From: Mij <mi...@ss...> - 2010-01-13 20:52:31
Hi Andreas,

1.0 is older than me, so old that it's even antecedent to the current repository :) My best record is that the log message you are trying was removed as redundant. I.e., when the authentication failure occurs, there is another message generated that gets detected. Looking through the attack submission database, I find this example:

Jan 28 18:36:57 hostname sshd[11616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.host.cn
Jan 28 18:36:58 hostname sshd[11616]: Failed password for invalid user username from 1.2.3.4 port 43065 ssh2

Intuitively, the first message is generated by the PAM module performing the concrete auth lookup, and the second is generated by sshd itself when PAM returns the failure to its caller. Of course, feel free to bitch back here if your logs say anything different.

I assume that by "crash" you mean that the pattern is not recognized. The output you paste is totally standard when a message is not recognized.

On Jan 13, 2010, at 13:37 , Andreas Schuerch wrote:

> Hi,
>
> I get an error with sshguard and syslog-ng on Gentoo.
> The version 1.0 works without problems, but versions 1.4 and 1.5beta2
> just seem to crash when invoked directly from the syslogger!
> If I start them via "tail -n0 -F /var/log/auth.log | tee -a /dev/stderr | env SSHGUARD_DEBUG="" /usr/sbin/sshguard" I get the following output:
>
> Run command "iptables -L": exited 0.
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Jan 13 14:10:22 sdb sshd[21506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:22 sdb sshd[21506]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 186 (" ")
> --accepting rule at line 185 ("pam_unix")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
> Jan 13 14:10:24 sdb sshd[21504]: error: PAM: Authentication failure for root from 192.168.0.1
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Jan 13 14:10:24 sdb sshd[21504]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 186 (" ")
> --accepting rule at line 185 ("error")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
>
> What could be wrong here!?
>
> Thanks in advance,
> Andreas
> --------------------------
> --> NativeMail System <---
> --------------------------
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
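The three message shapes quoted in this thread (pam_unix's own "authentication failure; ... rhost=..." line, sshd's "Failed password for ... from ... port ..." line, and sshd's "error: PAM: Authentication failure for ... from ..." line) run through a small classifier. This is an added example written for this page; it is not sshguard's lex/yacc parser and not code from either poster. The rule names, the `attempt` flag, the `classify`/`count_attempts` functions and the hostname check are this example's own choices, and the sample input is the log lines quoted above plus one constructed cron line. It follows Mij's reasoning: the pam_unix line is redundant with the sshd line for the same connection, so only the sshd-originated line is counted as an attempt, which avoids counting one failed login twice. It also makes visible why a pam_unix line alone is a poor trigger: its rhost= field may be a hostname rather than an address, as in the `mail.host.cn` example, and a firewall rule needs an IP literal. Whether any sshguard release recognizes the "error: PAM:" form is not settled by this thread; the example simply matches it.

```python
"""Classify sshd authentication-failure syslog lines (added example, not sshguard code)."""
import re
from ipaddress import ip_address

# Syslog prefix as it appears in the thread, e.g. "Jan 13 14:10:22 sdb sshd[21506]: ..."
SYSLOG_BANNER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Rule 1: sshd's own report, the message Mij says is the one that gets detected.
SSHD_FAILED = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+(?: ssh2)?$"
)

# Rule 2: sshd relaying a PAM failure (the second line in Andreas's debug output).
SSHD_PAM_ERROR = re.compile(
    r"^error: PAM: Authentication failure for (?P<user>\S+) from (?P<addr>\S+)$"
)

# Rule 3: pam_unix's own line. Its rhost= may be empty, an IP, or a hostname,
# and an sshd line for the same connection follows, so it is not counted.
PAM_UNIX = re.compile(
    r"^pam_unix\((?P<service>[^:]+):auth\): authentication failure; (?P<kv>.*)$"
)


def _kv(fields):
    """Parse 'logname= uid=0 euid=0 tty=ssh ruser= rhost=x user=root' into a dict."""
    out = {}
    for tok in fields.split():
        key, _, val = tok.partition("=")
        out[key] = val
    return out


def is_ip_literal(addr):
    """True if addr is a v4/v6 address literal (a hostname is not ban-able as-is)."""
    try:
        ip_address(addr)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a dict describing an sshd auth failure, or None for anything else."""
    m = SYSLOG_BANNER.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    pid, msg = m.group("pid"), m.group("msg")

    f = SSHD_FAILED.match(msg)
    if f:
        return {"rule": "sshd_failed", "pid": pid, "user": f.group("user"),
                "addr": f.group("addr"), "invalid_user": f.group("invalid") is not None,
                "attempt": True}
    f = SSHD_PAM_ERROR.match(msg)
    if f:
        return {"rule": "sshd_pam_error", "pid": pid, "user": f.group("user"),
                "addr": f.group("addr"), "invalid_user": False, "attempt": True}
    f = PAM_UNIX.match(msg)
    if f:
        kv = _kv(f.group("kv"))
        return {"rule": "pam_unix", "pid": pid, "user": kv.get("user") or None,
                "addr": kv.get("rhost") or None, "invalid_user": False,
                "attempt": False}  # redundant with the sshd line for the same pid
    return None


def count_attempts(lines):
    """Failed attempts per source, counting only sshd-originated lines with an IP literal."""
    counts = {}
    for line in lines:
        rec = classify(line)
        if rec and rec["attempt"] and rec["addr"] and is_ip_literal(rec["addr"]):
            counts[rec["addr"]] = counts.get(rec["addr"], 0) + 1
    return counts


# Sample input: the four lines quoted in this thread, plus one constructed cron line
# to show that non-sshd messages are ignored.
SAMPLE = [
    "Jan 28 18:36:57 hostname sshd[11616]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.host.cn",
    "Jan 28 18:36:58 hostname sshd[11616]: Failed password for invalid user username "
    "from 1.2.3.4 port 43065 ssh2",
    "Jan 13 14:10:22 sdb sshd[21506]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 user=root",
    "Jan 13 14:10:24 sdb sshd[21504]: error: PAM: Authentication failure for root from 192.168.0.1",
    "Jan 13 14:10:30 sdb cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",  # constructed
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(classify(sample_line))
    print(count_attempts(SAMPLE))  # one attempt each for 1.2.3.4 and 192.168.0.1
```

Feeding the sample through `count_attempts` yields one attempt each for 1.2.3.4 and 192.168.0.1: the two pam_unix lines are classified but not counted, so the `sshd[11616]` attempt is seen once rather than twice, and the cron line is dropped at the banner check. If you want to see the same decision sshguard's debug trace makes, compare the `rule` field for Andreas's two lines: the first is `pam_unix` (not an attempt), the second is `sshd_pam_error`, which this example counts but which the 1.4/1.5beta2 trace above shows being rejected after the banner token.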