From: Teuxe <te...@fr...> - 2010-02-07 02:09:23
Hi,
[This mail contains log dumps; I apologize in advance for its length.]
I installed sshguard some days ago as a syslog-ng log service:
destination dp_sshguard {
    program("/usr/local/sbin/sshguard -f 100:/var/run/sshd.pid"
            template("$DATE $FULLHOST $MESSAGE\n"));
};
filter f_sshlogs {
    facility(auth, authpriv)
    and not match("sshguard");
};
log {
    source(s_all);
    filter(f_sshlogs);
    destination(dp_sshguard);
};
I kept the default configuration (4 failures add an entry in table
"sshguard") and I found it was working well (at first), since it blocked
a login attempt from a computer connected by Ethernet.
Later on (there was a reboot on Feb 3 09:45), I noticed in auth.log that
a first attempt is detected correctly:
Feb 3 18:24:04 neo sshd[3234]: Address 212.156.65.78 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 3 18:24:04 neo sshd[3234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
Feb 3 18:24:06 neo sshd[3234]: Failed password for root from 212.156.65.78 port 36865 ssh2
Feb 3 18:24:07 neo sshd[3238]: Address 212.156.65.78 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 3 18:24:07 neo sshd[3238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
Feb 3 18:24:09 neo sshd[3238]: Failed password for root from 212.156.65.78 port 37262 ssh2
Feb 3 18:24:10 neo sshd[3242]: Address 212.156.65.78 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 3 18:24:10 neo sshd[3242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
Feb 3 18:24:12 neo sshd[3242]: Failed password for root from 212.156.65.78 port 37674 ssh2
Feb 3 18:24:13 neo sshd[3246]: Address 212.156.65.78 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Feb 3 18:24:13 neo sshd[3246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.156.65.78 user=root
Feb 3 18:24:15 neo sshd[3246]: Failed password for root from 212.156.65.78 port 38040 ssh2
Feb 3 18:24:15 neo sshguard[2138]: Blocking 212.156.65.78:4 for >420secs: 4 failures over 9 seconds.
... but the following ones are not detected AT ALL (there are plenty of
such attempts, in bulk):
Feb 4 00:53:19 neo sshd[3927]: Did not receive identification string from 163.43.128.225
Feb 4 00:57:14 neo sshd[3930]: Invalid user admin from 163.43.128.225
Feb 4 00:57:14 neo sshd[3930]: pam_unix(sshd:auth): check pass; user unknown
Feb 4 00:57:14 neo sshd[3930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
Feb 4 00:57:15 neo sshd[3930]: Failed password for invalid user admin from 163.43.128.225 port 48550 ssh2
Feb 4 00:57:23 neo sshd[3932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225 user=root
Feb 4 00:57:25 neo sshd[3932]: Failed password for root from 163.43.128.225 port 49018 ssh2
Feb 4 00:57:32 neo sshd[3934]: Invalid user stud from 163.43.128.225
Feb 4 00:57:32 neo sshd[3934]: pam_unix(sshd:auth): check pass; user unknown
Feb 4 00:57:32 neo sshd[3934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
Feb 4 00:57:34 neo sshd[3934]: Failed password for invalid user stud from 163.43.128.225 port 49488 ssh2
Feb 4 00:57:42 neo sshd[3936]: Invalid user trash from 163.43.128.225
Feb 4 00:57:42 neo sshd[3936]: pam_unix(sshd:auth): check pass; user unknown
Feb 4 00:57:42 neo sshd[3936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
Feb 4 00:57:44 neo sshd[3936]: Failed password for invalid user trash from 163.43.128.225 port 49962 ssh2
Feb 4 00:57:51 neo sshd[3938]: Invalid user aaron from 163.43.128.225
Feb 4 00:57:51 neo sshd[3938]: pam_unix(sshd:auth): check pass; user unknown
Feb 4 00:57:51 neo sshd[3938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=163.43.128.225
Feb 4 00:57:53 neo sshd[3938]: Failed password for invalid user aaron from 163.43.128.225 port 50460 ssh2
Feb 6 03:12:16 neo sshd[12669]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xenmaster01.drecomm.nl user=root
Feb 6 03:12:17 neo sshd[12669]: Failed password for root from 91.209.192.28 port 34608 ssh2
Feb 6 03:12:17 neo sshd[12671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xenmaster01.drecomm.nl user=root
Feb 6 03:12:19 neo sshd[12671]: Failed password for root from 91.209.192.28 port 34895 ssh2
Feb 6 03:12:19 neo sshd[12673]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xenmaster01.drecomm.nl user=root
Feb 6 03:12:22 neo sshd[12673]: Failed password for root from 91.209.192.28 port 35196 ssh2
However, after some time it works again, once (but after... 2 failures ONLY):
Feb 6 15:13:08 neo sshd[13617]: Invalid user lucus from 92.46.123.11
Feb 6 15:13:08 neo sshd[13617]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:13:08 neo sshd[13617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.123.11
Feb 6 15:13:09 neo sshd[13617]: Failed password for invalid user lucus from 92.46.123.11 port 51418 ssh2
Feb 6 15:13:16 neo sshd[13623]: Invalid user luis from 92.46.123.11
Feb 6 15:13:16 neo sshd[13623]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:13:16 neo sshd[13623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.123.11
Feb 6 15:13:18 neo sshd[13623]: Failed password for invalid user luis from 92.46.123.11 port 55350 ssh2
Feb 6 15:13:18 neo sshguard[12878]: Blocking 92.46.123.11:4 for >420secs: 4 failures over 10 seconds.
I first checked that the daemon was still running using "ps faux |
grep sshguard"; it was still there. There has been no reboot since the
first detection:
# date -R; uptime
Sun, 07 Feb 2010, 02:27:02 +0100
02:27:02 up 3 days, 16:40, 5 users, load average: 0.43, 0.24, 0.20
I decided to attempt false ssh logins from localhost: none were detected,
while the entries are present in auth.log:
Feb 7 01:57:39 neo sshd[17773]: Invalid user xxx from 127.0.0.1
Feb 7 01:57:39 neo sshd[17773]: Failed none for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:40 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1 port 37232 ssh2
Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1 port 37232 ssh2
Feb 7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1 port 37232 ssh2
Feb 7 01:59:40 neo sshd[17806]: Failed password for root from 127.0.0.1 port 37233 ssh2
Feb 7 01:59:41 neo sshd[17806]: Failed password for root from 127.0.0.1 port 37233 ssh2
Feb 7 01:59:42 neo sshd[17806]: Failed password for root from 127.0.0.1 port 37233 ssh2
--> I notice that the traces are quite different: pam_unix is not shown for
the localhost attempts (maybe this is normal for localhost?).
Currently I have no other computer to make an "external test" (the
previous one is dead :-/ ).
Do you have any idea what could be happening? Which tests can I do?
Thanks a lot,
Teuxe
PS. By the way, I may have updated my standard system in between; maybe
the ssh log formats have changed?
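The rule the mail relies on ("N failures from one source inside a window, then block") can be replayed by hand over the log excerpts above, which makes it easy to see which of the pasted bursts should have tripped the default threshold of 4. The following is an added example written for this thread, not code from the original mail or from sshguard itself; it re-implements that counting rule in a few lines of Python and feeds it lines copied from the excerpts above. Counting only the "Failed password for ..." line of each attempt (and not the "Invalid user" or pam_unix lines that describe the same attempt) is a design choice of this example; the window length of 600 seconds and the year 2010 (syslog timestamps carry no year; the mail is dated February 2010) are assumptions.

```python
"""Sliding-window failed-login counter over sshd auth.log lines.

Added example for the mailing-list thread, not part of sshguard: it
replays the "N failures from one source within a window => block" rule
over log lines copied from the mail so each burst can be checked by hand.
Assumptions: threshold 4 (sshguard's default), window 600 s, year 2010.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One "Failed password" line per rejected attempt. The "Invalid user ..."
# and pam_unix lines describe the same attempt and would double-count it,
# so they are deliberately not matched; "Failed none" (the client's
# initial no-credential probe) is not counted either.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

ASSUMED_YEAR = 2010  # assumption: syslog timestamps carry no year


def parse_failure(line):
    """Return (timestamp, source, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the "Feb  3" padding
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def decide_blocks(lines, threshold=4, window_seconds=600):
    """Replay lines in order; return {source: (block_time, failures, span_s)}.

    A source is decided once: after the threshold is reached, later lines
    from it are ignored, mirroring a daemon that has already blocked it.
    """
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src, _user = parsed
        if src in blocked:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            span = int((ts - q[0]).total_seconds())
            blocked[src] = (ts, len(q), span)
    return blocked


# Lines copied from the excerpts in the mail (one "Failed none" line
# included to show it is ignored).
SAMPLE_LINES = """\
Feb  3 18:24:06 neo sshd[3234]: Failed password for root from 212.156.65.78 port 36865 ssh2
Feb  3 18:24:09 neo sshd[3238]: Failed password for root from 212.156.65.78 port 37262 ssh2
Feb  3 18:24:12 neo sshd[3242]: Failed password for root from 212.156.65.78 port 37674 ssh2
Feb  3 18:24:15 neo sshd[3246]: Failed password for root from 212.156.65.78 port 38040 ssh2
Feb  4 00:57:14 neo sshd[3930]: Invalid user admin from 163.43.128.225
Feb  4 00:57:15 neo sshd[3930]: Failed password for invalid user admin from 163.43.128.225 port 48550 ssh2
Feb  4 00:57:25 neo sshd[3932]: Failed password for root from 163.43.128.225 port 49018 ssh2
Feb  4 00:57:34 neo sshd[3934]: Failed password for invalid user stud from 163.43.128.225 port 49488 ssh2
Feb  4 00:57:44 neo sshd[3936]: Failed password for invalid user trash from 163.43.128.225 port 49962 ssh2
Feb  4 00:57:53 neo sshd[3938]: Failed password for invalid user aaron from 163.43.128.225 port 50460 ssh2
Feb  6 03:12:17 neo sshd[12669]: Failed password for root from 91.209.192.28 port 34608 ssh2
Feb  6 03:12:19 neo sshd[12671]: Failed password for root from 91.209.192.28 port 34895 ssh2
Feb  6 03:12:22 neo sshd[12673]: Failed password for root from 91.209.192.28 port 35196 ssh2
Feb  6 15:13:09 neo sshd[13617]: Failed password for invalid user lucus from 92.46.123.11 port 51418 ssh2
Feb  6 15:13:18 neo sshd[13623]: Failed password for invalid user luis from 92.46.123.11 port 55350 ssh2
Feb  7 01:57:39 neo sshd[17773]: Failed none for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb  7 01:57:40 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb  7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb  7 01:57:41 neo sshd[17773]: Failed password for invalid user xxx from 127.0.0.1 port 37225 ssh2
Feb  7 01:59:37 neo sshd[17802]: Failed password for root from 127.0.0.1 port 37232 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, (when, n, span) in decide_blocks(SAMPLE_LINES).items():
        print(f"{when:%b %d %H:%M:%S} block {src}: {n} failures over {span}s")
```

Run as-is, the replay reproduces sshguard's own decision for the first burst (212.156.65.78: 4 failures over 9 seconds, decided on the 18:24:15 line), flags 163.43.128.225 on its fourth failure at 00:57:44, and also flags the localhost test at 01:59:37; 91.209.192.28 (three failures) and 92.46.123.11 (two) stay under the threshold. Comparing such a replay with what the daemon actually logged is a quick way to separate "the lines never reached the daemon" (a syslog-ng routing or pipe issue) from "the daemon saw them but did not match them" (a log-format issue), which are the two hypotheses raised in the mail.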