From: Forrest A. <fo...@fo...> - 2007-11-16 20:47:18
I posted a message recently about having problems with sshguard on FreeBSD-6.x, whereby failed passwords for root were not being caught (everything else was). I'm continuing to have this problem and I wonder if this might play into it:

/etc/syslog.conf:

auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info |/usr/local/sbin/sshguard -p 18000 -w /usr/local/etc/sshguard_whitelist

First entry is simply writing to auth.log, the other going to sshguard. Probably just a typo that needed to be corrected, though it still appears to work correctly. In any case, take the log snippet below from today where this happened once again. I'd be interested in any constructive feedback about fixing this. Notice that it seems to act on every user except "root".

Nov 16 08:20:15 gw sshd[25604]: Did not receive identification string from 80.53.67.35
Nov 16 08:22:04 gw sshd[25618]: Did not receive identification string from 85.18.101.82
Nov 16 08:25:17 gw sshd[25622]: Failed password for root from 80.53.67.35 port 46074 ssh2
Nov 16 08:25:20 gw sshd[25624]: Invalid user admin from 80.53.67.35
Nov 16 08:25:20 gw sshd[25624]: Failed password for invalid user admin from 80.53.67.35 port 46136 ssh2
Nov 16 08:25:21 gw sshd[25626]: Invalid user test from 80.53.67.35
Nov 16 08:25:21 gw sshd[25626]: Failed password for invalid user test from 80.53.67.35 port 46209 ssh2
Nov 16 08:25:23 gw sshd[25628]: Invalid user guest from 80.53.67.35
Nov 16 08:25:23 gw sshd[25628]: Failed password for invalid user guest from 80.53.67.35 port 46262 ssh2
Nov 16 08:25:25 gw sshd[25630]: Invalid user webmaster from 80.53.67.35
Nov 16 08:25:25 gw sshguard[24319]: Blocking 80.53.67.35: 4 failures over 5 seconds.
Nov 16 08:25:25 gw sshd[25630]: Failed password for invalid user webmaster from 80.53.67.35 port 46314 ssh2
Nov 16 08:36:28 gw sshd[25653]: Failed password for root from 85.18.101.82 port 33750 ssh2
Nov 16 08:36:29 gw sshd[25655]: Failed password for root from 85.18.101.82 port 33802 ssh2
Nov 16 08:36:30 gw sshd[25657]: Failed password for root from 85.18.101.82 port 33854 ssh2
Nov 16 08:36:31 gw sshd[25659]: Failed password for root from 85.18.101.82 port 33909 ssh2
Nov 16 08:36:32 gw sshd[25661]: Failed password for root from 85.18.101.82 port 33965 ssh2
Nov 16 08:36:33 gw sshd[25663]: Failed password for root from 85.18.101.82 port 34021 ssh2
Nov 16 08:36:34 gw sshd[25665]: Failed password for root from 85.18.101.82 port 34080 ssh2
Nov 16 08:36:35 gw sshd[25667]: Failed password for root from 85.18.101.82 port 34134 ssh2
Nov 16 08:36:36 gw sshd[25669]: Failed password for root from 85.18.101.82 port 34203 ssh2
Nov 16 08:36:37 gw sshd[25671]: Failed password for root from 85.18.101.82 port 34253 ssh2
Nov 16 08:36:39 gw sshd[25673]: Failed password for root from 85.18.101.82 port 34309 ssh2
Nov 16 08:36:40 gw sshd[25675]: Failed password for root from 85.18.101.82 port 34373 ssh2
Nov 16 08:36:41 gw sshd[25677]: Failed password for root from 85.18.101.82 port 34418 ssh2
Nov 16 08:36:42 gw sshd[25679]: Failed password for root from 85.18.101.82 port 34466 ssh2
Nov 16 08:36:43 gw sshd[25681]: Failed password for root from 85.18.101.82 port 34529 ssh2
Nov 16 08:36:44 gw sshd[25683]: Failed password for root from 85.18.101.82 port 34577 ssh2
Nov 16 08:36:46 gw sshd[25685]: Failed password for root from 85.18.101.82 port 34646 ssh2
Nov 16 08:36:47 gw sshd[25687]: Failed password for root from 85.18.101.82 port 34727 ssh2
Nov 16 08:36:48 gw sshd[25689]: Failed password for root from 85.18.101.82 port 34780 ssh2
Nov 16 08:36:49 gw sshd[25691]: Failed password for root from 85.18.101.82 port 34861 ssh2
Nov 16 08:36:50 gw sshd[25693]: Failed password for root from 85.18.101.82 port 34915 ssh2
Nov 16 08:36:52 gw sshd[25695]: Failed password for root from 85.18.101.82 port 34964 ssh2
Nov 16 08:36:53 gw sshd[25697]: Failed password for root from 85.18.101.82 port 35031 ssh2
Nov 16 08:36:54 gw sshd[25699]: Failed password for root from 85.18.101.82 port 35085 ssh2
Nov 16 08:36:55 gw sshd[25701]: Failed password for root from 85.18.101.82 port 35140 ssh2
Nov 16 08:36:56 gw sshd[25703]: Failed password for root from 85.18.101.82 port 35190 ssh2
Nov 16 08:36:57 gw sshd[25705]: Failed password for root from 85.18.101.82 port 35250 ssh2
Nov 16 08:36:58 gw sshd[25707]: Failed password for root from 85.18.101.82 port 35307 ssh2
Nov 16 08:36:59 gw sshd[25709]: Failed password for root from 85.18.101.82 port 35358 ssh2
Nov 16 08:37:01 gw sshd[25711]: Failed password for root from 85.18.101.82 port 35434 ssh2
Nov 16 08:37:02 gw sshd[25713]: Failed password for root from 85.18.101.82 port 35478 ssh2
Nov 16 08:37:03 gw sshd[25715]: Failed password for root from 85.18.101.82 port 35525 ssh2
Nov 16 08:37:04 gw sshd[25717]: Failed password for root from 85.18.101.82 port 35597 ssh2
Nov 16 08:37:05 gw sshd[25719]: Failed password for root from 85.18.101.82 port 35652 ssh2
Nov 16 08:37:07 gw sshd[25721]: Invalid user administrator from 85.18.101.82
Nov 16 08:37:07 gw sshd[25721]: Failed password for invalid user administrator from 85.18.101.82 port 35714 ssh2
Nov 16 08:37:08 gw sshd[25723]: Invalid user administrator from 85.18.101.82
Nov 16 08:37:08 gw sshd[25723]: Failed password for invalid user administrator from 85.18.101.82 port 35787 ssh2
Nov 16 08:37:09 gw sshd[25725]: Invalid user administrator from 85.18.101.82
Nov 16 08:37:09 gw sshd[25725]: Failed password for invalid user administrator from 85.18.101.82 port 35837 ssh2
Nov 16 08:37:10 gw sshguard[24319]: Invalid user administrator from 85.18.101.82
Nov 16 08:37:10 gw sshguard[24319]: Blocking 85.18.101.82: 4 failures over 3 seconds.
Nov 16 08:37:10 gw sshd[25727]: Failed password for invalid user administrator from 85.18.101.82 port 35888 ssh2
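
An added example, not part of the original post and not sshguard code: a small Python audit that tallies, per source address, the "Failed password" lines sshd logged before sshguard's "Blocking" line, split into known and invalid accounts, so the gap described above can be measured on any auth.log. The sample log is constructed in the format quoted in the post and uses a documentation address; all function names are hypothetical.

```python
import re
from collections import defaultdict

FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from (\S+) port \d+")
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (\S+): ")

def _sample():
    """Constructed auth.log excerpt in the format quoted in the post."""
    src, out = "198.51.100.7", []      # documentation address, not from the post
    for i in range(6):                 # six guesses against an account sshd knows
        out.append(f"Nov 16 08:36:{28 + i} gw sshd[{300 + i}]: "
                   f"Failed password for root from {src} port {33750 + i} ssh2")
    for i, user in enumerate(["admin", "test", "guest"]):
        head = f"Nov 16 08:36:{40 + i} gw sshd[{310 + i}]: "
        out.append(head + f"Invalid user {user} from {src}")
        out.append(head + f"Failed password for invalid user {user} "
                          f"from {src} port {34000 + i} ssh2")
    out.append(f"Nov 16 08:36:43 gw sshd[313]: Invalid user webmaster from {src}")
    out.append(f"Nov 16 08:36:43 gw sshguard[299]: "
               f"Blocking {src}: 4 failures over 3 seconds.")
    out.append(f"Nov 16 08:36:43 gw sshd[313]: Failed password for invalid user "
               f"webmaster from {src} port 34003 ssh2")
    return "\n".join(out)

def audit(log_text):
    """Count failed passwords per source logged before any sshguard block."""
    stats = defaultdict(lambda: {"known": 0, "invalid": 0, "blocked": False})
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            stats[m.group(1)]["blocked"] = True
            continue
        m = FAIL_RE.search(line)
        if m and not stats[m.group(2)]["blocked"]:
            stats[m.group(2)]["invalid" if m.group(1) else "known"] += 1
    return {ip: dict(s) for ip, s in stats.items()}

def unanswered(stats, threshold=4):
    """Sources whose known-account failures alone reached the threshold."""
    return sorted(ip for ip, s in stats.items() if s["known"] >= threshold)

if __name__ == "__main__":
    report = audit(_sample())
    for ip in unanswered(report):
        print(ip, report[ip])
```

Pass the contents of /var/log/auth.log to audit() instead of the constructed sample; any address returned by unanswered() accumulated at least the threshold number of known-account failures without a block being logged first.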