From: Charles S. <sp...@bw...> - 2012-05-21 23:13:49
This is an odd one. I use sshguard in FreeBSD jails quite often by having the jail send all auth.info to the host. This generally works well, but a recent new install showed that a ton of brute-force attacks were being logged but sshguard was not acting on them. After playing around with debug mode, I found that it's due to the logfile containing the jail's IP rather than hostname.
ignored:
Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 21 18:35:54 10.88.77.22 sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 213 ("May 21 18:35:54")
Next token is token TIMESTAMP_SYSLOG ()
Cleanup: discarding lookahead token TIMESTAMP_SYSLOG ()
Stack now 0
valid:
May 21 18:35:54 foo sshd[39330]: error: PAM: authentication error for root from x.x.x.x
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("May 21 18:35:54 foo sshd[39330]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
[…]
Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address x.x.x.x:4 attacking service 100, dangerousness 10.
I can fix this in /etc/hosts, but why would sshguard not accept the first form by default? I generally don't bother with dns on the internal networks.
Thanks,
Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bw... - 212.982.9800
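As an added example (not from the post and not sshguard's own lexer code), a small Python re-creation of the parsing difference described above: a syslog banner pattern that only admits hostname-like host fields never matches a line whose host field is a bare IPv4 address, so the PAM login error behind it is never counted, while a pattern that also admits a dotted quad catches it. The regexes are hypothetical stand-ins for the lexer rules, and the sample lines and addresses are constructed (203.0.113.5 is a documentation address in place of x.x.x.x).

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two cases in the post:
# jail logging with its IP in the host field, and with a hostname.
IP_HOST_LINE = "May 21 18:35:54 10.88.77.22 sshd[39330]: error: PAM: authentication error for root from 203.0.113.5"
NAME_HOST_LINE = "May 21 18:35:54 foo sshd[39330]: error: PAM: authentication error for root from 203.0.113.5"

TIMESTAMP = r"[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d"
HOSTNAME = r"[A-Za-z][A-Za-z0-9.-]*"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Narrow banner (hypothetical): host field must look like a hostname, so a
# line whose host field is "10.88.77.22" never produces a banner match.
NARROW_BANNER = re.compile(
    rf"^(?P<ts>{TIMESTAMP}) (?P<host>{HOSTNAME}) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Widened banner (hypothetical fix): host field may be a hostname or an IPv4 address.
WIDE_BANNER = re.compile(
    rf"^(?P<ts>{TIMESTAMP}) (?P<host>{IPV4}|{HOSTNAME}) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# The PAM login-error message, matched only after the banner has been consumed.
PAM_LOGINERR = re.compile(r"^error: PAM: authentication error for \S+ from (?P<addr>\S+)$")


def match_attacker(line, banner):
    """Return the source address of a PAM login error, or None if the banner
    or the message does not match (the line is then ignored, as in the post)."""
    m = banner.match(line)
    if not m:
        return None
    e = PAM_LOGINERR.match(m.group("msg"))
    return e.group("addr") if e else None


def tally(lines, banner):
    """Count login errors per source address; this is what a blocking
    threshold would be evaluated against."""
    hits = Counter()
    for line in lines:
        addr = match_attacker(line, banner)
        if addr is not None:
            hits[addr] += 1
    return hits


if __name__ == "__main__":
    sample = [IP_HOST_LINE] * 5 + [NAME_HOST_LINE]
    print("narrow banner:", dict(tally(sample, NARROW_BANNER)))  # only the hostname line counts
    print("wide banner:  ", dict(tally(sample, WIDE_BANNER)))    # all six lines count
```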