From: Mij <mi...@ss...> - 2010-07-05 16:34:07
Hi Daniel

Skimming through the output you included:

- recognition seems fine, but it appears that after your log message there is some stray blank, so sshguard doesn't want to match that as "regular". Your log message seems to be:

"Jun 30 18:24:57 naruto sshd[2229]: error: PAM: authentication error for \
daniel from ec2-12-12-12-12.compute-1.amazonaws.com "

(notice the trailing " ")

Is that from your actual sshd daemon or were you injecting them manually?

- you seem not to be running a recent version of sshguard, as the rule for multiple lines doesn't show up. Please try with a recent version.

On Jul 1, 2010, at 03:36 , Daniel wrote:

> Hi,
>
> After using sshguard successfully for a long time with the current setup, I noticed upon reboot that it was not guarding anymore. I'm using the sshguard-ipfw version. It doesn't seem to do any detection of the login failures and so doesn't respond.
> It was working as recently as two weeks ago and my version has not changed. Below is the log. I'm more used to seeing this:
>
> system.log.1:Jun 28 04:40:55 naruto sshguard[785]: Blocking 118.97.232.236:4 for >420secs: 4 failures over 2 seconds.
>
> Now I get:
>
> Successfully resolved 'ec2-12-12-12-12.compute-1.amazonaws.com' --> 4:'12.12.12.12'.
>
>
> Any input of why it may not be working is appreciated.
>
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto sshd[2229]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 121 ("error: PAM: authentication error for daniel from ")
> Next token is token SSH_LOGINERR_PAM ()
> Shifting token SSH_LOGINERR_PAM ()
> Entering state 7
> Reading a token: --accepting rule at line 169 ("
> ec2-12-12-12-12.compute-1.amazonaws.com
> ")
> Next token is token HOSTADDR ()
> Shifting token HOSTADDR ()
> Entering state 40
> Reducing stack by rule 18 (line 118):
> $1 = token HOSTADDR ()
> Successfully resolved '
> ec2-12-12-12-12.compute-1.amazonaws.com
> ' --> 4:'12.12.12.12'.
> -> $$ = nterm addr ()
> Stack now 0 1 7
> Entering state 44
> Reducing stack by rule 27 (line 187):
> $1 = token SSH_LOGINERR_PAM ()
> $2 = nterm addr ()
> -> $$ = nterm ssh_authfail ()
> Stack now 0 1
> Entering state 25
> Reducing stack by rule 20 (line 172):
> $1 = nterm ssh_authfail ()
> -> $$ = nterm sshmsg ()
> Stack now 0 1
> Entering state 23
> Reducing stack by rule 9 (line 99):
> $1 = nterm sshmsg ()
> -> $$ = nterm logmsg ()
> Stack now 0 1
> Entering state 35
> Reducing stack by rule 5 (line 76):
> $1 = token SYSLOG_BANNER_PID ()
> $2 = nterm logmsg ()
> -> $$ = nterm syslogent ()
> Stack now 0
> Entering state 19
> Reducing stack by rule 1 (line 60):
> $1 = nterm syslogent ()
> -> $$ = nterm text ()
> Stack now 0
> Entering state 18
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 179 ("via")
> Next token is token WORD ()
> Error: popping nterm text ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 102 ("Jun 30 18:24:57 naruto sshd[2235]:")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 180 (" ")
> --accepting rule at line 179 ("in")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
> Got exit signal, flushing blocked addresses and exiting...
>
>
> --
> "America was founded by men who understood that the threat of domestic tyranny is as great as any threat from abroad. If we want to be worthy of their legacy, we must resist the rush toward ever-increasing state control of our society. Otherwise, our own government will become a greater threat to our freedoms than any foreign terrorist."
> - Ron Paul, Texas Straight Talk, May 31, 2004
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
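
Added example, not part of the thread and not sshguard's code: a small whole-line recogniser showing why a login failure that is recognised up to the host address still goes uncounted when anything follows it, and how to list such lines. The three regexes are assumptions that only approximate the SYSLOG_BANNER_PID, SSH_LOGINERR_PAM and HOSTADDR tokens named in the trace, and the sample lines are constructed from the message and trace quoted above.

```python
import re

# Assumed approximations of the tokens named in the trace; not sshguard's grammar.
BANNER = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]:")
PAM_FAIL = re.compile(r" error: PAM: authentication error for \S+ from ")
HOSTADDR = re.compile(r"[0-9A-Za-z][0-9A-Za-z.-]*")


def classify(line):
    """Return (verdict, host, leftover) for one log line, newline already stripped."""
    pos = 0
    for token in (BANNER, PAM_FAIL, HOSTADDR):
        m = token.match(line, pos)
        if m is None:
            return ("unrecognized", None, line[pos:])
        pos = m.end()
    host, leftover = m.group(0), line[pos:]
    # Whole-line rule: the failure only counts if nothing follows the address.
    if leftover:
        return ("failure-seen-but-rejected", host, leftover)
    return ("counted", host, "")


def silent_misses(lines):
    """Lines where a login failure was recognised but would never be counted."""
    out = []
    for line in lines:
        verdict, host, leftover = classify(line)
        if verdict == "failure-seen-but-rejected":
            out.append((host, leftover))
    return out


# Constructed sample lines, modelled on the message and trace quoted in the thread.
PREFIX = ("Jun 30 18:24:57 naruto sshd[2229]: error: PAM: authentication error "
          "for daniel from ec2-12-12-12-12.compute-1.amazonaws.com")
SAMPLES = [
    PREFIX,                                   # nothing after the host
    PREFIX + " ",                             # trailing blank
    PREFIX + " via",                          # extra word after the host
    "Jun 30 18:24:57 naruto sshd[2235]: in",  # banner only, no failure rule
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Running `silent_misses` over a copy of the real auth log gives the hosts whose failures the recogniser saw but dropped, together with the leftover text that caused the rejection.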