From: Reshey L. <re...@gm...> - 2017-01-22 20:52:36
I have tried with 3 OpenBSD PCs to get sshguard working.

I have managed to get the bruteforce table to work with pf.conf and see blocked IPs with pfctl -T show - bruteforce

No result with pfctl -T show sshguard

The only time I got a result with pfctl -T show sshguard was while having one xterm with sshguard in debug mode, feeding it attack signatures from the sshguard.org website example list, and, before closing sshguard debug mode, running the pfctl cmd in another xterm.

I have heard via the OpenBSD IRC channel at freenode another user reporting just installing, copying the table into pf.conf, updating with pfctl, and then rcctl enable sshguard and rcctl start sshguard.

While running sshguard in debug mode it became clear to me that it does manage to read /var/log/authlog ... but I have a problem with the content of authlog. Could this be something related to locales? These PCs were set up during install with the "no" Norwegian keyboard, OpenBSD 6.0.

    env SSHGUARD_DEBUG=foo /usr/local/sbin/sshguard -l /var/log/authlog

I then hammered ssh from PuTTY on a Windows PC until this happened in the debug window:

    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0
    Checking to refresh sources...
    Refreshing sources showed 0 changes.
    Start polling.
    Searching for fd 4 in list.
    Starting parse
    Entering state 0
    Reading a token: --accepting rule at line 116 ("Jan 22 21:26:39 skylake su:")
    Next token is token SYSLOG_BANNER ()
    Shifting token SYSLOG_BANNER ()
    Entering state 3
    Reading a token: --accepting rule at line 221 (" ")
    --accepting rule at line 220 ("xxxxx")
    Next token is token WORD ()
    Error: popping token SYSLOG_BANNER ()
    Stack now 0
    Cleanup: discarding lookahead token WORD ()
    Stack now 0
    Checking to refresh sources...
    Refreshing sources showed 0 changes.
    Start polling.