From: Mij <mi...@bi...> - 2007-11-20 20:34:01
Thanks for your precious test data. I will look into your report in a
couple of weekends.

On 16/nov/07, at 21:48, Forrest Aldrich wrote:

> I posted a message recently about having problems with sshguard on
> FreeBSD-6.x, whereby failed passwords for root were not being caught
> (everything else was). I'm continuing to have this problem and I wonder
> if this might play into it:
>
> /etc/syslog.conf:
>
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info |/usr/local/sbin/sshguard -p 18000 -w /usr/local/etc/sshguard_whitelist
>
> First entry is simply writing to auth.log, the other going to sshguard.
> Probably just a typo that needed to be corrected, though it still
> appears to work correctly.
>
> In any case, take the log snippet below from today where this happened
> once again.
>
> I'd be interested in any constructive feedback about fixing this.
> Notice that it seems to act on every user except "root".
>
> Nov 16 08:20:15 gw sshd[25604]: Did not receive identification string from 80.53.67.35
> Nov 16 08:22:04 gw sshd[25618]: Did not receive identification string from 85.18.101.82
> Nov 16 08:25:17 gw sshd[25622]: Failed password for root from 80.53.67.35 port 46074 ssh2
> Nov 16 08:25:20 gw sshd[25624]: Invalid user admin from 80.53.67.35
> Nov 16 08:25:20 gw sshd[25624]: Failed password for invalid user admin from 80.53.67.35 port 46136 ssh2
> Nov 16 08:25:21 gw sshd[25626]: Invalid user test from 80.53.67.35
> Nov 16 08:25:21 gw sshd[25626]: Failed password for invalid user test from 80.53.67.35 port 46209 ssh2
> Nov 16 08:25:23 gw sshd[25628]: Invalid user guest from 80.53.67.35
> Nov 16 08:25:23 gw sshd[25628]: Failed password for invalid user guest from 80.53.67.35 port 46262 ssh2
> Nov 16 08:25:25 gw sshd[25630]: Invalid user webmaster from 80.53.67.35
> Nov 16 08:25:25 gw sshguard[24319]: Blocking 80.53.67.35: 4 failures over 5 seconds.
> Nov 16 08:25:25 gw sshd[25630]: Failed password for invalid user webmaster from 80.53.67.35 port 46314 ssh2
> Nov 16 08:36:28 gw sshd[25653]: Failed password for root from 85.18.101.82 port 33750 ssh2
> Nov 16 08:36:29 gw sshd[25655]: Failed password for root from 85.18.101.82 port 33802 ssh2
> Nov 16 08:36:30 gw sshd[25657]: Failed password for root from 85.18.101.82 port 33854 ssh2
> Nov 16 08:36:31 gw sshd[25659]: Failed password for root from 85.18.101.82 port 33909 ssh2
> Nov 16 08:36:32 gw sshd[25661]: Failed password for root from 85.18.101.82 port 33965 ssh2
> Nov 16 08:36:33 gw sshd[25663]: Failed password for root from 85.18.101.82 port 34021 ssh2
> Nov 16 08:36:34 gw sshd[25665]: Failed password for root from 85.18.101.82 port 34080 ssh2
> Nov 16 08:36:35 gw sshd[25667]: Failed password for root from 85.18.101.82 port 34134 ssh2
> Nov 16 08:36:36 gw sshd[25669]: Failed password for root from 85.18.101.82 port 34203 ssh2
> Nov 16 08:36:37 gw sshd[25671]: Failed password for root from 85.18.101.82 port 34253 ssh2
> Nov 16 08:36:39 gw sshd[25673]: Failed password for root from 85.18.101.82 port 34309 ssh2
> Nov 16 08:36:40 gw sshd[25675]: Failed password for root from 85.18.101.82 port 34373 ssh2
> Nov 16 08:36:41 gw sshd[25677]: Failed password for root from 85.18.101.82 port 34418 ssh2
> Nov 16 08:36:42 gw sshd[25679]: Failed password for root from 85.18.101.82 port 34466 ssh2
> Nov 16 08:36:43 gw sshd[25681]: Failed password for root from 85.18.101.82 port 34529 ssh2
> Nov 16 08:36:44 gw sshd[25683]: Failed password for root from 85.18.101.82 port 34577 ssh2
> Nov 16 08:36:46 gw sshd[25685]: Failed password for root from 85.18.101.82 port 34646 ssh2
> Nov 16 08:36:47 gw sshd[25687]: Failed password for root from 85.18.101.82 port 34727 ssh2
> Nov 16 08:36:48 gw sshd[25689]: Failed password for root from 85.18.101.82 port 34780 ssh2
> Nov 16 08:36:49 gw sshd[25691]: Failed password for root from 85.18.101.82 port 34861 ssh2
> Nov 16 08:36:50 gw sshd[25693]: Failed password for root from 85.18.101.82 port 34915 ssh2
> Nov 16 08:36:52 gw sshd[25695]: Failed password for root from 85.18.101.82 port 34964 ssh2
> Nov 16 08:36:53 gw sshd[25697]: Failed password for root from 85.18.101.82 port 35031 ssh2
> Nov 16 08:36:54 gw sshd[25699]: Failed password for root from 85.18.101.82 port 35085 ssh2
> Nov 16 08:36:55 gw sshd[25701]: Failed password for root from 85.18.101.82 port 35140 ssh2
> Nov 16 08:36:56 gw sshd[25703]: Failed password for root from 85.18.101.82 port 35190 ssh2
> Nov 16 08:36:57 gw sshd[25705]: Failed password for root from 85.18.101.82 port 35250 ssh2
> Nov 16 08:36:58 gw sshd[25707]: Failed password for root from 85.18.101.82 port 35307 ssh2
> Nov 16 08:36:59 gw sshd[25709]: Failed password for root from 85.18.101.82 port 35358 ssh2
> Nov 16 08:37:01 gw sshd[25711]: Failed password for root from 85.18.101.82 port 35434 ssh2
> Nov 16 08:37:02 gw sshd[25713]: Failed password for root from 85.18.101.82 port 35478 ssh2
> Nov 16 08:37:03 gw sshd[25715]: Failed password for root from 85.18.101.82 port 35525 ssh2
> Nov 16 08:37:04 gw sshd[25717]: Failed password for root from 85.18.101.82 port 35597 ssh2
> Nov 16 08:37:05 gw sshd[25719]: Failed password for root from 85.18.101.82 port 35652 ssh2
> Nov 16 08:37:07 gw sshd[25721]: Invalid user administrator from 85.18.101.82
> Nov 16 08:37:07 gw sshd[25721]: Failed password for invalid user administrator from 85.18.101.82 port 35714 ssh2
> Nov 16 08:37:08 gw sshd[25723]: Invalid user administrator from 85.18.101.82
> Nov 16 08:37:08 gw sshd[25723]: Failed password for invalid user administrator from 85.18.101.82 port 35787 ssh2
> Nov 16 08:37:09 gw sshd[25725]: Invalid user administrator from 85.18.101.82
> Nov 16 08:37:09 gw sshd[25725]: Failed password for invalid user administrator from 85.18.101.82 port 35837 ssh2
> Nov 16 08:37:10 gw sshd[25727]: Invalid user administrator from 85.18.101.82
> Nov 16 08:37:10 gw sshguard[24319]: Blocking 85.18.101.82: 4 failures over 3 seconds.
> Nov 16 08:37:10 gw sshd[25727]: Failed password for invalid user administrator from 85.18.101.82 port 35888 ssh2
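
An added example, not part of either message and not sshguard's own code: a small auth.log audit that finds the gap reported above, that is, sources with repeated "Failed password" lines for accounts sshd did not flag as invalid, where no sshguard "Blocking" line followed or it came only after many attempts. The function name, the constructed sample (documentation IP addresses) and the threshold of 4, taken from the "4 failures" in the quoted sshguard messages, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted auth.log (documentation IPs).
SAMPLE = """\
Nov 16 08:36:28 gw sshd[25653]: Failed password for root from 192.0.2.82 port 33750 ssh2
Nov 16 08:36:29 gw sshd[25655]: Failed password for root from 192.0.2.82 port 33802 ssh2
Nov 16 08:36:30 gw sshd[25657]: Failed password for root from 192.0.2.82 port 33854 ssh2
Nov 16 08:36:31 gw sshd[25659]: Failed password for root from 192.0.2.82 port 33909 ssh2
Nov 16 08:36:32 gw sshd[25661]: Failed password for root from 192.0.2.82 port 33965 ssh2
Nov 16 08:37:07 gw sshd[25721]: Invalid user administrator from 192.0.2.82
Nov 16 08:37:07 gw sshd[25721]: Failed password for invalid user administrator from 192.0.2.82 port 35714 ssh2
Nov 16 08:37:08 gw sshd[25723]: Invalid user administrator from 192.0.2.82
Nov 16 08:37:09 gw sshd[25725]: Invalid user administrator from 192.0.2.82
Nov 16 08:37:10 gw sshd[25727]: Invalid user administrator from 192.0.2.82
Nov 16 08:37:10 gw sshguard[24319]: Blocking 192.0.2.82: 4 failures over 3 seconds.
Nov 16 09:10:01 gw sshd[25801]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov 16 09:10:02 gw sshd[25803]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov 16 09:10:03 gw sshd[25805]: Failed password for root from 198.51.100.7 port 40003 ssh2
Nov 16 09:10:04 gw sshd[25807]: Failed password for root from 198.51.100.7 port 40004 ssh2
Nov 16 09:20:11 gw sshd[25901]: Failed password for root from 203.0.113.9 port 41001 ssh2
Nov 16 09:20:12 gw sshd[25903]: Failed password for root from 203.0.113.9 port 41002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
BLOCK = re.compile(r"sshguard\[\d+\]: Blocking (?P<ip>\S+): \d+ failures")

def unanswered_failures(log_text, threshold=4):
    """Map source IP -> (failures for non-invalid accounts, block logged afterwards?)."""
    seen = defaultdict(int)   # per-source failures not yet followed by a block
    report = {}
    for line in log_text.splitlines():
        failed, block = FAILED.search(line), BLOCK.search(line)
        if failed and failed.group("invalid") is None:
            seen[failed.group("ip")] += 1
        elif block:
            count = seen.pop(block.group("ip"), 0)
            if count >= threshold:      # a block came, but only after this many attempts
                report[block.group("ip")] = (count, True)
    for ip, count in seen.items():      # sources that were never blocked at all
        if count >= threshold:
            report[ip] = (count, False)
    return report

if __name__ == "__main__":
    for ip, (count, blocked) in unanswered_failures(SAMPLE).items():
        print(f"{ip}: {count} failures for existing accounts, blocked later: {blocked}")
```

Run against the real /var/log/auth.log, any address it reports is one where password guessing against root or another existing account went on past the threshold without a block.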