From: Jo R. <jr...@ne...> - 2012-02-07 07:17:40
I am running sshguard with the following options.

    root 66430 0.0 0.1 3424 1284 u0 I 10:42PM 0:00.01 /usr/local/sbin/sshguard -a 60 -p 300 -s 1200 -i /var/run/sshguard.pid -l /var/log/auth.log -w /usr/local/etc/sshguard.whitelist

However, I managed to get myself blocked today, which is a matter of two bugs:

Bug 1: seconds counting is broken

    Feb 6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

Yes, I had six failed passwords. Five of them from testing sshguard more than six hours earlier in the day. Here in the log message you see it saying "1 second" and then reporting 15625 seconds. According to the options above it should have forgotten those attempts after 20 minutes.

    # grep 99.124.207.89 /var/log/auth.log
    Feb 6 15:12:04 triceratops sshd[62705]: error: PAM: authentication error for jrhett from 99.124.207.89
    Feb 6 15:12:04 triceratops sshd[62705]: Failed password for jrhett from 99.124.207.89 port 59757 ssh2
    Feb 6 18:12:01 triceratops sshd[64237]: error: PAM: authentication error for jrhett from 99.124.207.89
    Feb 6 18:12:01 triceratops sshd[64237]: Failed password for jrhett from 99.124.207.89 port 54602 ssh2
    Feb 6 18:23:04 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >450secs: 60 danger in 4 attacks over 663 seconds (all: 60d in 1 abuses over 663s).
    Feb 6 21:12:00 triceratops sshd[65838]: error: PAM: authentication error for jrhett from 99.124.207.89
    Feb 6 21:12:00 triceratops sshd[65838]: Failed password for jrhett from 99.124.207.89 port 53494 ssh2
    Feb 6 21:38:30 triceratops sshd[65968]: Accepted publickey for jrhett from 99.124.207.89 port 61698 ssh2
    Feb 6 21:38:33 triceratops sshd[65970]: Accepted publickey for jrhett from 99.124.207.89 port 61856 ssh2
    Feb 6 21:47:43 triceratops sshd[66034]: Accepted publickey for jrhett from 99.124.207.89 port 50779 ssh2
    Feb 6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).

Bug 2: it timed out an address in the whitelist

If you read the log report carefully, it appears to think it is blocking 99.124.207.89:4 ... not really sure why it thinks :4 is part of the IP address, but this clearly caused it to avoid the whitelist behavior for some reason. Contents of the whitelist include:

    # cat /usr/local/etc/sshguard.whitelist
    99.124.207.88/29

Platform information:

    # uname -a
    FreeBSD triceratops.netconsonance.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 ro...@i3...:/usr/obj/usr/src/sys/GENERIC i386

For what it is worth, we were running this on CentOS Linux at the shop and never saw this problem, so it seems to be related to the FreeBSD port in some way.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
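An audit script, added here as an example (it is neither part of the report above nor of sshguard), that replays the auth.log excerpt from the report and flags the two conditions it describes: a "Blocking" line for an address that lies inside the whitelist, and a "Blocking" line whose claimed attack count is not backed by failed logins younger than the -s window. It assumes the ":4" suffix is a separate field rather than part of the address, and that the log year is 2012.

```python
import ipaddress
import re
from datetime import datetime

# Sample input, constructed from the auth.log excerpt in the report (successful logins omitted).
AUTH_LOG = """\
Feb 6 15:12:04 triceratops sshd[62705]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb 6 15:12:04 triceratops sshd[62705]: Failed password for jrhett from 99.124.207.89 port 59757 ssh2
Feb 6 18:12:01 triceratops sshd[64237]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb 6 18:12:01 triceratops sshd[64237]: Failed password for jrhett from 99.124.207.89 port 54602 ssh2
Feb 6 18:23:04 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >450secs: 60 danger in 4 attacks over 663 seconds (all: 60d in 1 abuses over 663s).
Feb 6 21:12:00 triceratops sshd[65838]: error: PAM: authentication error for jrhett from 99.124.207.89
Feb 6 21:12:00 triceratops sshd[65838]: Failed password for jrhett from 99.124.207.89 port 53494 ssh2
Feb 6 22:32:26 triceratops sshguard[62778]: Blocking 99.124.207.89:4 for >0secs: 60 danger in 4 attacks over 1 seconds (all: 120d in 2 abuses over 15625s).
"""
WHITELIST = ["99.124.207.88/29"]  # contents of sshguard.whitelist in the report
STALE = 1200                      # -s 1200: attempts older than this should be forgotten

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"sshd\[\d+\]: (?:error: PAM: authentication error|Failed password) "
                     r"for \S+ from (?P<addr>\S+)")
# The ':4' suffix is captured on its own (assumed to be an address-kind field, not part of
# the IP) so that it never reaches the whitelist comparison.
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (?P<addr>\S+?):(?P<kind>\d+) for >\d+secs: "
                      r"\d+ danger in (?P<attacks>\d+) attacks over (?P<window>\d+) seconds")

def _when(line):
    # syslog timestamps carry no year; the report is from February 2012 (assumption).
    return datetime.strptime("2012 " + TS_RE.match(line).group(1), "%Y %b %d %H:%M:%S")

def audit(log_text, whitelist=WHITELIST, stale=STALE):
    """Replay auth.log; return (timestamp, problem) pairs for every suspicious Blocking line."""
    fails = {}  # address -> timestamps of failed logins seen so far
    problems = []
    for line in log_text.splitlines():
        f, b = FAIL_RE.search(line), BLOCK_RE.search(line)
        if f:
            fails.setdefault(f["addr"], []).append(_when(line))
        if not b:
            continue
        now, addr = _when(line), ipaddress.ip_address(b["addr"])
        # Bug 2 in the report: an address inside the whitelist must never be blocked.
        if any(addr in ipaddress.ip_network(n, strict=False) for n in whitelist):
            problems.append((now, "blocked whitelisted address %s" % addr))
        # Bug 1 in the report: the claimed count should be backed by failures younger than -s.
        recent = [t for t in fails.get(b["addr"], []) if (now - t).total_seconds() <= stale]
        if len(recent) < int(b["attacks"]):
            problems.append((now, "claims %s attacks over %ss, auth.log shows %d in last %ds"
                             % (b["attacks"], b["window"], len(recent), stale)))
    return problems
```

Run against the embedded sample it reports both blocks of the whitelisted address and, for the 22:32:26 block, that no failed login from that address is younger than 1200 seconds.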