group_id=188282

Otherwise, you may just try with another tool, there are many for blocking brute forces to ssh

http://freshmeat.net/search/?q=ssh+b...&Go.x=0&Go.y=0

Tux-Slack · 05-19-2007, 01:42 PM

i've tried it without the exec 2
no change

auth.* is supposed to and is loging to messages