From: @lbutlr <kr...@kr...> - 2020-07-14 22:16:13
sshguard-2.4.0_2,1 on FreeBSD 12.1

If I check my sshguard table, it returns no entries

    # pfctl -t sshguard -T show
    #

auth.log contains entries like:

    sshd[81715] error: PAM: Authentication error for root from 116.98.172.159
    sshd[81715] Connection closed by authenticating user root 116.98.172.159 port 49832 [preauth]

I can manually add an IP to the sshguard table, but I cannot see any evidence that sshguard is doing anything and "sshg" appears in no log files in /var/log/.

    # pfctl -t badguys -T show | grep 116.98.172.159
    # pfctl -t sshguard -T add 116.98.172.159
    1/1 addresses added.
    # pfctl -t sshguard -T show
    116.98.172.159

So, PF appears to be fine. So, I try to manually trigger it by manually appending the above log lines back to auth.log from another session:

    # which sshguard
    /usr/local/sbin/sshguard
    # env SSHGUARD_DEBUG=foo /usr/local/sbin/sshguard
    /usr/local/sbin/sshguard: cannot create : No such file or directory
    sshguard 94135 - - whitelist: add '***' as plain IPv4.
    sshguard 94135 - - whitelist: add plain IPv4 ***.
    sshguard 94135 - - whitelist: add IPv4 block: ***.
    sshguard 94135 - - whitelist: add IPv4 block: ***.
    sshguard 94135 - - blacklist: blocking 4832 addresses
    sshguard 94135 - - whitelist: add '127.0.0.1' as plain IPv4.
    sshguard 94135 - - whitelist: add plain IPv4 127.0.0.1.
    sshguard 94135 - - Now monitoring attacks.
    Jul 14 14:07:05 mail.covisp.net sshd[81715] error: PAM: Authentication error for root from 116.98.172.159
    Jul 14 14:07:08 mail.covisp.net sshd[81715] Connection closed by authenticating user root 116.98.172.159 port 49832 [preauth]

Nothing. ??

ps output:

    root 843 0.0 0.1 4884 1928 - Is 7Jun20 0:00.00 /bin/sh /usr/local/sbin/sshguard -b /usr/local/etc/sshguard.blacklist -w /usr/local/etc/sshguard.whitelist -b 120:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
    root 848 0.0 0.1 5560 2692 - IC 7Jun20 0:00.15 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 1200 -s 18000 -w /usr/local/etc/sshguard.whitelist

/usr/local/etc/sshguard.conf:

    BACKEND="/usr/local/libexec/sshg-fw-pf"
    FILES="/var/log/auth.log /var/log/mail.log /var/log/debug.log /var/log/xferlog"
    THRESHOLD=30
    BLOCK_TIME=1200
    DETECTION_TIME=18000
    BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db
    WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
    #EOF

/etc/pf.conf:

    ext=em0
    table <goodguys> { **someIPs** } persist
    table <badguys> { } persist
    table <sshguard> persist
    block in quick on $ext from <sshguard> label "sshguardblock"
    block in quick on $ext from <badguys> label "COUNTRY BLOCKS"
    pass in quick on $ext proto tcp from <goodguys> to ($ext) port ssh keep state
    pass in on $ext proto tcp from any to ($ext) port ssh keep state (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
    #EOF
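The post's problem is a log line format that the detection pipeline may or may not recognise. The following is an added, simplified model of that pipeline (not sshguard's own parser or scoring code): it matches the two sshd line shapes quoted above, with and without a colon after the PID, since that is the kind of syslog formatting difference that silently breaks a matcher, and applies a threshold over a sliding detection window using the THRESHOLD and DETECTION_TIME values from the config. The per-event score of 10, the TEST-NET sample lines and the hostnames are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two line shapes from the post. The optional ':' after the PID covers the
# syslogd format variation; this is a simplified model, not sshguard's parser.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]:? error: PAM: "
    r"Authentication error for \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")
CLOSED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]:? Connection closed by "
    r"authenticating user \S+ (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]")

ATTACK_SCORE = 10  # assumed weight per matched event (illustration only)

def parse_line(line, year=2020):
    """Return (timestamp, source ip) for a recognised line, else None."""
    for rx in (PAM_RE, CLOSED_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("ip")
    return None

def offenders(lines, threshold=30, detection_time=18000, whitelist=("127.0.0.1",)):
    """IPs whose score within the detection window reaches the threshold."""
    events = defaultdict(list)  # ip -> timestamps of events still in the window
    blocked = set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in whitelist or ip in blocked:
            continue
        window = [t for t in events[ip] if (ts - t).total_seconds() <= detection_time]
        window.append(ts)
        events[ip] = window
        if len(window) * ATTACK_SCORE >= threshold:
            blocked.add(ip)
    return blocked

SAMPLE_LOG = [  # constructed sample lines using TEST-NET addresses
    "Jul 14 14:07:05 host sshd[81715] error: PAM: Authentication error for root from 192.0.2.10",
    "Jul 14 14:07:08 host sshd[81715] Connection closed by authenticating user root 192.0.2.10 port 49832 [preauth]",
    "Jul 14 14:09:01 host sshd[81720]: error: PAM: Authentication error for admin from 192.0.2.10",
    "Jul 14 14:09:30 host sshd[81721]: error: PAM: Authentication error for root from 198.51.100.7",
    "Jul 14 14:10:00 host sshd[81722] Connection closed by authenticating user root 198.51.100.7 port 5000 [preauth]",
    "Jul 14 14:10:05 host sshd[81723] Accepted publickey for alice from 203.0.113.4 port 1234 ssh2",
]

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))  # ['192.0.2.10']
```

Feeding a system's real auth.log through parse_line and counting how many lines come back as None is a quick way to tell whether the line format, rather than the firewall backend, is what is being missed.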