From: Barry M. <bmu...@ga...> - 2015-02-02 19:06:30

sshd is producing the following in my system.log:

Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100

sshguard is not recognizing the threat (debug output below). If I submit the following, the attack is recognized:

Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9

(please note "Error: popping nterm text ()" at the end of parser output...)

Ideas, anyone??

######################
# BEGIN DEBUG OUTPUT
######################

Feb 2 13:45:59 crackfox.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Feb 2 13:45:59 crackfox.local sshd[8027]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 146 ("error: PAM: authentication error for root from ")
Next token is token SSH_LOGINERR_PAM ()
Shifting token SSH_LOGINERR_PAM ()
Entering state 9
Reading a token: --accepting rule at line 201 ("115.239.228.9")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
   $1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 1 9
Entering state 56
Reducing stack by rule 34 (line 279):
   $1 = token SSH_LOGINERR_PAM ()
   $2 = nterm addr ()
-> $$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 32
Reducing stack by rule 27 (line 264):
   $1 = nterm ssh_authfail ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()
-> $$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
   $1 = nterm syslogent ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --accepting rule at line 221 (" ")
--accepting rule at line 220 ("via")
Next token is token WORD ()
Error: popping nterm text ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
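The trace above shows the grammar consuming "... from 115.239.228.9", reducing all the way to the start symbol, and then choking on the leftover "via" token, so the whole line is dropped and the failed login is never counted. The matcher below is an added example (it is not sshguard's code and does not use its grammar): it treats the trailing "via <addr>" clause as optional, validates both addresses, and counts failures only against the remote address. The two failure lines are the ones quoted in the post; the third sample line and the `parse_pam_authfail` / `offending_addresses` names are constructed for this example. Treating the address after "via" as the local endpoint rather than the peer is an assumption, based on 10.0.1.100 being a private address in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample input. The first two lines are the forms quoted in the post
# (with and without the trailing "via" clause); the third is a constructed
# non-failure line that a failure parser must ignore.
SAMPLE_LINES = [
    "Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100",
    "Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9",
    "Feb 2 13:46:03 myhost.local sshd[8031]: Accepted publickey for alice from 10.0.1.50 port 51234 ssh2",
]

# Syslog banner: "Mon dd HH:MM:SS host sshd[pid]: " as seen in the post.
SYSLOG_BANNER = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "

# PAM failure message. The "via <addr>" suffix is optional, which is exactly the
# case the sshguard grammar in the post does not accept. The user field is
# non-greedy so variants such as "invalid user foo" would still match.
PAM_AUTHFAIL = (
    r"error: PAM: authentication error for (?P<user>.+?) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: via (?P<via>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

LINE_RE = re.compile(SYSLOG_BANNER + PAM_AUTHFAIL)


@dataclass
class AuthFailure:
    pid: int
    user: str            # logged as supplied by the client; never trust it
    src: str             # remote address: the one worth blocking
    via: Optional[str]   # local endpoint the connection arrived on (assumption), or None


def parse_pam_authfail(line: str) -> Optional[AuthFailure]:
    """Return the parsed failure, or None if the line is not a PAM auth failure.

    A line that matches the regex but carries a syntactically invalid address
    (e.g. an octet > 255) is also rejected rather than half-parsed.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = str(ipaddress.ip_address(m["src"]))
        via = str(ipaddress.ip_address(m["via"])) if m["via"] else None
    except ValueError:
        return None
    return AuthFailure(pid=int(m["pid"]), user=m["user"], src=src, via=via)


def offending_addresses(lines: Iterable[str]) -> Dict[str, int]:
    """Count PAM authentication failures per remote address.

    The "via" address is deliberately never counted: blocking it would block
    the server's own interface, not the attacker.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_pam_authfail(line)
        if ev is None:
            continue
        counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_pam_authfail(line))
    print(offending_addresses(SAMPLE_LINES))
```

The practical lesson from the trace is that a parser which anchors on a fixed message shape fails open: the unrecognised line is discarded and the attack source is simply never counted. Whatever tool does the matching, every trailing clause the daemon can emit ("via <addr>" here) needs to be optional in the pattern, and the address chosen for blocking has to be the peer, not the local endpoint.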