From: Barry M. <bmu...@ga...> - 2015-02-02 19:06:30
sshd is producing the following in my system.log:
Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
sshguard is not recognizing the threat (debug output below).
If I submit the following, the attack is recognized:
Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9
(please note "Error: popping nterm text ()" at the end of parser output...)
Ideas, anyone??
######################
# BEGIN DEBUG OUTPUT
######################
Feb 2 13:45:59 crackfox.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Feb 2 13:45:59 crackfox.local sshd[8027]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
Reading a token: --accepting rule at line 201 ("115.239.228.9")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
$1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 9
Entering state 56
Reducing stack by rule 34 (line 279):
$1 = token SSH_LOGINERR_PAM ()
$2 = nterm addr ()
-> $$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 32
Reducing stack by rule 27 (line 264):
$1 = nterm ssh_authfail ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
$1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
$1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
$1 = token SYSLOG_BANNER_PID ()
$2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
$1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --accepting rule at line 221 (" ")
--accepting rule at line 220 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
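The trace above shows the grammar consuming the source address and reducing all the way to `text`, then choking on the trailing `via` WORD token because no rule allows anything after the address. Below is an added example, not part of the post and not sshguard's own parser, that shows the shape of the fix in plain Python: a matcher for the sshd PAM failure line in which the ` via <address>` suffix is optional, so both variants in the post yield the same attacker address, plus a sshguard-style per-source failure counter built on top of it. The sample log is constructed (the first two lines are the ones quoted in the post, the rest are made up), and the threshold value and the assumption that the address after `from` (not the one after `via`) is the offender are mine.

```python
import re
from collections import Counter
from typing import Optional

# Pattern for the sshd PAM failure line from the post. The " via <address>"
# group is optional so the line is accepted with or without it; that
# optional suffix is what the grammar in the trace is missing.
# Assumption: the offending address is the one after "from", not after "via".
PAM_AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"error: PAM: authentication error for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: via (?P<via>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


def parse_pam_failure(line: str) -> Optional[dict]:
    """Return the fields of an sshd PAM auth-failure line, or None if the
    line is something else (e.g. a successful login)."""
    m = PAM_AUTH_FAIL.match(line.strip())
    if not m:
        return None
    return m.groupdict()


def offenders(lines, threshold: int = 3) -> dict:
    """Count failures per source address over the given lines and return
    the addresses at or above the threshold, i.e. the ones a
    sshguard-style blocker would act on (threshold is a made-up value)."""
    counts = Counter()
    for line in lines:
        rec = parse_pam_failure(line)
        if rec:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: lines 1-2 are the two quoted in the post,
# the remaining lines are invented to exercise the counter.
SAMPLE_LOG = """\
Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9
Feb  2 13:46:03 myhost.local sshd[8031]: error: PAM: authentication error for admin from 115.239.228.9 via 10.0.1.100
Feb  2 13:46:10 myhost.local sshd[8035]: error: PAM: authentication error for root from 192.0.2.7
Feb  2 13:46:12 myhost.local sshd[8040]: Accepted publickey for alice from 192.0.2.8 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_pam_failure(line))
    print(offenders(SAMPLE_LOG))
```

Running the script prints the parsed fields for each sample line (None for the successful login) and then `{'115.239.228.9': 3}`; the same line with and without the `via` suffix both resolve to `115.239.228.9`, which is the behaviour the grammar needs once the optional suffix is allowed after the address.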