From: Robert S <rob...@gm...> - 2010-04-11 08:58:38

>> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
>>
>> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:
>
> Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.
>
> What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
> See http://www.sshguard.net/docs/setup/getlogs/log-sucker/

I have reinstalled 1.5 and have it running in the background using the log sucker:

# ps ax | grep sshguard
7730 ?        Sl     0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:

Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.

Later in the day there was an intrusion attempt:

Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
<etc>

.. no attempt by sshguard to block it.

I've also tried logging in from www.xxx.yyy.zzz again:

Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups

Thus the log sucking (and also the syslog) method seems to work initially, but later stops.

If I kill the sshguard process then it works again:

Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.

I can't seem to explain this behaviour. I've tried several versions and nothing before 1.5 seems to work consistently.
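The message above hinges on a simple question: given the sshd lines that reached syslog, should sshguard have emitted a "Blocking ..." line? The replay below is an added example written for this thread, not code from sshguard or from the poster. It re-implements the scoring idea visible in the "40 danger over N seconds" lines (10 danger per recognised attack, block at 40, which are sshguard's default values) on top of a small syslog parser, so the excerpted auth.log lines can be replayed offline and the expected block decision compared with what sshguard actually logged. The window length, the exact set of sshd messages treated as attacks, and the year assumed for the syslog timestamps are assumptions of this example. The sample lines are copied from the thread (the placeholder address www.xxx.yyy.zzz is the poster's own).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd messages counted as an attack (assumed pattern set, modelled on the lines in this thread)
ATTACK_PATTERNS = [
    re.compile(r"User \S+ from (?P<src>\S+) not allowed because none of user's groups are listed in AllowGroups"),
    re.compile(r"PAM: Authentication failure for illegal user \S+ from (?P<src>\S+)"),
    re.compile(r"Failed keyboard-interactive/pam for invalid user \S+ from (?P<src>\S+) port \d+"),
]
# BSD syslog line: "Apr 11 08:17:47 myhost sshd[7743]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

DANGER_PER_ATTACK = 10   # sshguard's default danger per recognised attack
BLOCK_THRESHOLD = 40     # sshguard's default blocking threshold
WINDOW_SECONDS = 120     # assumption: how long an attack stays in the running score
LOG_YEAR = 2010          # assumption: syslog timestamps carry no year; the thread is from April 2010


def parse_attack(line):
    """Return (timestamp, source) if the line is a recognised sshd attack, else None."""
    m = SYSLOG_LINE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    for pattern in ATTACK_PATTERNS:
        hit = pattern.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, hit.group("src")
    return None


class DangerTracker:
    """Per-source sliding window of attack timestamps; decides when the threshold is crossed."""

    def __init__(self):
        self.recent = defaultdict(deque)   # source -> attack timestamps inside the window
        self.blocked = {}                  # source -> time the block decision was made

    def feed(self, line):
        """Feed one log line; return a block message if this line crosses the threshold."""
        parsed = parse_attack(line)
        if parsed is None:
            return None
        ts, src = parsed
        if src in self.blocked:
            return None                    # already blocked: nothing more to decide
        window = self.recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()               # expire attacks older than the window
        danger = len(window) * DANGER_PER_ATTACK
        if danger < BLOCK_THRESHOLD:
            return None
        self.blocked[src] = ts
        span = int((ts - window[0]).total_seconds())
        return f"Blocking {src}: {danger} danger over {span} seconds"


def replay(lines):
    """Run the lines through a fresh tracker and collect the block decisions in order."""
    tracker = DangerTracker()
    return [msg for msg in (tracker.feed(line) for line in lines) if msg]


# Sample input: the 08:17 and 18:48 excerpts from the thread (sshd lines only).
MORNING_RUN = [
    "Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups",
    "Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root",
    "Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz",
    "Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2",
    "Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root",
    "Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz",
]
EVENING_RUN = [
    "Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups",
    "Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups",
    "Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups",
    "Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups",
]

if __name__ == "__main__":
    for name, run in (("morning", MORNING_RUN), ("evening", EVENING_RUN)):
        print(name, replay(run) or "no block")
```

Replaying the morning excerpt yields one block on the sixth line, which is where sshguard also logged its block; replaying the 18:48 excerpt yields a block on the fourth line, which is where sshguard logged nothing. That is the useful check when a watcher goes quiet: if the replay says "block" for lines that are provably in the file and the real process logged nothing, the log feed (syslog-ng destination or log sucker) is the suspect rather than the scoring, and a restart that restores blocking, as the poster saw, points the same way.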