From: Robert S <rob...@gm...> - 2012-11-19 20:11:34
I have the following sshguard config:

    # /etc/syslog-ng/syslog-ng.conf
    destination authlog { pipe("/var/log/sshguard.fifo"); };
    filter f_authpriv { facility(auth, authpriv); };
    log { source(src); filter(f_authpriv); destination(authlog); };
    filter f_mail { facility(mail); };
    log { source(src); filter(f_mail); destination(authlog); };

    # cat /var/log/sshguard.fifo | /usr/sbin/sshguard -b /var/local/sshguard/blacklist.db -w /etc/sshguard.whitelist -f 100:/var/run/sshd.pid -f 250:/var/run/sendmail.pid -f 210:/var/run/dovecot/master.pid

Recently I got a lot of these in my syslog:

    Nov 20 03:10:32 myserver sm-mta[24866]: qAJGAOu7024866: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
    Nov 20 03:12:43 myserver sm-mta[24906]: qAJGCZe6024906: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
    Nov 20 03:12:57 myserver saslauthd[5531]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Nov 20 03:14:52 myserver sm-mta[24914]: qAJGEjAF024914: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
    Nov 20 03:15:08 myserver saslauthd[5528]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Nov 20 03:17:02 myserver sm-mta[24926]: qAJGGtse024926: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3
    Nov 20 03:17:17 myserver saslauthd[5532]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

... but these were not detected by sshguard. I have run sshguard in debug mode and the messages are getting through, and it is blocking SSH attacks successfully.

I am running sendmail 8.14.4 and sshguard 1.5 on Gentoo Linux. Can somebody tell me where things are going wrong?
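To make the detection question concrete, here is an added example (not part of sshguard, and not code from the poster) that parses the two kinds of log line shown in the message above and applies a simple per-source threshold. The sm-mta "possible SMTP attack" lines carry the client address in brackets, so they can be attributed to a source; the saslauthd failures carry no address at all, so they can only be counted, never used to block anyone. The sample lines are the ones from the post plus one constructed line for a second address; the year, the threshold of three reports, and the ten-minute window are assumptions.

```python
"""Detect repeated sendmail 'possible SMTP attack' reports per source address.

Added illustration, not sshguard code. Syslog lines carry no year, so one
is assumed; the threshold and window below are likewise assumptions.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# sm-mta line: timestamp, host, queue id, client name, [ip], optional
# "(may be forged)", then the command that tripped the limit and its count.
SMTP_ATTACK_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[\d+\]: "
    r"(?P<qid>\w+): (?P<client>\S+) \[(?P<ip>[0-9.]+)\]( \(may be forged\))?: "
    r"possible SMTP attack: command=(?P<cmd>\w+), count=(?P<count>\d+)$"
)

# saslauthd line: no client address, only the attempted user and service.
SASL_FAIL_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth : auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<svc>\w+)\]"
)

# Lines from the post, plus one constructed line (192.0.2.10, no "forged"
# marker) to show a source that stays below the threshold.
SAMPLE_LINES = [
    "Nov 20 03:10:32 myserver sm-mta[24866]: qAJGAOu7024866: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3",
    "Nov 20 03:12:43 myserver sm-mta[24906]: qAJGCZe6024906: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3",
    "Nov 20 03:12:57 myserver saslauthd[5531]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Nov 20 03:14:52 myserver sm-mta[24914]: qAJGEjAF024914: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3",
    "Nov 20 03:15:08 myserver saslauthd[5528]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Nov 20 03:17:02 myserver sm-mta[24926]: qAJGGtse024926: cese242.static.gvt.net.br [177.135.221.242] (may be forged): possible SMTP attack: command=AUTH, count=3",
    "Nov 20 03:17:17 myserver saslauthd[5532]: do_auth : auth failure: [user=E!] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    # constructed line, not from the post
    "Nov 20 03:20:00 myserver sm-mta[24999]: qAJGK0AA024999: example.invalid [192.0.2.10]: possible SMTP attack: command=AUTH, count=3",
]


def parse_line(line, year=2012):
    """Classify one syslog line.

    Returns ("smtp_attack", fields), ("sasl_fail", fields) or (None, None).
    The address is run through ipaddress so a malformed token cannot reach
    a firewall command later.
    """
    m = SMTP_ATTACK_RE.match(line)
    if m:
        d = m.groupdict()
        d["ip"] = str(ipaddress.ip_address(d["ip"]))
        d["count"] = int(d["count"])
        d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        return "smtp_attack", d
    m = SASL_FAIL_RE.search(line)
    if m:
        return "sasl_fail", m.groupdict()
    return None, None


def offenders(lines, threshold=3, window_s=600):
    """Sliding-window count of sm-mta reports per source address.

    Returns (blocked, sasl_failures): blocked maps an address to the time of
    the report that pushed it over the threshold; sasl_failures is the number
    of unattributable saslauthd failures seen.
    """
    recent = defaultdict(list)  # ip -> timestamps inside the window
    blocked = {}
    sasl_failures = 0
    for line in lines:
        kind, d = parse_line(line)
        if kind == "sasl_fail":
            sasl_failures += 1
            continue
        if kind != "smtp_attack":
            continue
        ip, ts = d["ip"], d["ts"]
        hist = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        hist.append(ts)
        recent[ip] = hist
        if ip not in blocked and len(hist) >= threshold:
            blocked[ip] = ts
    return blocked, sasl_failures


if __name__ == "__main__":
    blocked, sasl = offenders(SAMPLE_LINES)
    for ip, when in blocked.items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
    print(f"{sasl} saslauthd failures with no source address")
```

Run against the sample, 177.135.221.242 reaches three reports at 03:14:52 and would be blocked, 192.0.2.10 has a single report and is left alone, and the three saslauthd lines are counted but cannot be tied to either address. Whatever sshguard itself does or does not match, any detector for these events has to key on the sm-mta lines, because they are the only ones in the post that name a client.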