Imported Upstream version 1.4

* 1.4 Aug 2009
- add touchiness: block repeated abusers for longer
- add blacklisting: store frequent abusers for permanent blocking
- add support for IPv6 in whitelisting (experimental)
- sshguard ignores interrupted fgets() and reloads more seldom (thanks Keven Tipping)
- debug mode now enabled with SSHGUARD_DEBUG environment variable (no "-d")
- support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
- import newer SimCList containing a number of fixes and improvements
- firewall backends now block all traffic from attackers by default, not per-service
- netfilter/iptables backend now verifies credentials at initialization
- parser accepts "-" and "_" chars in process names
- fix detection of some ProFTPd and pure-ftp messages
- support log formats of new versions of ProFTPd
- fix one dovecot pattern
- correctly handle abuse threshold = 1 (thanks K. Tipping)
- fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
- fix cmdline argument BoF exploitable by local users when sshguard is setuid
- support blocking IPv6 addrs in backend "hosts.allow"
- extend hosts.allow backend to support all service types
- localhost addresses are now whitelisted a priori
- extend IPv6 pattern for matching special addresses (eg, IPv4 embedded)
- fix grammar to be insensitive to a log injection in sshd (thanks J. Oosterveen)
* 1.3 Oct 2008
- fix autoconf problem
- automatically detect when ipfw supports IPv6 (thanks David Horn)
- be sensitive to proftpd messages to auth facility, not daemon (thanks Andy Berkvam)
- add sshd pattern for "Bad protocol" and "Did not receive identif string"
* 1.2 Sep 2008
- support for Cyrus IMAP
- support for SSH "possible break-in attempt" messages
- updated support for dovecot to include logging format of new versions
- (thanks Michael Maynard) fix of IPF backend causing sshguard not to
update /etc/ipf.rules (disallow IPv6)
- fix detection of password when sshd doesn't log anything more than PAM
* 1.1 Jul 2008 (midway releases from Jul 2007 to Jun 2008)
- support suspension
- support debug mode at runtime (-d) for helping users in problem solving
- support for metalog logging format
- fix parser bug when recognizing certain IPv6 addresses
- fix segfault when the pipe to sshguard is closed unexpectedly
- support for ipfilter as blocking backend (thanks Hellmuth Michaelis for feedback)
- support for log messages authentication
- support for AIX genfilt firewall (thanks Gabor Szittner)
- fix "hosts" backend bug not discarding temporary files
- add monitoring support for new services:
@ dovecot imap
@ UWimap imap and pop
@ FreeBSD's ftpd
@ ProFTPd
@ pure-ftpd
* 1.0 May 2007
- address whitelisting for protecting friend addresses
- support for IPv6
- support for service multiplexing (behave differently for different services)
- more powerful parsing (context-free): support multilog, autotranslate
hostnames and easily extends to a lot of services
- new blocking backend: "hosts" for /etc/hosts.deny
- paths autodetected and adjustable from ./configure
- script for trivially generating new custom backends
* 0.91 Mar 2007
- run away from scons and use autotools as building system
* 0.9 Feb 2007
- first public release
AUTOMAKE_OPTIONS = foreign
SUBDIRS = src man
===================
SSHGUARD
===================
version: 1.4
date: Aug 2009
authors: Mij <mij@bitchx.it>, T.J. Jones <tjjones03@gmail.com>
See http://www.sshguard.net for information about sshguard, including
technical documentation and licensing.
All the documentation is available at http://www.sshguard.net/doc/
/* config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H
/* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK
/* Define to 1 if you have the `gethostbyname' function. */
#undef HAVE_GETHOSTBYNAME
/* Define to 1 if you have the `inet_ntoa' function. */
#undef HAVE_INET_NTOA
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the `pthread' library (-lpthread). */
#undef HAVE_LIBPTHREAD
/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
to 0 otherwise. */
#undef HAVE_MALLOC
/* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the `strerror' function. */
#undef HAVE_STRERROR
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strstr' function. */
#undef HAVE_STRSTR
/* Define to 1 if you have the `strtol' function. */
#undef HAVE_STRTOL
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
#undef HAVE_SYS_WAIT_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the `vfork' function. */
#undef HAVE_VFORK
/* Define to 1 if you have the <vfork.h> header file. */
#undef HAVE_VFORK_H
/* Define to 1 if `fork' works. */
#undef HAVE_WORKING_FORK
/* Define to 1 if `vfork' works. */
#undef HAVE_WORKING_VFORK
/* path for the iptables command */
#undef IPTABLES_PATH
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Version number of package */
#undef VERSION
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to `__inline__' or `__inline' if that's what the C compiler
calls it, or to nothing if 'inline' is not supported under any name. */
#ifndef __cplusplus
#undef inline
#endif
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
/* Define to `long' if <sys/types.h> does not define. */
#undef off_t
/* Define to `int' if <sys/types.h> does not define. */
#undef pid_t
/* Define to `unsigned' if <sys/types.h> does not define. */
#undef size_t
/* Define as `fork' if `vfork' does not work. */
#undef vfork
# comment line (a '#' as very first character)
# a single IPv4 and IPv6 address
1.2.3.4
2001:0db8:85a3:08d3:1319:8a2e:0370:7344
# address blocks in CIDR notation
127.0.0.0/8
10.11.128.0/17
192.168.0.0/24
# hostnames
rome-fw.enterprise.com
hosts.friends.com
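The whitelist format above, parsed and checked by an added example that is not part of sshguard (the sample file, the function names and the `resolver` hook are my own). It keeps two rules from the 1.4 changelog, loopback is whitelisted a priori and an IPv4 address embedded in IPv6 matches its IPv4 entry, and it rejects a CIDR entry whose host bits are set instead of silently widening it; hostnames are only resolved through a caller-supplied resolver so the check runs offline.

```python
import ipaddress
import re

# Constructed sample in the whitelist format shown above (not sshguard's file);
# the last line has host bits set and should be rejected, not widened.
SAMPLE_WHITELIST = """\
# comment line (a '#' as very first character)
1.2.3.4
2001:0db8:85a3:08d3:1319:8a2e:0370:7344
127.0.0.0/8
10.11.128.0/17
192.168.0.0/24
rome-fw.enterprise.com
192.0.2.1/24
"""

# Hostname labels: letters, digits and inner hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")

# Loopback is whitelisted a priori, as the 1.4 changelog states.
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def parse_whitelist(text, resolver=None):
    """Return (networks, hostnames, rejected) for the whitelist text.
    resolver(name) -> iterable of address strings (hypothetical hook, so the
    parser never touches DNS); rejected holds (line number, entry) pairs."""
    networks, hostnames, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue                      # comment or blank line
        entry = raw.strip()
        try:
            # strict=True: "192.0.2.1/24" is an error, not silently 192.0.2.0/24
            networks.append(ipaddress.ip_network(entry, strict=True))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(entry):
            hostnames.append(entry)
            for addr in (resolver(entry) if resolver else ()):
                networks.append(ipaddress.ip_network(addr))
            continue
        rejected.append((lineno, entry))
    return networks, hostnames, rejected


def is_whitelisted(addr_text, networks):
    """True if addr_text is loopback or falls inside one of networks."""
    addr = ipaddress.ip_address(addr_text)
    # An IPv4 address embedded in IPv6 (::ffff:a.b.c.d) matches its IPv4 entry.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in LOOPBACK + tuple(networks))
```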
man_MANS = sshguard.8
#! /bin/sh
# mkinstalldirs --- make directory hierarchy
scriptversion=2006-05-11.19
# Original author: Noah Friedman <friedman@prep.ai.mit.edu>
# Created: 1993-05-16
# Public domain.
#
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
IFS=" ""	$nl"
errstatus=0
dirmode=
usage="\
Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ...
Create each directory DIR (with mode MODE, if specified), including all
leading file name components.
Report bugs to <bug-automake@gnu.org>."
# process command line arguments
while test $# -gt 0 ; do
case $1 in
-h | --help | --h*) # -h for help
echo "$usage"
exit $?
;;
-m) # -m PERM arg
shift
test $# -eq 0 && { echo "$usage" 1>&2; exit 1; }
dirmode=$1
shift
;;
--version)
echo "$0 $scriptversion"
exit $?
;;
--) # stop option processing
shift
break
;;
-*) # unknown option
echo "$usage" 1>&2
exit 1
;;
*) # first non-opt arg
break
;;
esac
done
for file
do
if test -d "$file"; then
shift
else
break
fi
done
case $# in
0) exit 0 ;;
esac
# Solaris 8's mkdir -p isn't thread-safe. If you mkdir -p a/b and
# mkdir -p a/c at the same time, both will detect that a is missing,
# one will create a, then the other will try to create a and die with
# a "File exists" error. This is a problem when calling mkinstalldirs
# from a parallel make. We use --version in the probe to restrict
# ourselves to GNU mkdir, which is thread-safe.
case $dirmode in
'')
if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
echo "mkdir -p -- $*"
exec mkdir -p -- "$@"
else
# On NextStep and OpenStep, the `mkdir' command does not
# recognize any option. It will interpret all options as
# directories to create, and then abort because `.' already
# exists.
test -d ./-p && rmdir ./-p
test -d ./--version && rmdir ./--version
fi
;;
*)
if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 &&
test ! -d ./--version; then
echo "mkdir -m $dirmode -p -- $*"
exec mkdir -m "$dirmode" -p -- "$@"
else
# Clean up after NextStep and OpenStep mkdir.
for d in ./-m ./-p ./--version "./$dirmode";
do
test -d $d && rmdir $d
done
fi
;;
esac
for file
do
case $file in
/*) pathcomp=/ ;;
*) pathcomp= ;;
esac
oIFS=$IFS
IFS=/
set fnord $file
shift
IFS=$oIFS
for d
do
test "x$d" = x && continue
pathcomp=$pathcomp$d
case $pathcomp in
-*) pathcomp=./$pathcomp ;;
esac
if test ! -d "$pathcomp"; then
echo "mkdir $pathcomp"
mkdir "$pathcomp" || lasterr=$?
if test ! -d "$pathcomp"; then
errstatus=$lasterr
else
if test ! -z "$dirmode"; then
echo "chmod $dirmode $pathcomp"
lasterr=
chmod "$dirmode" "$pathcomp" || lasterr=$?
if test ! -z "$lasterr"; then
errstatus=$lasterr
fi
fi
fi
fi
pathcomp=$pathcomp/
done
done
exit $errstatus
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
#! /bin/sh
cat <<-UserMessage
This script lets you generate command backends for sshguard easily.
A command-based backend is one that uses commands for blocking,
releasing, flushing block rules.
I need the following:
- a name for this backend (choose yourself)
- [possibly] a command for first initialization of the backend
- a command for blocking an address
- a command for releasing an address
- a command for flushing the blocked addresses
- [possibly] a command for last finalization of the backend
These can all be composite with shell operators.
Press enter to continue, Ctrl-C to exit.
UserMessage
read
##############
# $1 = fwall name
# $2 = init commands
# $3 = blocking commands
# $4 = releasing commands
# $5 = flushing commands
# $6 = finalizing commands
gen_template () {
cat >command_${1}.h <<-EOF
#ifndef COMMAND_H
#define COMMAND_H
/* user-defined backend $1 */
#include "../config.h"
#define COMMAND_INIT "$2"
#define COMMAND_FIN "$6"
#define COMMAND_BLOCK "$3"
#define COMMAND_RELEASE "$4"
#define COMMAND_FLUSH "$5"
#endif
EOF
}
genhttp () {
printf "fwname=%s&init=%s&fin=%s&block=%s&release=%s&flush=%s" "$1" "$2" "$6" "$3" "$4" "$5"
}
##############
# read name
echo -n "1) name (choose yourself): "
read fwname
# read init command(s)
echo -n "2) initialization command(s) (leave empty for no init commands): "
read fwinitcmd
# read blocking command(s)
echo "3) blocking command(s)"
cat <<-msg
The following variables are available in the environment of this command:
\$SSHG_ADDR the address to operate (e.g. 192.168.0.12)
\$SSHG_ADDRKIND the code of the address type [see sshguard_addresskind.h] (e.g. 2)
\$SSHG_SERVICE the code of the service attacked [see sshguard_services.h] (e.g. 10)
msg
read fwblockcmd
while test "x$fwblockcmd" = x ; do
echo -n "*need* to specify blocking command(s) (Ctrl-C to exit): "
read fwblockcmd
done
# read releasing command(s)
echo "4) releasing command(s): "
cat <<-msg
The following variables are available in the environment of this command:
\$SSHG_ADDR the address to operate (e.g. 192.168.0.12)
\$SSHG_ADDRKIND the code of the address type [see sshguard_addresskind.h] (e.g. 2)
\$SSHG_SERVICE the code of the service attacked [see sshguard_services.h] (e.g. 10)
msg
read fwreleasecmd
while test "x$fwreleasecmd" = x ; do
echo -n "*need* to specify releasing command(s) (Ctrl-C to exit): "
read fwreleasecmd
done
# read flush command(s)
echo -n "5) flushing command(s): "
read fwflushcmd
while test "x$fwflushcmd" = x ; do
echo -n "*need* to specify flushing command(s) (Ctrl-C to exit): "
read fwflushcmd
done
# read finalization command(s)
echo -n "6) finalization command(s) (leave empty for none): "
read fwfincmd
echo "Result ======================================================="
printf "name: %s\ninit: %s\nblock: %s\nrelease: %s\nflush: %s\nfin: %s\n" "$fwname" "$fwinitcmd" "$fwblockcmd" "$fwreleasecmd" "$fwflushcmd" "$fwfincmd"
echo -n "Confirm? Enter for yes, Ctrl-C to exit: "
read
echo -n "Generating backend as command_${fwname}.h ..."
gen_template "$fwname" "$fwinitcmd" "$fwblockcmd" "$fwreleasecmd" "$fwflushcmd" "$fwfincmd"
echo " done!"
echo "Do you want me to anonymously submit this to http://www.sshguard.net/newfw.php ? [y/n]"
read response
if test "x$response" = xn ; then echo "Not submitting, and terminating." ; exit 0 ; fi
# submitting backend
echo "Submitting ... "
if ! hash curl 2>/dev/null ; then
echo "Could not submit: did not find curl in PATH."
exit 2
fi
curl --silent -F"fwname=$fwname" -F"init=$fwinitcmd" -F"fin=$fwfincmd" -F"block=$fwblockcmd" -F"release=$fwreleasecmd" -F"flush=$fwflushcmd" http://www.sshguard.net/newfw.php >/dev/null
if test $? -ne 0 ; then
echo "curl failed while submitting."
exit 3
fi
echo "Submitted successfully. Thanks"
SUBDIRS = parser fwalls
AM_CFLAGS=-I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L
if DEBUG
AM_CFLAGS+= -g
endif
sbin_PROGRAMS = sshguard
sshguard_SOURCES = sshguard.c sshguard_whitelist.c sshguard_log.c sshguard_procauth.c sshguard_blacklist.c sshguard_options.c simclist.c
sshguard_LDADD = parser/libparser.a fwalls/libfwall.a
/* src/config.h.in. Generated from configure.ac by autoheader. */
/* path for the genfilt command */
#undef FILT_PATH
/* use ip6fw as ipfw can't take IPv6 addresses */
#undef FWALL_HAS_IP6FW
/* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H
/* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK
/* Define to 1 if you have the `gethostbyname' function. */
#undef HAVE_GETHOSTBYNAME
/* Define to 1 if you have the <getopt.h> header file. */
#undef HAVE_GETOPT_H
/* Define to 1 if you have the `inet_ntoa' function. */
#undef HAVE_INET_NTOA
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the `pthread' library (-lpthread). */
#undef HAVE_LIBPTHREAD
/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
to 0 otherwise. */
#undef HAVE_MALLOC
/* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the `strerror' function. */
#undef HAVE_STRERROR
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strstr' function. */
#undef HAVE_STRSTR
/* Define to 1 if you have the `strtol' function. */
#undef HAVE_STRTOL
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
#undef HAVE_SYS_WAIT_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the `vfork' function. */
#undef HAVE_VFORK
/* Define to 1 if you have the <vfork.h> header file. */
#undef HAVE_VFORK_H
/* Define to 1 if `fork' works. */
#undef HAVE_WORKING_FORK
/* Define to 1 if `vfork' works. */
#undef HAVE_WORKING_VFORK
/* file for /etc/hosts.allow */
#undef HOSTSFILE_PATH
/* path for ip6fw command, use null if non-existent FreeBSD >=7 */
#undef IP6FW_PATH
/* filename of the ipfilter configuration file */
#undef IPFILTER_CONFFILE
/* path for the ipf command */
#undef IPFPATH
/* path for the ipfw command */
#undef IPFW_PATH
/* maximum block rule ID to use in IPFW ruleset */
#undef IPFW_RULERANGE_MAX
/* minimum block rule ID to use in IPFW ruleset */
#undef IPFW_RULERANGE_MIN
/* path for the iptables command */
#undef IPTABLES_PATH
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* path for the pfctl command */
#undef PFCTL_PATH
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Version number of package */
#undef VERSION
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to `__inline__' or `__inline' if that's what the C compiler
calls it, or to nothing if 'inline' is not supported under any name. */
#ifndef __cplusplus
#undef inline
#endif
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
/* Define to `long int' if <sys/types.h> does not define. */
#undef off_t
/* Define to `int' if <sys/types.h> does not define. */
#undef pid_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Define as `fork' if `vfork' does not work. */
#undef vfork
AM_CFLAGS=-I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L
noinst_LIBRARIES = libfwall.a
if FWALL_HOSTS
libfwall_a_SOURCES = hosts.c
else
if FWALL_IPFW
libfwall_a_SOURCES = ipfw.c
else
# FWALL_AIX, FWALL_IPFILTER, FWALL_IPTABLES, FWALL_PF, FWALL_NULL
libfwall_a_SOURCES = command.c
endif
endif
#if FWALL_AIX
#libfwall_a_SOURCES = command.c
#else