From: Mij <mi...@ss...> - 2011-01-27 18:52:04

Hi Marcus,

Your logs seem to say that sshguard is not receiving those messages. Please try out the following possibilities:

1) replace "|/usr/local/sbin/sshguard" with "|exec /usr/local/sbin/sshguard" in syslog.conf (and reload)

2) if you still see nothing, replace "|/usr/local/sbin/sshguard" with "|tee -a /tmp/myfile | /usr/local/sbin/sshguard" (and reload), then see with "tail -F /tmp/myfile" if log entries are actually received.

3) comment the sshguard line in syslog, try to run sshguard in this mode: http://www.sshguard.net/docs/setup/getlogs/raw-file/ and see if /var/log/auth.log contains notifications from sshguard.

Essentially, you should find messages going:

Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshd[92022]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshguard[92021]: Blocking 70.84.184.242:4 for >630secs: 20 danger in 2 attacks over 1 seconds (all: 20d in 1 abuses over 1s).

On Dec 28, 2010, at 02:34 , Marcus wrote:

> I have asked the same question in forums.freebsd.org; no reply solved the problem.
>
> ------------
>
> /etc/syslog.conf has two lines
>
> auth.info;authpriv.info |/usr/local/sbin/sshguard
> auth.info;authpriv.info /var/log/auth.log
>
> # /etc/rc.d/syslogd reload
>
> /etc/pf.conf has only 5 lines
>
> ext_if="bce1"
> table <sshguard> persist
> block in quick on $ext_if from <sshguard>
> pass in
> pass out
>
> # pfctl -f /etc/pf.conf
>
> # top | grep sshg
> 1296 root 2 44 0 7184K 1604K nanslp 0 0:00 0.00% sshguard
>
> tested the brute force ssh, nothing found except
> ----------
> Dec 28 09:32:13 b sshguard[1445]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> Dec 28 09:32:42 b sshd[1447]: Invalid user a from 10.0.0.88
> Dec 28 09:32:42 b sshd[1447]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:42 b sshd[1447]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49464 ssh2
> Dec 28 09:32:43 b sshd[1447]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:43 b sshd[1447]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49464 ssh2
> Dec 28 09:32:48 b sshd[1451]: Invalid user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49465 ssh2
> Dec 28 09:32:48 b sshd[1451]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:48 b sshd[1451]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49465 ssh2
> Dec 28 09:32:52 b sshd[1455]: Invalid user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: error: PAM: authentication error for illegal user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: Failed keyboard-interactive/pam for invalid user ab from 10.0.0.88 port 49466 ssh2
> Dec 28 09:32:52 b sshd[1455]: error: PAM: authentication error for illegal user ab from 10.0.0.88
> Dec 28 09:32:52 b sshd[1455]: Failed keyboard-interactive/pam for invalid user ab from 10.0.0.88 port 49466 ssh2
> Dec 28 09:32:56 b sshd[1459]: Invalid user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49467 ssh2
> Dec 28 09:32:56 b sshd[1459]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:32:56 b sshd[1459]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49467 ssh2
> Dec 28 09:33:00 b sshd[1463]: Invalid user a from 10.0.0.88
> Dec 28 09:33:00 b sshd[1463]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:00 b sshd[1463]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49468 ssh2
> Dec 28 09:33:01 b sshd[1463]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:01 b sshd[1463]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49468 ssh2
> Dec 28 09:33:04 b sshd[1479]: Invalid user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49469 ssh2
> Dec 28 09:33:05 b sshd[1479]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:05 b sshd[1479]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49469 ssh2
> Dec 28 09:33:09 b sshd[1483]: Invalid user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49470 ssh2
> Dec 28 09:33:09 b sshd[1483]: error: PAM: authentication error for illegal user a from 10.0.0.88
> Dec 28 09:33:09 b sshd[1483]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49470 ssh2
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
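An added example, not part of the thread and not sshguard's own code: a small Python audit over the kind of auth.log lines quoted above. It counts sshd attack lines per source address and checks whether sshguard's own "Blocking" notification (the thing step 3 asks you to look for) ever appears for that address, which separates "attacks logged but sshguard silent" from "no attacks logged". The threshold/window rule and the sample log are my own constructions, not sshguard's scoring.

```python
"""Audit an auth log for sshd attack lines and sshguard 'Blocking' lines.
Added example; the threshold/window rule is an assumption, not sshguard's."""
import re
from collections import defaultdict
from datetime import datetime

# sshd wording as quoted in the thread; ip1/ip2 capture the source address
SSHD_ATTACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from (?P<ip1>[\d.]+)"
    r"|Failed \S+ for invalid user \S+ from (?P<ip2>[\d.]+) port \d+ ssh2)$")
# sshguard's reaction, e.g. "sshguard[92021]: Blocking 70.84.184.242:4 for >630secs"
SSHGUARD_BLOCK = re.compile(r" sshguard\[\d+\]: Blocking (?P<ip>[\d.]+):\d+ for ")

def parse_ts(stamp, year=2010):
    # syslog stamps carry no year; assume one so stamps can be compared
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def audit_auth_log(lines, threshold=4, window_s=60):
    """Per source IP: attack-line count, whether >= threshold attack lines fell
    inside window_s seconds, and whether sshguard announced a block for it."""
    attacks, blocked = defaultdict(list), set()
    for line in lines:
        m = SSHD_ATTACK.match(line.strip())
        if m:
            attacks[m.group("ip1") or m.group("ip2")].append(parse_ts(m.group("ts")))
        elif (b := SSHGUARD_BLOCK.search(line)):
            blocked.add(b.group("ip"))
    report = {}
    for ip, times in attacks.items():
        times.sort()  # sliding window over sorted timestamps
        should = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                     for i in range(len(times) - threshold + 1))
        report[ip] = {"attacks": len(times), "should_block": should, "blocked": ip in blocked}
    return report

def silent_attackers(report):
    """IPs over the threshold with no Blocking line: the symptom in the thread,
    i.e. syslog is not delivering the lines to sshguard."""
    return sorted(ip for ip, r in report.items() if r["should_block"] and not r["blocked"])

# Constructed sample, shortened from the lines quoted in the thread.
SAMPLE_LOG = """\
Dec 28 09:32:42 b sshd[1447]: Invalid user a from 10.0.0.88
Dec 28 09:32:42 b sshd[1447]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 28 09:32:42 b sshd[1447]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49464 ssh2
Dec 28 09:32:48 b sshd[1451]: Invalid user a from 10.0.0.88
Jan 2 18:57:40 x sshd[92019]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshd[92022]: Invalid user heroin from 70.84.184.242
Jan 2 18:57:41 x sshguard[92021]: Blocking 70.84.184.242:4 for >630secs: 20 danger in 2 attacks over 1 seconds (all: 20d in 1 abuses over 1s).
""".splitlines()
```

Run it over the output of the "tee -a /tmp/myfile" step from the reply: an address listed by silent_attackers() while "tail -F" shows its attacks means the lines reach the pipe but sshguard never reacts.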