From: @lbutlr <kr...@kr...> - 2020-02-28 14:17:06
After updating my system to FreeBSD 12.1 and reinstalling sshguard, it is not logging at all.

First, it is running:

    root 82669 0.0 0.1 4884 2372 - Is 06:43 0:00.00 /bin/sh /usr/local/sbin/sshguard -b /usr/local/etc/sshguard.blacklist -w /usr/local/etc/sshguard.whitelist -b 120:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
    root 82672 0.0 0.1 5924 3572 - IC 06:43 0:00.00 /usr/local/libexec/sshg-parser
    root 82673 0.0 0.1 5560 2712 - IC 06:43 0:00.03 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 1200 -s 18000 -w /usr/local/etc/sshguard.whitelist
    root 82674 0.0 0.1 4808 2348 - I 06:43 0:00.19 /bin/sh /usr/local/libexec/sshg-fw-pf

Second, the config has not changed since FreeBSD 11.4:

    BACKEND="/usr/local/libexec/sshg-fw-pf"
    FILES="/var/log/auth.log /var/log/mail.log /var/log/debug.log /var/log/xferlog"
    THRESHOLD=30
    BLOCK_TIME=1200
    DETECTION_TIME=18000
    BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db
    WHITELIST_FILE=/usr/local/etc/sshguard.whitelist

Third, auth.log is showing attempts to login:

    sshd[74508] Invalid user andrew from 154.120.242.70 port 9226
    sshd[74508] Failed unknown for invalid user andrew from 154.120.242.70 port 9226 ssh2
    sshd[74508] user NOUSER login class [preauth]
    sshd[74508] Connection closed by invalid user andrew 154.120.242.70 port 9226 [preauth]

There is nothing in any /var/log/* file that mentions sshguard other than the message that I deinstalled it and reinstalled it (hoping it would fix something) in /var/log/message.

rc.conf has:

    sshguard_enable="YES"
    sshguard_safety_thresh="30"
    sshguard_pardon_min_interval="600"
    sshguard_prescribe_interval="7200"
    sshguard_flags="-b /usr/local/etc/sshguard.blacklist -w /usr/local/etc/sshguard.whitelist"

/var/db/sshguard/blacklist.db has not been modified since Feb 16.

However, if I check pfctl -t sshguard -vTs I do see lines like the following:

    223.171.32.56 Cleared: Fri Feb 28 06:43:48 2020
    223.171.32.66 Cleared: Fri Feb 28 06:43:49 2020
    223.171.37.178 Cleared: Fri Feb 28 06:43:49 2020

But still, nothing at all is logged, where I used to get a lot of logging like:

    Nov 30 03:35:19 mail sshguard[53048]: Attack from "27.69.242.187" on service SSH with danger 10.
    Nov 30 03:35:49 mail sshguard[53048]: Attack from "27.69.242.187" on service SSH with danger 10.
    Nov 30 03:35:54 mail sshguard[53048]: Attack from "27.69.242.187" on service SSH with danger 10.
    Nov 30 03:35:54 mail sshguard[53048]: Blocking "27.69.242.187/32" for 1200 secs (3 attacks in 35 secs, after 1 abuses over 35 secs.)

If it matters, I preload pfctl with 36 thousand IP blocks into a different table ("badguys"):

    bash -c 'pfctl -t badguys -T add $(cat /usr/local/etc/ru.zone)'
    bash -c 'pfctl -t badguys -T add $(cat /usr/local/etc/cn.zone)'

So, it kind of looks like sshguard is adding IP addresses to pfctl, but not to the db file and is not logging at all?
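The post's old sshguard log lines show how the quoted settings interact: each SSH attack is scored "with danger 10", so with THRESHOLD=30 an address is blocked on its third attack inside the DETECTION_TIME window and stays blocked for BLOCK_TIME seconds. The following is an added example, not code from the post or from the sshguard project: a simplified model of that threshold and detection-window logic run over constructed sshd "Invalid user" lines in the auth.log format the post quotes. The per-attack danger of 10, the syslog year (2019), the sample addresses (from the RFC 5737 documentation ranges) and the whitelist contents are assumptions made for the example; real sshguard also recognises other sshd messages and tracks repeat offenders for blacklisting, which this model leaves out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the sshguard.conf quoted in the post.
THRESHOLD = 30          # block once an address's accumulated danger reaches this
BLOCK_TIME = 1200       # seconds an address stays blocked
DETECTION_TIME = 18000  # seconds after which an old attack is forgotten
# Assumption: the poster's old log lines score an SSH attack "with danger 10".
SSH_DANGER = 10

# Constructed sample lines (not from the post) in the sshd auth.log format it quotes.
# 203.0.113.7 makes three attempts in 35 seconds; 198.51.100.9 makes two, hours apart.
SAMPLE_LOG = """\
Nov 30 03:35:19 mail sshd[53001]: Invalid user andrew from 203.0.113.7 port 9226
Nov 30 03:35:49 mail sshd[53002]: Invalid user bob from 203.0.113.7 port 9301
Nov 30 03:35:54 mail sshd[53003]: Invalid user carol from 203.0.113.7 port 9350
Nov 30 03:36:10 mail sshd[53004]: Invalid user dave from 198.51.100.9 port 4410
Nov 30 09:00:00 mail sshd[53005]: Invalid user erin from 198.51.100.9 port 4411
"""

# Constructed whitelist standing in for /usr/local/etc/sshguard.whitelist.
WHITELIST = {"192.0.2.10"}

ATTACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_attacks(lines, year=2019):
    """Yield (timestamp, ip) for every line that is an sshd 'Invalid user' attempt.

    syslog lines carry no year, so one is supplied (an assumption for the sample data).
    """
    for line in lines:
        m = ATTACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def simulate_blocker(lines):
    """Simplified model of sshguard's threshold / detection-window decision.

    Returns (blocks, messages): blocks is a list of (ip, block_seconds, n_attacks,
    span_seconds) tuples, messages the log lines the decisions would produce.
    """
    recent = defaultdict(list)  # ip -> timestamps of attacks still inside the window
    window = timedelta(seconds=DETECTION_TIME)
    blocks, messages = [], []
    for ts, ip in parse_attacks(lines):
        if ip in WHITELIST:
            continue  # whitelisted addresses are never scored
        hits = [t for t in recent[ip] if ts - t <= window]  # drop attacks older than the window
        hits.append(ts)
        messages.append(f'Attack from "{ip}" on service SSH with danger {SSH_DANGER}.')
        if len(hits) * SSH_DANGER >= THRESHOLD:
            span = int((ts - hits[0]).total_seconds())
            blocks.append((ip, BLOCK_TIME, len(hits), span))
            messages.append(
                f'Blocking "{ip}/32" for {BLOCK_TIME} secs ({len(hits)} attacks in {span} secs.)'
            )
            hits = []  # the address is now blocked; start counting afresh
        recent[ip] = hits
    return blocks, messages


if __name__ == "__main__":
    decisions, log = simulate_blocker(SAMPLE_LOG.splitlines())
    print("\n".join(log))
    print(decisions)
```

Running the block prints three "Attack from" lines for 203.0.113.7 followed by a single "Blocking" line (3 attacks in 35 secs), while 198.51.100.9 never reaches the threshold because its two attempts are more than DETECTION_TIME apart. When the pf table fills but no such lines appear in syslog, as in the post, the scoring side of the pipeline is evidently working and the question becomes where sshg-blocker's output is being directed.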