From: Adam C. <ada...@be...> - 2009-04-21 22:32:51
sshguard 1.4rc3 on rhel5

My first host is up and running great, and today I went to install on a second host. But I must have missed documenting a step in my process because I'm having an issue. Looks like the IP address isn't being parsed out of the log message correctly. Here's a simple example, running from the command line with debug:

[root@ebi-prod01 sbin]# sshguard -d -a 2 -p 10
Started successfully [(a,p,s)=(2, 10, 1200)], now ready to scan.
Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from 128.32.152.8 port 61158 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 96 ("Apr 21 14:11:00 ebi-prod01 sshd[21594]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 169 (" ")
--accepting rule at line 113 ("Failed password for adam from ")
Next token is token SSH_LOGINERR_PREF ()
Shifting token SSH_LOGINERR_PREF ()
Entering state 6
Reading a token: --accepting rule at line 159 ("128")
Next token is token INTEGER ()
Error: popping token SSH_LOGINERR_PREF ()
Stack now 0 1
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token INTEGER ()
Stack now 0

I've tried modifying the input but only get a reasonable response when I use a hostname:

[root@ebi-prod01 sbin]# sshguard -d -a 2 -p 10
Started successfully [(a,p,s)=(2, 10, 1200)], now ready to scan.
Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from tech.dyn.berkeley.edu port 51152 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 96 ("Apr 21 14:11:00 ebi-prod01 sshd[21594]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 169 (" ")
--accepting rule at line 113 ("Failed password for adam from ")
Next token is token SSH_LOGINERR_PREF ()
Shifting token SSH_LOGINERR_PREF ()
Entering state 6
Reading a token: --accepting rule at line 158 ("tech.dyn.berkeley.edu")
Next token is token HOSTADDR ()
Shifting token HOSTADDR ()
Entering state 40
Reducing stack by rule 18 (line 115): $1 = token HOSTADDR ()
Could not resolve hostname 'tech.dyn.berkeley.edu' in IPv4 address: Unknown host.
Could not resolve hostname 'tech.dyn.berkeley.edu' in IPv6 address: Unknown host.
Could not resolve hostname 'tech.dyn.berkeley.edu' in IPv4 nor IPv6 address!
Stack now 0 1 6
Cleanup: popping token SSH_LOGINERR_PREF ()
Cleanup: popping token SYSLOG_BANNER_PID ()

I've also recompiled and replaced the binary to no avail. I am afraid that I did see this symptom at one point during my first installation, but I have no notes on what cleared the problem. Any suggestions?

thanks
Adam

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
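The step that is failing in the trace above is the one that pulls the source address out of an sshd "Failed password" line and decides what to do with it. The following is an added example, not sshguard's code and not a diagnosis of the installation in this thread: a small Python stand-in for that parsing step. It extracts the address with a regular expression, classifies it as IPv4, IPv6 or hostname without touching DNS (so it runs offline), and counts failures per literal address against an abuse threshold in the spirit of sshguard's -a option. The regular expression, the function names and the threshold handling are my assumptions; the sample log lines are constructed for the example and include the two lines quoted in the post.

```python
"""Stand-in for the log-parsing step of an sshguard-style tool.

Added example, not sshguard's own code: extracts the source address from
sshd "Failed password" lines, classifies it without DNS, and counts
failures per source against an abuse threshold.
"""
import ipaddress
import re
from collections import Counter

# Assumed line shape, modelled on the sshd lines quoted in the post.
# The address is captured as a run of non-space characters and classified
# afterwards, so "128.32.152.8" can never be cut short at "128".
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) "
    r"port (?P<port>\d+) ssh2$"
)


def classify(addr):
    """Return 'ipv4', 'ipv6' or 'hostname'. Hostnames are never resolved here."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"
    return "ipv4" if ip.version == 4 else "ipv6"


def parse_line(line):
    """Return a dict (ts, host, pid, user, addr, port, kind) for a failed
    password line, or None for any other line."""
    m = SSHD_FAILED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    rec["kind"] = classify(rec["addr"])
    return rec


def abusers(lines, threshold=2):
    """Count failures per literal IP address.

    Returns (flagged, counts, unresolved): addresses that reached the
    threshold, the per-address counts, and hostnames that were skipped
    because this offline example refuses to act on a name it did not resolve.
    """
    counts = Counter()
    unresolved = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "hostname":
            unresolved.append(rec["addr"])
            continue
        counts[rec["addr"]] += 1
    flagged = sorted(a for a, n in counts.items() if n >= threshold)
    return flagged, dict(counts), unresolved


# Constructed sample input: the two lines quoted in the post plus three
# made-up lines (a repeat from the same IPv4 source, an IPv6 source using
# the "invalid user" form, and a successful login that must be ignored).
SAMPLE_LOG = [
    "Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from 128.32.152.8 port 61158 ssh2",
    "Apr 21 14:11:03 ebi-prod01 sshd[21594]: Failed password for adam from 128.32.152.8 port 61159 ssh2",
    "Apr 21 14:11:00 ebi-prod01 sshd[21594]: Failed password for adam from tech.dyn.berkeley.edu port 51152 ssh2",
    "Apr 21 14:12:10 ebi-prod01 sshd[21601]: Failed password for invalid user oracle from 2001:db8::5 port 40022 ssh2",
    "Apr 21 14:12:11 ebi-prod01 sshd[21602]: Accepted publickey for adam from 10.0.0.7 port 50000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    flagged, counts, unresolved = abusers(SAMPLE_LOG, threshold=2)
    print("flagged:", flagged)
    print("counts:", counts)
    print("unresolved hostnames:", unresolved)
```

Feeding the block its own SAMPLE_LOG flags only 128.32.152.8 (two failures, threshold 2), counts one failure for 2001:db8::5, leaves the "Accepted publickey" line alone, and reports tech.dyn.berkeley.edu as unresolved rather than blocking anything for it. The design choice worth noting is that the address is captured as an opaque token first and classified second; a lexer that tries to recognise the address shape during tokenisation has to get the rule ordering right, or a leading "128" can be consumed as an integer before the address rule gets a chance.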