From: Willem J. W. <wj...@di...> - 2015-02-02 20:21:16
On 2-2-2015 20:44, Bradley Giesbrecht wrote:
> On Feb 2, 2015, at 11:05 AM, Barry Muldrey <bmu...@ga...> wrote:
>
>> sshd is producing the following in my system.log:
>>
>> Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100
>>
>> sshguard is not recognizing the threat (debug output below).
>> If I submit the following, the attack is recognized:
>>
>> Feb 2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9
>>
>> (please note "Error: popping nterm text ()" at the end of parser output...)
>>
>> Ideas, anyone??
>
> I'm seeing the same thing. No answer but you're not alone.
>
> Regards,
> Bradley Giesbrecht (pixilla)

The parsing trace tells you that it accepts the ipnr as ipnr, but then the next word is unexpected in the grammar. So the "via 10.0.1.100" is creating a "syntax error".

This is inherent to the way the syntax rules are built. And the syntax rules are only modifiable at compile time. And they need to be written 101% matching, otherwise the line will be skipped.

I'm still not very sure if this is really a desired concept for logfile parsing. E.g. openssh changes its log format, and "all of a sudden" log output is no longer generating desired reactions. It requires "flexible" ways of specifying scanner and parser input, which is not really a trivial thing.

--WjW
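The failure mode discussed in this thread (a grammar that must match the whole line, so an extra trailing "via <address>" makes the line fall through unrecognised) can be reproduced with two regular expressions over the quoted log lines. The following is an added illustration written for this page, not sshguard's own parser or code: a strict pattern that behaves like the grammar described above, and a tolerant pattern that treats the "via" suffix as optional and captures it separately so that only the "from" address is ever counted as the attacker. The sample lines are constructed for the example; the first two are the shapes quoted in the thread, the "illegal user" variant and the "Accepted publickey" line are assumed formats added to exercise the parser.

```python
import re

# Constructed sample log lines for this example. The first two are the two
# shapes quoted in the thread; the remaining two are assumed formats added
# only to exercise the parser (a non-matching success line, and a variant
# with "illegal user" in front of the user name).
SAMPLE_LOG = [
    "Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9 via 10.0.1.100",
    "Feb  2 13:45:59 myhost.local sshd[8027]: error: PAM: authentication error for root from 115.239.228.9",
    "Feb  2 13:46:05 myhost.local sshd[8033]: error: PAM: authentication error for illegal user admin from 198.51.100.7 via 10.0.1.100",
    "Feb  2 13:46:07 myhost.local sshd[8035]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Strict form: the attacker address must be the last token on the line.
# This mirrors the behaviour described in the thread: a trailing
# "via 10.0.1.100" does not fit the rule, so the whole line is skipped.
STRICT = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for (?:illegal user )?"
    r"(?P<user>\S+) from (?P<src>" + IPV4 + r")\s*$"
)

# Tolerant form: the "via <address>" suffix is optional and captured into
# its own group, so it can never be confused with the attacker address
# (the "via" address is assumed here to be the local side of the
# connection, which must not end up on a block list).
TOLERANT = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for (?:illegal user )?"
    r"(?P<user>\S+) from (?P<src>" + IPV4 + r")"
    r"(?: via (?P<local>" + IPV4 + r"))?\s*$"
)


def parse_auth_error(line, pattern=TOLERANT):
    """Return (user, attacker_ip, local_ip_or_None), or None if the line
    is not a PAM authentication error in a shape the pattern accepts."""
    m = pattern.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("src"), m.groupdict().get("local")


def offenders(lines, pattern=TOLERANT):
    """Count PAM authentication failures per attacker ("from") address.

    Lines the pattern does not recognise are dropped silently, which is
    exactly how a too-strict grammar loses the "via" lines."""
    counts = {}
    for line in lines:
        parsed = parse_auth_error(line, pattern)
        if parsed is None:
            continue
        _user, src, _local = parsed
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    # The strict pattern sees only one failure; the tolerant one sees all three.
    print("strict:  ", offenders(SAMPLE_LOG, STRICT))
    print("tolerant:", offenders(SAMPLE_LOG, TOLERANT))
```

Run the file directly to compare the two counts. The practical check this shows: with the strict pattern the attacker at 115.239.228.9 is seen once instead of twice and 198.51.100.7 is never seen at all, so a threshold-based blocker would under-count; with the tolerant pattern the local "via" address is captured but never counted, which is the property to preserve whatever the log format does next.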