NEW: security/sshguard

2010-08-31 Thread Todd C. Miller
sshguard protects hosts from brute force attacks. It supports IPv6,
whitelists and log authentication, interfaces with all the major
firewalling systems, has a remarkably clever log analyzer, and is
independent, fast and lightweight as it's written in C.

 - todd

Index: security/sshguard/Makefile
===
RCS file: security/sshguard/Makefile
diff -N security/sshguard/Makefile
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/Makefile  30 Aug 2010 17:10:43 -
@@ -0,0 +1,24 @@
+# $OpenBSD$
+
+COMMENT=   Protect against brute force attacks on sshd and others
+
+DISTNAME=  sshguard-1.5rc4
+PKGNAME=   ${DISTNAME}p0
+CATEGORIES=security
+
+# BSD
+PERMIT_PACKAGE_CDROM=  Yes
+PERMIT_PACKAGE_FTP=Yes
+PERMIT_DISTFILES_CDROM=Yes
+PERMIT_DISTFILES_FTP=  Yes
+
+HOMEPAGE=  http://www.sshguard.net/
+MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+EXTRACT_SUFX=  .tar.bz2
+
+CONFIGURE_STYLE=gnu
+CONFIGURE_ARGS=--with-firewall=pf
+
+NO_REGRESS=Yes
+
+.include bsd.port.mk
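Review bot: `PKGNAME= ${DISTNAME}p0` is not needed on a brand-new port (the pN suffix is for revisions of an already-imported package) and COMMENT should start with a lowercase letter per the ports convention; drop the PKGNAME line and change the comment to `protect against brute force attacks on sshd and others`. The binary links against libc and libpthread without declaring them, so a `WANTLIB` line is missing. Since `CONFIGURE_ARGS=--with-firewall=pf` makes the daemon write to /dev/pf, the port should also ship a pkg/MESSAGE that documents the pf table and rule the package expects and the privilege the daemon needs to maintain them.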
Index: security/sshguard/distinfo
===
RCS file: security/sshguard/distinfo
diff -N security/sshguard/distinfo
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/distinfo  30 Aug 2010 16:50:49 -
@@ -0,0 +1,5 @@
+MD5 (sshguard-1.5rc4.tar.bz2) = sl2kawJUh5YJ+qmEGhReug==
+RMD160 (sshguard-1.5rc4.tar.bz2) = 0aHYO8dZEDWQywBzPC0z6S9siIM=
+SHA1 (sshguard-1.5rc4.tar.bz2) = AFhTvNIEVmqr4zwXkybjFF+NQsA=
+SHA256 (sshguard-1.5rc4.tar.bz2) = opAocT5cc54BYa91AXq11GvX2kkFaw7aiTwP/tP9bTU=
+SIZE (sshguard-1.5rc4.tar.bz2) = 296447
Index: security/sshguard/patches/patch-src_sshguard_logsuck_c
===
RCS file: security/sshguard/patches/patch-src_sshguard_logsuck_c
diff -N security/sshguard/patches/patch-src_sshguard_logsuck_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/patches/patch-src_sshguard_logsuck_c  30 Aug 2010 
17:06:24 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/sshguard_logsuck.c.origMon Aug  9 02:44:15 2010
 src/sshguard_logsuck.c Mon Aug 30 13:06:02 2010
+@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
+ if (ret  0) {
+ if (kevs[0].filter == EVFILT_READ) {
+ /* got data on this one. Read from it */
+-sshguard_log(LOG_DEBUG, Searching for fd %lu in list., 
kevs[0].ident);
++sshguard_log(LOG_DEBUG, Searching for fd %u in list., 
kevs[0].ident);
+ readentry = list_seek( sources_list,  kevs[0].ident);
+ assert(readentry != NULL);
+ assert(readentry-active);
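Review bot: switching the conversion from `%lu` to `%u` presumably matches the type of `kevs[0].ident` on the OpenBSD release this port targets, but it only moves the format mismatch to platforms where `ident` is a long, so it cannot go upstream as written. A cast keeps one source portable without a per-platform diff, e.g. `sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", (unsigned long)kevs[0].ident);` (the string quotes are missing from the hunk as extracted here). Either form is worth sending upstream so the local patch can be dropped.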
Index: security/sshguard/patches/patch-src_sshguard_procauth_c
===
RCS file: security/sshguard/patches/patch-src_sshguard_procauth_c
diff -N security/sshguard/patches/patch-src_sshguard_procauth_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/patches/patch-src_sshguard_procauth_c 30 Aug 2010 
17:06:24 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/sshguard_procauth.c.orig   Mon Aug  9 02:44:15 2010
 src/sshguard_procauth.cMon Aug 30 13:05:40 2010
+@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
+ dup2(ps2me[1], 1);
+ 
+ sshguard_log(LOG_DEBUG, Running 'ps axo pid,ppid'.);
+-execlp(ps, ps, axo, pid,ppid, NULL);
++execlp(ps, ps, axo, pid,ppid, (char *)0);
+ 
+ sshguard_log(LOG_ERR, Unable to run 'ps axo pid,ppid': %s., 
strerror(errno));
+ exit(-1);
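Review bot: the sentinel change is correct: `NULL` may expand to a plain `0`, which travels through execlp's variadic list as an int and is not widened to pointer size on LP64 targets, so `(char *)0` is the portable terminator. Two follow-ups at the same spot: the child only reaches `exit(-1)` when execlp has failed, and a forked child should leave with `_exit(127)` rather than `exit()` so it does not flush the parent's stdio buffers a second time; and any other `execl*` calls in the file need the same sentinel treatment, which this hunk does not show.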
Index: security/sshguard/pkg/DESCR
===
RCS file: security/sshguard/pkg/DESCR
diff -N security/sshguard/pkg/DESCR
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/pkg/DESCR 30 Aug 2010 16:52:04 -
@@ -0,0 +1,4 @@
+sshguard protects hosts from brute force attacks. It supports IPv6,
+whitelists and log authentication, interfaces with all the major
+firewalling systems, has a remarkably clever log analyzer, and is
+independent, fast and lightweight as it's written in C.
Index: security/sshguard/pkg/PLIST
===
RCS file: security/sshguard/pkg/PLIST
diff -N security/sshguard/pkg/PLIST
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/pkg/PLIST 30 Aug 2010 16:54:04 -
@@ -0,0 +1,3 @@
+...@comment $OpenBSD$
+...@man man/man8/sshguard.8
+...@bin sbin/sshguard



Re: NEW: security/sshguard

2010-08-31 Thread Stuart Henderson
On 2010/08/31 16:37, Todd C. Miller wrote:
> sshguard protects hosts from brute force attacks. It supports IPv6,
> whitelists and log authentication, interfaces with all the major
> firewalling systems, has a remarkably clever log analyzer, and is
> independent, fast and lightweight as it's written in C.

> +COMMENT= Protect against brute force attacks on sshd and others

lowercase first char

> +DISTNAME=sshguard-1.5rc4
> +PKGNAME= ${DISTNAME}p0

drop this PKGNAME line

> +# BSD
> +PERMIT_PACKAGE_CDROM=Yes
> +PERMIT_PACKAGE_FTP=  Yes
> +PERMIT_DISTFILES_CDROM=  Yes
> +PERMIT_DISTFILES_FTP=Yes
> +

needs WANTLIB += c pthread here

there was a previous port of this which was never imported, I think
most things have been incorporated upstream but it had some useful
information in MESSAGE about setting up syslogd/pf.conf to work with
which is probably worth incorporating somewhere.

-- snip -- -- --
Please add the following to /etc/pf.conf:

table <sshguard> persist

block in quick on $ext_if proto tcp from <sshguard> \
to any port 22 label "ssh bruteforce"

Please add this to syslogd.conf:

auth.info;authpriv.info	|/usr/local/sbin/sshguard
-- snip -- -- --



Re: NEW: security/sshguard

2010-08-31 Thread Todd C. Miller
In message 20100831211644.gb15...@symphytum.spacehopper.org
so spake Stuart Henderson (stu):

> there was a previous port of this which was never imported, I think
> most things have been incorporated upstream but it had some useful
> information in MESSAGE about setting up syslogd/pf.conf to work with
> which is probably worth incorporating somewhere.

There is no need to change syslog.conf for the current version of
sshguard--you just tell it which log files to follow.  I've
incorporated the rest of your suggestions.

 - todd

Index: security/sshguard/Makefile
===
RCS file: security/sshguard/Makefile
diff -N security/sshguard/Makefile
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/Makefile  31 Aug 2010 22:03:17 -
@@ -0,0 +1,25 @@
+# $OpenBSD$
+
+COMMENT=   protect against brute force attacks on sshd and others
+
+DISTNAME=  sshguard-1.5rc4
+CATEGORIES=security
+
+# BSD
+PERMIT_PACKAGE_CDROM=  Yes
+PERMIT_PACKAGE_FTP=Yes
+PERMIT_DISTFILES_CDROM=Yes
+PERMIT_DISTFILES_FTP=  Yes
+
+WANTLIB+=  c pthread
+
+HOMEPAGE=  http://www.sshguard.net/
+MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+EXTRACT_SUFX=  .tar.bz2
+
+CONFIGURE_STYLE=gnu
+CONFIGURE_ARGS=--with-firewall=pf
+
+NO_REGRESS=Yes
+
+.include bsd.port.mk
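Review bot: this revision picks up the earlier review points (lowercase COMMENT, no PKGNAME, `WANTLIB+= c pthread`). The `# BSD` marker above the PERMIT_* lines is the only license statement in the port; the 2008 review of an earlier submission found no license text in the tarball, only a mention on the website, so please confirm that 1.5rc4 actually ships a license file before setting all four PERMIT_* variables to Yes.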
Index: security/sshguard/distinfo
===
RCS file: security/sshguard/distinfo
diff -N security/sshguard/distinfo
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/distinfo  30 Aug 2010 16:50:49 -
@@ -0,0 +1,5 @@
+MD5 (sshguard-1.5rc4.tar.bz2) = sl2kawJUh5YJ+qmEGhReug==
+RMD160 (sshguard-1.5rc4.tar.bz2) = 0aHYO8dZEDWQywBzPC0z6S9siIM=
+SHA1 (sshguard-1.5rc4.tar.bz2) = AFhTvNIEVmqr4zwXkybjFF+NQsA=
+SHA256 (sshguard-1.5rc4.tar.bz2) = opAocT5cc54BYa91AXq11GvX2kkFaw7aiTwP/tP9bTU=
+SIZE (sshguard-1.5rc4.tar.bz2) = 296447
Index: security/sshguard/patches/patch-src_sshguard_logsuck_c
===
RCS file: security/sshguard/patches/patch-src_sshguard_logsuck_c
diff -N security/sshguard/patches/patch-src_sshguard_logsuck_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/patches/patch-src_sshguard_logsuck_c  30 Aug 2010 
17:06:24 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/sshguard_logsuck.c.origMon Aug  9 02:44:15 2010
 src/sshguard_logsuck.c Mon Aug 30 13:06:02 2010
+@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
+ if (ret  0) {
+ if (kevs[0].filter == EVFILT_READ) {
+ /* got data on this one. Read from it */
+-sshguard_log(LOG_DEBUG, Searching for fd %lu in list., 
kevs[0].ident);
++sshguard_log(LOG_DEBUG, Searching for fd %u in list., 
kevs[0].ident);
+ readentry = list_seek( sources_list,  kevs[0].ident);
+ assert(readentry != NULL);
+ assert(readentry-active);
Index: security/sshguard/patches/patch-src_sshguard_procauth_c
===
RCS file: security/sshguard/patches/patch-src_sshguard_procauth_c
diff -N security/sshguard/patches/patch-src_sshguard_procauth_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/patches/patch-src_sshguard_procauth_c 30 Aug 2010 
17:06:24 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/sshguard_procauth.c.orig   Mon Aug  9 02:44:15 2010
 src/sshguard_procauth.cMon Aug 30 13:05:40 2010
+@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
+ dup2(ps2me[1], 1);
+ 
+ sshguard_log(LOG_DEBUG, Running 'ps axo pid,ppid'.);
+-execlp(ps, ps, axo, pid,ppid, NULL);
++execlp(ps, ps, axo, pid,ppid, (char *)0);
+ 
+ sshguard_log(LOG_ERR, Unable to run 'ps axo pid,ppid': %s., 
strerror(errno));
+ exit(-1);
Index: security/sshguard/pkg/DESCR
===
RCS file: security/sshguard/pkg/DESCR
diff -N security/sshguard/pkg/DESCR
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/pkg/DESCR 30 Aug 2010 16:52:04 -
@@ -0,0 +1,4 @@
+sshguard protects hosts from brute force attacks. It supports IPv6,
+whitelists and log authentication, interfaces with all the major
+firewalling systems, has a remarkably clever log analyzer, and is
+independent, fast and lightweight as it's written in C.
Index: security/sshguard/pkg/MESSAGE
===
RCS file: security/sshguard/pkg/MESSAGE
diff -N security/sshguard/pkg/MESSAGE
--- /dev/null   1 Jan 1970 00:00:00 -
+++ security/sshguard/pkg/MESSAGE   31 Aug 2010 22:09:09 -
@@ -0,0 +1,6 @@
+To use sshguard you must add the following to /etc/pf.conf:
+
+table sshguard persist
+
+block in quick on egress proto tcp from sshguard \
+   to 
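Review bot: as shown here the table name appears without angle brackets in both lines; pf.conf needs `table <sshguard> persist` and `from <sshguard>`, otherwise `sshguard` is read as a host name. Because the rule uses `quick`, it only takes effect if it precedes any `pass` rule for port 22, which MESSAGE should say. The covering note says syslog.conf no longer needs editing, so MESSAGE should instead tell users which log file to hand to sshguard and that the daemon must be able to write to /dev/pf (i.e. run with root privilege), which was the sticking point in the earlier thread. The file is cut off after `to` in this listing.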

Re: NEW security/sshguard

2008-11-17 Thread Martin Schröder
2008/11/16 Girish Venkatachalam [EMAIL PROTECTED]:
> uses logfile monitoring and protects networked hosts from ssh brute
> force attacks. It detects such attacks and blocks the author's address
> with a firewall rule.

What does it do that pf can't?

Best
   Martin



Re: NEW security/sshguard

2008-11-17 Thread Stuart Henderson
On 2008/11/17 08:42, Girish Venkatachalam wrote:
> I just read the nagios README. systrace's privilege elevation does not
> look messy at all.

Maybe messy enough that people will think "oh I can't be bothered
with that, I will just make it setuid root"...and that doesn't avoid
sudo either.

> Can you be more specific? What do you want added? I could simply patch
> the man page. Or we could install the online html documentation in a
> separate location like {PREFIX}/share/doc/sshguard/html.
>
> Why do you want to bother upstream for this? ;)

If we were to install the online html documentation, we would need
permission to redistribute it, because they don't grant it.

But, I sort-of assumed (from the frequent references to the website)
that there was some more documentation there, and hoped it would say
a bit more about the other log formats it can parse, but now I've
looked over it I can't find any more useful information, so I'm
happy to leave those out. We do need to mention the other parsers
in the manual though, or people may be surprised if they mistype
a POP3 password and get locked out of SSH.

But actually we need to bother them anyway: there's no copyright
license in the .tar.bz2 file either, as things stand now you must
set PERMIT_*=No. The only mention is at the top of the website,
"sshguard is BSD-licensed", but that is not enough. They need to
include the actual license text (since there is no single BSD
license) and it needs to be with the source code.

They might be interested in looking at the usual OpenBSD license,
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/share/misc/license.template
- it has helpful comments about formatting of dates etc.

> > Users also need to be reminded to use tabs not spaces in
> > syslog.conf, I guarantee everybody will copy-and-paste from
> > MESSAGE and get it wrong - if you add a reminder, only about
> > half the people will do that ;-)
>
> I agree but anyone with a reasonable degree of UNIX experience should
> know that tabs are the in thing for crontabs and config files. :)
>
> By the way this is a syslog restriction and has nothing to do with the
> sshguard port.

The only files I can think of where this applies are syslog.conf
and sendmail.cf, and most users who look for this software won't have
edited syslog.conf before (and wouldn't dream of touching sendmail.cf!)

Pointing it out will avoid stupid "it doesn't work" emails to the
maintainer :-)

> > Does anyone who knows yacc/regex well have time to take a
> > look over sshguard's pattern matchers?
>
> No the problem if you may call it so lies elsewhere.
>
> From whatever little I know of yacc parsing I can see the there is no
> mention of tabs in attack_parser.y file.

Tabs aren't the problem there, now I have found the reference
I was looking for:

http://www.ossec.net/en/attacking-loganalysis.html

see why I keep mentioning it? :-)
Maybe their parsers are ok, but I think they need checking.

> My idea is to give people a secure way to protect against the ssh
> bruteforce attack.

Yes, and since many (often novice) users are looking for this
and seem to be looking for log parsers in particular (rather than
PF connection-rate checks), we need to take quite a lot of care
over it. People should not take the existence of something in
ports as a recommendation, but they will...

> And we cannot help dumb users beyond a point anyway...
>
> Sorry for the long post.
>
> Have a nice day!
>
> -Girish
>

And you :-)



Re: NEW security/sshguard

2008-11-17 Thread Alexander Hall

Martin Schröder wrote:
> 2008/11/16 Girish Venkatachalam [EMAIL PROTECTED]:
> > uses logfile monitoring and protects networked hosts from ssh brute
> > force attacks. It detects such attacks and blocks the author's address
> > with a firewall rule.
>
> What does it do that pf can't?

One guess would be ignoring successful connections and possibly
whitelisting those IPs for some time.

> Best
>    Martin



Re: NEW security/sshguard

2008-11-17 Thread Girish Venkatachalam
On 09:49:31 Nov 17, Martin Schröder wrote:
>
> What does it do that pf can't?

Nothing is the short answer.

The long answer is that people keep wanting a tool to protect them from
the now widespread ssh bruteforce attacks. Sure, the best way to protect
is using a pf(4) overload rule but having an extra choice is a good
thing.

Moreover of all the various alternatives that exist for this(refer
wikipedia), sshguard seems fairly reasonable and sound.

That is why we arrived at this.

Does it convince you?

-Girish



Re: NEW security/sshguard

2008-11-17 Thread Girish Venkatachalam
On 10:52:13 Nov 17, Alexander Hall wrote:

> One guess would be ignoring successful connections and possibly
> whitelist those ip's for some time.

From my testing of sshguard I see that 
it strives not to lock out legitimate users.

The blocked IPs get released after a configurable timeout.

I would say that this tool is well engineered for this
purpose.

You don't get locked out if you are having a bad day...

-Girish
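
The two concerns the thread keeps returning to, that a log-driven blocker must not lock out legitimate users (whitelists, blocks released after a timeout) and that its parsers must not be fooled by text the remote side controls (the log-analysis article Stuart links above), put together in one small added example. This is illustrative code written for this page, not sshguard's own source: the sample log lines are constructed, and the `Guard` class, its threshold and timeout values, the regular expressions and the `pfctl -t sshguard -T add` command strings it produces are all assumptions, chosen to line up with the pf table used in the MESSAGE drafts in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of what syslogd writes for sshd (not captured traffic):
# four failures from 192.0.2.10, one from a whitelisted address, and one
# whose user-name field carries address-like text of the peer's choosing.
SAMPLE_LOG = [
    "Nov 17 08:42:01 gw sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Nov 17 08:42:03 gw sshd[1235]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "Nov 17 08:42:05 gw sshd[1236]: Accepted publickey for todd from 10.0.0.5 port 50000 ssh2",
    "Nov 17 08:42:06 gw sshd[1237]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2",
    "Nov 17 08:42:08 gw sshd[1238]: Failed password for invalid user test from 10.0.0.5 port 50001 ssh2",
    "Nov 17 08:42:09 gw sshd[1239]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.9 port 40004 ssh2",
    "Nov 17 08:42:11 gw sshd[1240]: Failed password for root from 192.0.2.10 port 40005 ssh2",
]

# The peer address is taken from the fixed " from <addr> port <n> ssh2"
# suffix anchored at end of line. The greedy user-name group absorbs any
# earlier "from ... port ... ssh2" text, so only the field sshd itself
# appended (the real peer address) is ever returned.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<addr>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

# Naive alternative kept for comparison: first dotted quad anywhere in the line.
NAIVE_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def source_address(line: str) -> Optional[str]:
    """Peer address of a failed sshd login, or None for any other line."""
    m = FAILED_RE.search(line)
    return m.group("addr") if m else None


def naive_source_address(line: str) -> Optional[str]:
    """What a first-address-wins parser would report for the same line."""
    m = NAIVE_RE.search(line)
    return m.group(0) if m else None


class Guard:
    """Failure counter, whitelist and timed release, in the spirit of sshguard."""

    def __init__(self, threshold: int = 4, block_seconds: int = 420,
                 whitelist=()) -> None:
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.whitelist = set(whitelist)
        self.failures: Dict[str, int] = defaultdict(int)
        self.blocked_until: Dict[str, float] = {}

    def feed(self, line: str, now: float) -> Optional[str]:
        """Consume one log line; return the address if it just got blocked."""
        addr = source_address(line)
        if addr is None or addr in self.whitelist or addr in self.blocked_until:
            return None
        self.failures[addr] += 1
        if self.failures[addr] < self.threshold:
            return None
        del self.failures[addr]
        self.blocked_until[addr] = now + self.block_seconds
        return addr

    def release_expired(self, now: float) -> List[str]:
        """Drop blocks whose timeout has passed and return those addresses."""
        expired = sorted(a for a, t in self.blocked_until.items() if t <= now)
        for a in expired:
            del self.blocked_until[a]
        return expired

    def blocked(self) -> List[str]:
        return sorted(self.blocked_until)


def pfctl_commands(addrs, action: str = "add", table: str = "sshguard") -> List[str]:
    """pfctl(8) command lines that would maintain the <sshguard> pf table."""
    return [f"pfctl -t {table} -T {action} {a}" for a in addrs]


def run_sample():
    """Feed SAMPLE_LOG two seconds apart; return the guard and its block events."""
    guard = Guard(threshold=4, block_seconds=420, whitelist=["10.0.0.5"])
    events = []
    for i, line in enumerate(SAMPLE_LOG):
        hit = guard.feed(line, now=2.0 * i)
        if hit is not None:
            events.append((2.0 * i, hit))
    return guard, events


if __name__ == "__main__":
    guard, events = run_sample()
    for when, addr in events:
        print(f"t={when:.0f}s blocked {addr}: {pfctl_commands([addr])[0]}")
    print("injected line, anchored parser:", source_address(SAMPLE_LOG[5]))
    print("injected line, naive parser:   ", naive_source_address(SAMPLE_LOG[5]))
    print("released at t=432s:", guard.release_expired(432.0))
```

The design point is the parser: matching the first address-looking token in the line would report 198.51.100.7 for the sixth sample line and put an address that never connected into the pf table, which is exactly the class of problem the linked article describes; anchoring on the suffix sshd appends makes the user-name field irrelevant to the decision. The timed release and the whitelist are what keep a mistyped password from turning into a lockout.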



Re: NEW security/sshguard

2008-11-17 Thread Girish Venkatachalam
On 09:50:31 Nov 17, Stuart Henderson wrote:
> Maybe messy enough that people will think oh I can't be bothered
> with that I will just make it setuid root...and that doesn't avoid
> sudo either.
>

Okay.

> But, I sort-of assumed (from the frequent references to the website)
> that there was some more documentation there, and hoped it would say
> a bit more about the other log formats it can parse, but now I've
> looked over it I can't find any more useful information, so I'm
> happy to leave those out. We do need to mention the other parsers
> in the manual though, or people may be surprised if they mistype
> a POP3 password and get locked out of SSH.
>

I don't see this happening. sshguard is smartly written, so it won't
lock IPs for long.

> But actually we need to bother them anyway: there's no copyright
> license in the .tar.bz2 file either, as things stand now you must
> set PERMIT_*=No. The only mention is at the top of the website,
> sshguard is BSD-licensed, but that is not enough. They need to
> include the actual license text (since there is no single BSD
> license) and it needs to be with the source code.
>

I will mail the author and get back to you. 

> Pointing it out will avoid stupid it doesn't work emails to the
> maintainer :-)
>

I shall mention it in MESSAGE.

> http://www.ossec.net/en/attacking-loganalysis.html
>
> see why I keep mentioning it? :-)
> Maybe their parsers are ok, but I think they need checking.

Ha ha. I shall read it thoroughly and get back to you in private.

Interesting. Hmm.

> Yes, and since many (often novice) users are looking for this
> and seem to be looking for log parsers in particular (rather than
> PF connection-rate checks), we need to take quite a lot of care
> over it. People should not take the existence of something in
> ports as a recommendation, but they will...

I see that people download and install the program anyway, so having a
port at least gives them slightly more security. ;)

www.openbsd.org tries in the website at least to drum into people's
heads that ports have not undergone a rigorous audit process and I
certainly believe that is true.

Some programs are simply badly written and it is not our job to clean
them.

We still try our best using our excellent ports framework, systrace,
non privileged users and so on.


-Girish



Re: NEW security/sshguard

2008-11-17 Thread patrick keshishian
On Mon, Nov 17, 2008 at 2:53 AM, Girish Venkatachalam
[EMAIL PROTECTED] wrote:
> On 09:49:31 Nov 17, Martin Schröder wrote:
>
> > What does it do that pf can't?
>
> Nothing is the short answer.
>
> The long answer is that people keep wanting a tool to protect them from
> the now widespread ssh bruteforce attacks. Sure, the best way to protect
> is using a pf(4) overload rule but having an extra choice is a good
> thing.
>
> Moreover of all the various alternatives that exist for this(refer
> wikipedia), sshguard seems fairly reasonable and sound.
>
> That is why we arrived at this.
>
we?



NEW security/sshguard

2008-11-16 Thread Girish Venkatachalam
$ cat pkg/DESCR

uses logfile monitoring and protects networked hosts from ssh brute
force attacks. It detects such attacks and blocks the author's address 
with a firewall rule.

--

Port here.

http://gayatri-hitech.com/Misc/sshguard.tgz

I have a problem here. It works only when you give group RW permission
to /dev/pf.

I instrumented sshguard to use pf(4) ioctl but I think the systrace
policy is not allowing it to open /dev/pf.

That needs to be fixed. Otherwise it works very well.

-Girish



Re: NEW security/sshguard

2008-11-16 Thread Stuart Henderson
On 2008-11-16, Girish Venkatachalam [EMAIL PROTECTED] wrote:
> $ cat pkg/DESCR
>
> uses logfile monitoring and protects networked hosts from ssh brute
> force attacks. It detects such attacks and blocks the author's address
> with a firewall rule.
>
> --
>
> Port here.
>
> http://gayatri-hitech.com/Misc/sshguard.tgz
>
> I have a problem here. It works only when you give group RW permission
> to /dev/pf.
>
> I instrumented sshguard to use pf(4) ioctl but I think the systrace
> policy is not allowing it to open /dev/pf.
>
> That needs to be fixed. Otherwise it works very well.
>
> -Girish



I don't see where systrace has anything to do with it ...
I think this may explain it:

$ ps wwuax|grep ssh[g]
_syslogd  8901  0.0  0.1   532  1264 ??  S      8:56PM    0:00.00 /usr/local/sbin/sshguard

i.e. syslogd is running it as the _syslogd user.

However, you could use systrace to elevate privileges,
see /usr/ports/net/nagios/plugins/files/README.OpenBSD.
It's a bit messy but better than using a setuid binary
(don't install it setuid, if people want that, they have
to deliberately chmod it themselves). Maybe sudo is another
option..

We should really get some documentation better than the manpage
installed too, but upstream will need to help, unfortunately
we can't just make a separate tar.gz of the docs on their web
pages to add to the package because there is no copyright license   
on those pages.

Users also need to be reminded to use tabs not spaces in
syslog.conf, I guarantee everybody will copy-and-paste from
MESSAGE and get it wrong - if you add a reminder, only about
half the people will do that ;-)

Does anyone who knows yacc/regex well have time to take a
look over sshguard's pattern matchers?