From: Akis M. <ph...@at...> - 2007-06-17 21:18:37
Hello,

Trying to get sshguard to work, I've come to a strange problem. Testing it from a LAN environment, sshguard successfully blocks the LAN attacker. In the case where the attacker is from a non-LAN IP, it detects the attack and applies the iptables rule.

/var/log/auth.log:

Jun 17 23:46:48 sextus sshd[4590]: Invalid user avl from 194.24.158.16
Jun 17 23:46:48 sextus sshd[4590]: Failed none for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:46:49 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: check pass; user unknown
Jun 17 23:47:49 sextus sshd(pam_unix)[4590]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.24.158.16
Jun 17 23:47:51 sextus sshd[4590]: Failed password for invalid user avl from 194.24.158.16 port 28446 ssh2
Jun 17 23:47:52 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:47:52 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 63 seconds.
Jun 17 23:47:52 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:07 sextus sshd[4609]: Invalid user avl from 194.24.158.16
Jun 17 23:49:07 sextus sshd[4609]: Failed none for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:08 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:44 sextus sshd(pam_unix)[4609]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:49:46 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:47 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:49:47 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 39 seconds.
Jun 17 23:49:47 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:49:57 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:49:58 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:49:59 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:10 sextus sshd(pam_unix)[4609]: check pass; user unknown
Jun 17 23:50:13 sextus sshd[4609]: Failed password for invalid user avl from 194.24.158.16 port 28723 ssh2
Jun 17 23:50:14 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Invalid user avl from 194.24.158.16
Jun 17 23:50:29 sextus sshd[4631]: Failed none for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:30 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 31 seconds.
Jun 17 23:50:30 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:30 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:34 sextus sshd(pam_unix)[4631]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:50:36 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:37 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:43 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:45 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:46 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:50:46 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 16 seconds.
Jun 17 23:50:46 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:50:50 sextus sshd(pam_unix)[4631]: check pass; user unknown
Jun 17 23:50:52 sextus sshd[4631]: Failed password for invalid user avl from 194.24.158.16 port 28926 ssh2
Jun 17 23:50:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Invalid user avl from 194.24.158.16
Jun 17 23:51:02 sextus sshd[4636]: Failed none for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:02 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 9 seconds.
Jun 17 23:51:02 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:06 sextus sshd(pam_unix)[4636]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lime-gw16.one.at
Jun 17 23:51:08 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:09 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:10 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:11 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:14 sextus sshd(pam_unix)[4636]: check pass; user unknown
Jun 17 23:51:16 sextus sshd[4636]: Failed password for invalid user avl from 194.24.158.16 port 28995 ssh2
Jun 17 23:51:17 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:17 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 8 seconds.
Jun 17 23:51:17 sextus sshguard[3753]: Running command "/usr/sbin/iptables"
Jun 17 23:51:40 sextus sshd[4650]: Invalid user \316\261\316\262\316\273 from 194.24.158.16
Jun 17 23:51:40 sextus sshd[4650]: Failed none for invalid user \316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:41 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:52 sextus sshd(pam_unix)[4650]: bad username [αβλ]
Jun 17 23:51:52 sextus sshd[4650]: Failed password for invalid user \316\261\316\262\316\273 from 194.24.158.16 port 29166 ssh2
Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 12 seconds.

iptables -L:

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere

The strange thing is that the DROP rule contains the hostname of the "attacker", and NOT the IP address. Running an nslookup on lime-gw16.one.at gives:

Server:         193.92.150.3
Address:        193.92.150.3#53

Non-authoritative answer:
Name:   lime-gw16.one.at
Address: 194.24.158.16

Which successfully resolves to the "attacker's" IP. But it does not block the attacker. What is going wrong? I guess it has something to do with the hostname and not the IP in the DROP rule.

P.S. I should point out that the detected "attacker's" IP is a friend of mine, trying to test the behavior of sshguard, not an actual attacker.
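An added diagnostic (not from the thread, and not part of sshguard) that parses an "iptables -L" listing like the one pasted above and reports what a responder would check first: whether the sshguard chain is referenced from a built-in chain at all (a user chain with 0 references is never consulted, so its DROP rules cannot fire), whether the source column shows hostnames (which is how "iptables -L" displays addresses when run without -n; the rules themselves are stored as addresses), and whether the same source has been added repeatedly. The sample listing is constructed from the post.

```python
import re

# Constructed sample: the "iptables -L" listing from the post above, reflowed
# one rule per line (hostnames appear because -n was not used).
SAMPLE_LISTING = """\
Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
DROP       0    --  lime-gw16.one.at     anywhere
"""

# Built-in chains print "(policy ACCEPT)", user chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+|(\d+) references)\)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_listing(text):
    """Parse 'iptables -L' output into {chain: {"references": n|None, "rules": [(target, source)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            refs = int(m.group(2)) if m.group(2) is not None else None
            chains[current] = {"references": refs, "rules": []}
            continue
        fields = line.split()
        # Skip blank lines, the column header, and text before the first chain.
        if current is None or len(fields) < 5 or fields[0] == "target":
            continue
        chains[current]["rules"].append((fields[0], fields[3]))
    return chains


def diagnose(text, chain="sshguard"):
    """Return findings explaining why the chain's DROP rules may not take effect."""
    findings = []
    info = parse_listing(text).get(chain)
    if info is None:
        return [f"chain {chain} does not exist"]
    if info["references"] == 0:
        findings.append(f"chain {chain} has 0 references: no built-in chain jumps to it, "
                        "so its rules never match any packet")
    sources = [src for tgt, src in info["rules"] if tgt == "DROP"]
    if any(not IPV4_RE.match(src) for src in sources):
        findings.append("sources are shown as hostnames: run 'iptables -nL' to see the "
                        "numeric addresses actually stored in the rules")
    dupes = len(sources) - len(set(sources))
    if dupes:
        findings.append(f"{dupes} duplicate DROP entries for the same source")
    return findings
```

In the post's listing all three findings fire; the first one is the reason the friend's connections are still getting through.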