From: Mij <mi...@ss...> - 2010-04-11 12:08:19
All of the messages you report should be recognized by sshguard. It may be a problem in the log sucker, although I'd be surprised not to have similar reports earlier. It's more difficult to investigate the problem here then.

Some ways you can proceed, when you notice attacks that aren't being blocked:

1) run a "grep sshguard /var/log/auth.log" (or wherever sshguard logging is sent):
   - any message besides the Blocking ones?
2) do a "ls -l" on the log files you're making sshguard monitor. Is any of them fresh (just rotated)?
3) check with top, ps, and lsof (or equivalent for your OS):
   - is sshguard taking significant CPU load? (looping)
   - what is the state reported by ps?
   - what files are open?
4) any change if you suspend and resume sshguard:
   killall -TSTP sshguard
   sleep 2
   killall -CONT sshguard

If you're up for harder stuff, you can proceed with:

1) changing sshguard_log_minloglevel to LOG_DEBUG in src/sshguard_log.c and recompiling
2) compiling with debug symbols:
   ./configure --enable-debug --with-firewall=yours
   make

then, when observing the "downtime", attach to the running process from gdb:

   ps ax | grep sshguard   --> read the PID
   gdb
   (gdb) attach PID
   ...
   (gdb) break
   (gdb) backtrace full

On Apr 11, 2010, at 10:58, Robert S wrote:

> >> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked. It appears that the syslog-ng config is not sending messages to sshguard.
> >>
> >> I have just downgraded sshguard to 1.4.4 and the logging is appearing again in my system log:
> >
> > Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate
> > the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.
> >
> > What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
> > See
> > http://www.sshguard.net/docs/setup/getlogs/log-sucker/
>
> I have reinstalled 1.5 and have it running in the background using the log sucker:
>
> # ps ax |grep sshguard
> # 7730 ? Sl 0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:
>
> Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
> Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz user=root
> Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.
>
> Later in the day there was an intrusion attempt:
>
> Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> <etc>
>
> .. no attempt by sshguard to block it
>
> I've also tried logging in from www.xxx.yyy.zzz again:
>
> Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
>
> Thus the log sucking (and also the syslog) method seems to work initially, but later stops.
>
> If I kill the sshguard process then it works again:
>
> Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.
>
> I can't seem to explain this behaviour. I've tried several versions and nothing before 1.5 seems to work consistently.
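The first diagnostic step above (grep the log for sshguard and compare what sshd logged against what sshguard blocked) can be automated so that a "worked for a while, then stopped" gap like the one Robert describes shows up without reading the file by hand. The script below is an added example written for this thread; it is not sshguard's own parser or scoring. The two sshd line shapes it recognizes as attacks, the threshold of 4 attacks within 120 seconds, and the sample log lines (documentation addresses, adapted from the format quoted in the thread) are all assumptions constructed for the example: any source that reaches the threshold without a matching "Blocking" line from sshguard afterwards is reported as missed.

```python
"""Audit an auth.log excerpt: which attack sources reached the block threshold
but never got a matching 'Blocking' line from sshguard?  (added example,
not sshguard code)"""
import re
import sys
from datetime import datetime

# ASSUMPTIONS for this example, not sshguard's real parser or danger scoring:
# 4 recognised attack lines from one source inside 120 s means "should have
# been blocked by now".
THRESHOLD = 4
WINDOW_SECONDS = 120

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
# Two sshd messages treated as attacks: the AllowGroups rejection seen in the
# thread, and the generic "Failed <method> for [invalid user] X from ADDR port".
ATTACK_RE = re.compile(
    TS + r' \S+ sshd\[\d+\]: (?:'
    r'User \S+ from (?P<a1>\S+) not allowed'
    r'|Failed \S+ for (?:invalid user )?\S+ from (?P<a2>\S+) port'
    r')')
# sshguard's own line: "Blocking ADDR:KIND for >Nsecs: ..." (KIND 4 = IPv4)
BLOCK_RE = re.compile(
    TS + r' \S+ sshguard\[\d+\]: Blocking (?P<addr>.+?):\d+ for ')


def parse_ts(text):
    # syslog timestamps carry no year; only differences within one file matter
    return datetime.strptime(' '.join(text.split()), '%b %d %H:%M:%S')


def audit(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {'blocked': {addr: ts_of_block},
               'missed':  {addr: (attacks_in_window, ts_threshold_reached)}}."""
    recent = {}    # addr -> attack timestamps still inside the window
    pending = {}   # addr -> (count, ts) : over threshold, awaiting a Blocking line
    blocked = {}
    for line in lines:
        m = BLOCK_RE.match(line)
        if m:
            addr = m.group('addr')
            blocked[addr] = m.group('ts')
            pending.pop(addr, None)   # sshguard did its job for this source
            recent.pop(addr, None)
            continue
        m = ATTACK_RE.match(line)
        if not m:
            continue                  # pam_unix noise etc. is not counted
        addr = m.group('a1') or m.group('a2')
        now = parse_ts(m.group('ts'))
        hits = [t for t in recent.get(addr, []) if (now - t).total_seconds() <= window]
        hits.append(now)
        recent[addr] = hits
        if len(hits) >= threshold:
            _, first = pending.get(addr, (0, m.group('ts')))
            pending[addr] = (len(hits), first)
    return {'blocked': blocked, 'missed': dict(pending)}


# Constructed sample: one source that sshguard blocked, one it never did.
SAMPLE_LOG = """\
Apr 11 08:17:47 myhost sshd[7743]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from 198.51.100.7 port 34596 ssh2
Apr 11 08:17:52 myhost sshd[7743]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from 198.51.100.7 port 34596 ssh2
Apr 11 08:17:55 myhost sshguard[7730]: Blocking 198.51.100.7:4 for >420secs: 40 danger over 7 seconds.
Apr 11 16:02:35 myhost sshd[19986]: User root from 203.0.113.5 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:38 myhost sshd[19988]: User root from 203.0.113.5 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:41 myhost sshd[19990]: User root from 203.0.113.5 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:44 myhost sshd[19992]: User root from 203.0.113.5 not allowed because none of user's groups are listed in AllowGroups
Apr 11 16:02:47 myhost sshd[19994]: User root from 203.0.113.5 not allowed because none of user's groups are listed in AllowGroups
""".splitlines()


def report(lines):
    result = audit(lines)
    for addr, ts in result['blocked'].items():
        print('blocked  %-16s at %s' % (addr, ts))
    for addr, (n, ts) in result['missed'].items():
        print('MISSED   %-16s %d attacks, threshold reached at %s, no Blocking line'
              % (addr, n, ts))
    return result


if __name__ == '__main__':
    # pipe a real file in ("python3 audit.py < /var/log/auth.log"), else use the sample
    report(sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG)
```

Run against a real auth.log the "MISSED" lines are the sources worth checking against steps 2 to 4 above: if they start right after a log rotation, the file sshguard is reading is no longer the file sshd writes to.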