From: Daniel A. <co...@da...> - 2017-01-22 21:44:56
On Sun, Jan 22, 2017, at 21:52, Reshey L. wrote:
> I have tried with 3x OpenBSD pc, to get sshguard working. I have
> managed to get the bruteforce table to work with pf.conf and see blocked ip
> with pfctl -T show - bruteforce. No result with pfctl -T show sshguard.
> Only time I got a result with pfctl -T show sshguard was while having
> one xterm with sshguard in debug mode and feeding it attack signatures
> from the sshguard.org website example list, and before closing the sshguard
> debug mode, running the pfctl cmd in another xterm. I have via the OpenBSD
> irc channel at freenode heard another user reporting just installing,
> copying the table into pf.conf, and updating with pfctl, and rcctl
> enable sshguard, and rcctl start sshguard. While running sshguard in
> debug mode it got clear to me that it does manage to read
> /var/log/authlog ... but I have a problem with the content of authlog..
> could this be something related to locales? These pcs were set up during
> install with "no" norwegian keyboard, OpenBSD 6.0.

Could you please provide a log sample? SSHGuard has no problem with my
Norwegian locale under Linux, but I'm using the 2.0 development branch.
Could you please test your setup against the current master branch? You
can obtain the source and install instructions from:
https://bitbucket.org/sshguard/sshguard/src

> env SSHGUARD_DEBUG=foo /usr/local/sbin/sshguard -l /var/log/authlog
> I then hammered ssh from putty on a windows pc, until this happened in
> the debug window:
>
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Start polling.
> Searching for fd 4 in list.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 116 ("Jan 22 21:26:39 skylake su:")
> Next token is token SYSLOG_BANNER ()
> Shifting token SYSLOG_BANNER ()
> Entering state 3
> Reading a token: --accepting rule at line 221 (" ")
> --accepting rule at line 220 ("xxxxx")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
> Checking to refresh sources...
> Refreshing sources showed 0 changes.
> Start polling.
--
Daniel Aleksandersen
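The debug trace above shows the two stages a log-based brute-force detector goes through on every authlog line: the syslog banner (timestamp, host, process) is consumed first, and only then must the remainder match a known attack pattern; a line whose remainder matches nothing is discarded and counts for nothing. The following is an added example that models those two stages in Python; it is not sshguard's own code (which is a flex/bison parser) and the authlog lines, the attack patterns, the source addresses and the threshold are all constructed for illustration. The `su:` banner from the trace is included so that the discard path is exercised alongside constructed sshd lines.

```python
import re
from collections import Counter

# Constructed sample of /var/log/authlog lines (not from the original post).
# The first banner mirrors the "su:" line in the debug trace; the sshd lines
# are typical OpenSSH messages with documentation (RFC 5737) addresses.
SAMPLE_AUTHLOG = """\
Jan 22 21:26:39 skylake su: xxxxx to root on /dev/ttyp0
Jan 22 21:26:41 skylake sshd[12345]: Failed password for root from 203.0.113.7 port 51822 ssh2
Jan 22 21:26:43 skylake sshd[12345]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Jan 22 21:26:44 skylake sshd[12346]: Invalid user oracle from 203.0.113.7
Jan 22 21:26:50 skylake sshd[12347]: Accepted publickey for reshey from 192.0.2.10 port 40000 ssh2
Jan 22 21:27:02 skylake sshd[12348]: Failed password for invalid user test from 198.51.100.9 port 4000 ssh2
"""

# Stage 1: the syslog banner "Mon DD HH:MM:SS host process[pid]: ".
# The process name and the message after the banner are what stage 2 needs.
SYSLOG_BANNER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Stage 2: attack signatures keyed by process name (constructed, sshd only).
# A process with no entry here (e.g. "su") can never produce an attack.
ATTACK_SIGNATURES = {
    "sshd": [
        re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+"),
        re.compile(r"^Invalid user \S+ from (?P<ip>[0-9.]+)"),
    ],
}


def parse_line(line):
    """Return (process, attacker_ip) for a recognised attack line, else None."""
    m = SYSLOG_BANNER.match(line)
    if m is None:
        return None  # no syslog banner at all: not something we can classify
    proc, msg = m.group("proc"), m.group("msg")
    for sig in ATTACK_SIGNATURES.get(proc, ()):
        hit = sig.match(msg)
        if hit:
            return proc, hit.group("ip")
    # Banner accepted but the message matched no signature: the line is
    # discarded, which is the path the "su:" line in the trace takes.
    return None


def count_attacks(log_text):
    """Tally recognised attack lines per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


def blocklist(counts, threshold=3):
    """Addresses that reached the threshold and would be handed to the firewall."""
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    tallies = count_attacks(SAMPLE_AUTHLOG)
    for ip, n in tallies.most_common():
        print(f"{ip}: {n} attack line(s)")
    print("block:", sorted(blocklist(tallies)))
```

In a real deployment the set returned by `blocklist` is what the backend feeds to pf, for example with `pfctl -t sshguard -T add <address>`, which is why `pfctl -t sshguard -T show` stays empty until some source has accumulated enough recognised attack lines; lines the parser discards, like the `su:` line in the trace, never contribute to that count.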