sshguard-pf not recognising pure-ftpd logs

[js]

I have a working sshguard-pf installed happily from ports, and successfully blocking ssh bruteforce attempts.

Using pure-ftpd from ports and now looking to get it also working with sshguard-pf as there seem to be an increasing amount of bruteforce attempts with FTP too (and sadly I can't turn that service off due to end-user requirements).

Logging of the pure-ftpd failures is working via the usual ftp syslog facility, e.g.

Nov 18 13:29:39 ftpserver pure-ftpd[4552]: (?@10.1.2.3) [WARNING] Authentication failed for user [fakeuser]

I know this isn't a problem with pf, since it is blocking the sshguard table entries just fine.

So it just seems sshguard isn't recognising the pure-ftpd logs. I've confirmed the relevant log entries are definitely being to sshguard via syslog (i.e. are in ftp.info).

Here is the current syslog.conf entry:

auth.info;authpriv.info;ftp.info                |exec /usr/local/sbin/sshguard -f 100:/var/run/sshd.pid -f 320:/var/run/pure-ftpd.pid -a 2 -p 300 -s 36000

I am using the latest sshguard from ports (sshguard-pf-1.3). I can see there is an sshguard 1.4 release now, which isn't in ports yet it seems, but pure-ftpd support looks like it should have been there since 1.1rc1 so I doubt this version is the problem.

Any help most appreciated.

 

[DutchDaemon]

Similar problems with ProFTPd:
http://forums.freebsd.org/showthread.php?t=8334

I think you'll need to inform the SSHguard author(s) as well.

 

[dennylin93]

I can confirm the bug. I'll try to inform the developers if I have time.

 

[Lego]

Yes, I've been in contact with a member of the program, he's informed me that there was issues with reading proftpd/pureftpd logs, which has been fixed in sshguard 1.4.

Here is the sshguard 1.4 changelist:

* 1.4 Aug 2009
- add touchiness: block repeated abusers for longer
- add blacklisting: store frequent abusers for permanent blocking
- add support for IPv6 in whitelisting (experimental)
- sshguard ignores interrupted fgets() and reloads more seldom
(thanks Keven Tipping)
- debug mode now enabled with SSHGUARD_DEBUG environment variable (no "-d")
- support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
- import newer SimCList containing a number of fixes and improvements
- firewall backends now block all traffic from attackers by
default, not per-service
- netfilter/iptables backend now verifies credentials at initialization
- parser accepts "-" and "_" chars in process names
- fix detection of some ProFTPd and pure-ftp messages
- support log formats of new versions of ProFTPd
- fix one dovecot pattern
- correctly handle abuse threshold = 1 (thanks K. Tipping)
- fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
- fix cmdline argument BoF exploitable by local users when
sshguard is setuid
- support blocking IPv6 addrs in backed "hosts.allow"
- extend hosts.allow backend to support all service types
- localhost addresses are now whitelisted a priori
- extend IPv6 pattern for matching special addresses (eg, IPv4 embedded)
- fix grammar to be insensitive to a log injection in sshd (thanks
J. Oosterveen)

Port tree hasn't been updated yet, but you can download the source and compile/install, and have more luck then me

http://forums.freebsd.org/showthread.php?p=49961#post49961

ADDED:

Version 1.4.4 is the current stable that I have installed and it is successfully blocking ftp attempts for proftpd, so I would hope that it is also resolved for pureftpd.