Menu
▾
▴
Re: [SSHGuard-users] firewall doesn't seem to be updating
|
From: Kevin Z. <kev...@gm...> - 2020-07-15 07:58:59
|
Hi there, So, a few things: On 7/14/20 2:57 PM, @lbutlr wrote: > auth.log contains entries like: > > sshd[81715] error: PAM: Authentication error for root from 116.98.172.159 > sshd[81715] Connection closed by authenticating user root 116.98.172.159 port 49832 [preauth] Are these the exact lines from your auth.log? SSHGuard is not detecting these because it does not recognize your log header. Is this syslogd? You can test the parser by itself (on FreeBSD) using: $ /usr/local/libexec/sshg-parser It reads input line by line, does nothing if it does not detect an attack, and prints something if it does. You have an example attack below: Jul 14 14:07:05 mail.covisp.net sshd[81715] error: PAM: Authentication error for root from 116.98.172.159 This is not recognized by 2.4.0 because OpenSSH recently changed their log format. The parser in Git does recognize this as an attack. I will cut a release soon. > So, I try to manually trigger it by manually appending the above bloglines back to auth.log from another session: > > # which sshguard > /usr/local/sbin/sshguard > # env SSHGUARD_DEBUG=foo /usr/local/sbin/sshguard > /usr/local/sbin/sshguard: cannot create : No such file or directory The version in FreeBSD ports has a non-standard addition that checks for the existence of the PID file. I think it's just saying it can't write to the PID file, because $PID_FILE is empty? I'll investigate further. > sshguard 94135 - - whitelist: add '***' as plain IPv4. > sshguard 94135 - - whitelist: add plain IPv4 ***. > sshguard 94135 - - whitelist: add IPv4 block: ***. > sshguard 94135 - - whitelist: add IPv4 block: ***. > sshguard 94135 - - blacklist: blocking 4832 addresses > sshguard 94135 - - whitelist: add '127.0.0.1' as plain IPv4. > sshguard 94135 - - whitelist: add plain IPv4 127.0.0.1. > sshguard 94135 - - Now monitoring attacks. SSHGuard does not accept attacks from standard input. So, seems like some things are wrong; some things that should be fixed when we cut a release. There are several things you can do to troubleshoot SSHGuard, but an easy starter is to syscall trace it: $ truss -f /usr/local/sbin/sshguard If you could trace it for 10 seconds or so and attach the output, I might be able to see what's going on. Good luck, Kevin -- Kevin Zheng kev...@gm... | ke...@be... XMPP: ke...@ee... |
