From: Anne C. H. <or...@ug...> - 2011-08-11 02:42:47
As the title says, I've been experiencing a weird phenomenon where sshguard blocks my IP address for several minutes after one failed password attempt. I was still able to log in from a different IP address.

I'm using the Debian package version 1.5-3, which translates to sshguard version 1.5.0 (as indicated by "sshguard -v"). The relevant messages in my /var/log/auth.log file are:

Aug 10 21:27:21 bb sshd[532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.13 user=orion
Aug 10 21:27:23 bb sshd[532]: Failed password for orion from 192.168.1.13 port 43239 ssh2
Aug 10 21:27:23 bb sshguard[2961]: Blocking 192.168.1.13:4 for >630secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s).

When I look at the process information, I see the following:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 609 0.0 0.0 14856 1140 ? Sl 21:37 0:00 /usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log -w /etc/sshguard/whitelist -a 4 -p 420 -s 1200

As you can see, the "-a" flag has a value of 4. As far as I know my installation is vanilla and has not been manually reconfigured in any way.

On the sshguard version 1.5 manpage included with the package and located at:

http://www.sshguard.net/docs/man/sshguard/1_5/

this flag is described as "sAfety_tresh" (misspelled and miscapitalized, I'd note), and is claimed to have a default value of 40. If this value were indeed in play, I'd have to fail to log in 4 (5?) times to be locked out, since each login failure increases the dangerousness by 10.

However, I notice that on another version of the manpage, located here:

http://www.sshguard.net/docs/man/sshguard/

the "-a" flag is described as the "abuse_tresh" (still misspelled), and is claimed to have a default value of 4. This appears to be intended as a number of attacks rather than a "dangerousness" score.

It appears that somehow my default "-a" value is still set to 4 even though "-a" now represents dangerousness score rather than abuse count. I don't know if this is a problem in the Debian package or a problem in the upstream code, but I would like to know how I can fix this, seeing as how sshguard doesn't have a config file and is being automatically run on boot by its init script (in which I can't seem to figure out where the "-a" flag is being passed to the process).

Can anyone help me?

- Anne
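
An added example, not part of the original post and not sshguard's own code: a Python check that reads the "-a" value from the sshguard command line and finds blocks in auth.log that fired after a single attack, using the lines quoted in the message above. It takes the 10-per-failure danger score from the post and assumes a block fires once accumulated danger reaches the threshold; the function names are hypothetical.

```python
import math
import re
import shlex

# Lines quoted in the post above (auth.log excerpt and the ps COMMAND column).
AUTH_LOG = """\
Aug 10 21:27:23 bb sshd[532]: Failed password for orion from 192.168.1.13 port 43239 ssh2
Aug 10 21:27:23 bb sshguard[2961]: Blocking 192.168.1.13:4 for >630secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s).
"""
CMDLINE = ("/usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log "
           "-w /etc/sshguard/whitelist -a 4 -p 420 -s 1200")

DANGER_PER_FAILURE = 10  # per the post: each login failure adds 10

BLOCK_RE = re.compile(
    r"sshguard\[\d+\]: Blocking (?P<addr>\S+?):\d+ for >(?P<secs>\d+)secs: "
    r"(?P<danger>\d+) danger in (?P<attacks>\d+) attacks")

def threshold_from_cmdline(cmdline):
    """Return the integer passed to -a, or None if the flag is absent."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "-a" and i + 1 < len(argv):
            return int(argv[i + 1])
    return None

def failures_until_block(threshold, per_failure=DANGER_PER_FAILURE):
    """Failed logins needed to trigger a block.
    Assumption: sshguard blocks once accumulated danger >= threshold."""
    return max(1, math.ceil(threshold / per_failure))

def single_attack_blocks(log_text):
    """Return (address, danger, seconds) for each block after one attack."""
    hits = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m and int(m["attacks"]) == 1:
            hits.append((m["addr"], int(m["danger"]), int(m["secs"])))
    return hits

def diagnose(cmdline, log_text):
    t = threshold_from_cmdline(cmdline)
    return {
        "threshold": t,
        "failures_until_block": None if t is None else failures_until_block(t),
        # A threshold below one failure's danger behaves like the old abuse count.
        "threshold_below_one_failure": t is not None and t < DANGER_PER_FAILURE,
        "single_attack_blocks": single_attack_blocks(log_text),
    }
```

Calling diagnose(CMDLINE, AUTH_LOG) reports a threshold of 4, one failure until a block, and the single-attack block of 192.168.1.13; with the documented value of 40 the same arithmetic gives four failures.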