sshguard-users — User questions and answers, bugs, and general support

Re: [SSHGuard-users] Fwd-Debian: sshguard is marked for autoremoval from testing

[hvjunk <hv...@gm...>]

Thank you,

I’ve asked/included the Debian SSHGuard maintainer to request that update :)

> On 21 Sep 2025, at 19:56, Kevin Zheng <kev...@gm...> wrote:
> 
> Hi Hendrik,
> 
> Thanks for bringing this to our attention.
> 
> These build failures in GCC 15 were fixed since the 2.5.0 release. Can Debian update the package to 2.5.1?
> 
> Regards,
> Kevin
> 
> 
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [SSHGuard-users] Fwd: Fwd-Debian: sshguard is marked for autoremoval from testing

[Kevin Z. <kev...@gm...>]

Hi Hendrik,

Thanks for bringing this to our attention.

These build failures in GCC 15 were fixed since the 2.5.0 release. Can 
Debian update the package to 2.5.1?

Regards,
Kevin

[SSHGuard-users] Fwd: Fwd-Debian: sshguard is marked for autoremoval from testing

[hvjunk <hv...@gm...>]

Good day,

Seems GCC15 following C23 is.. well… requiring code changes :0

> Begin forwarded message:
> 
> From: Debian testing autoremoval watch <no...@re...>
> Subject: sshguard is marked for autoremoval from testing
> Date: 06 September 2025 at 06:40:24 SAST
> To: <ssh...@pa...>
> 
> sshguard 2.4.3-1 is marked for autoremoval from testing on 2025-09-19
> 
> It is affected by these RC bugs:
> 1097932: sshguard: ftbfs with GCC-15
> 
https://bugs.debian.org/1097932
> 
> 
> 
> For more information on the autoremoval process, including hints to prevent
> autoremoval can be found on the wiki: https://wiki.debian.org/Autoremoval
> 
> This mail is generated by:
> https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
> 
> Autoremoval data is generated by:
> https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl

[SSHGuard-users] Fwd-Debian: sshguard is marked for autoremoval from testing

[Hendrik V. <hv...@he...>]

Good day,

 Who is the Debian package maintainer to perhaps comment on this?

Begin forwarded message:

From: Debian testing autoremoval watch <no...@re...>
Subject: sshguard is marked for autoremoval from testing
Date: 06 September 2025 at 06:40:24 SAST
To: <ssh...@pa...>

sshguard 2.4.3-1 is marked for autoremoval from testing on 2025-09-19

It is affected by these RC bugs:
1097932: sshguard: ftbfs with GCC-15

https://bugs.debian.org/1097932



For more information on the autoremoval process, including hints to prevent
autoremoval can be found on the wiki: https://wiki.debian.org/Autoremoval

This mail is generated by:
https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl

Autoremoval data is generated by:
https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl


---

Hendrik Visage

hv...@he...

HeViS.Co Systems Pty Ltd

https://www.envisage.co.za

Re: [SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Kevin Z. <kev...@gm...>]

Hi Gregor,

Oops, sorry for the delay in committing this patch. It has now been 
committed. Thanks for your contribution!

Regards,
Kevin

Re: [SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Gregor H. <gre...@ew...>]

On Tue, May 27, 2025 at 11:11:43PM -0700, Kevin Zheng wrote:
> On 5/27/25 10:59 PM, Gregor Herburger wrote:
> > Yes I think you are right, it is more of an infinite recursion.
> > Shall I reword the commit message and resend the patch?
> > 
> > This happend on a embedded linux system with busybox ash shell. Also
> > this only happens when the system is under heavy load.
> 
> Thanks for the information. No need for an extra patch. I'll add a comment
> and include this information in the commit message.

Hi Kevin,

will you add this patch to the repository. Should I open a pull request
with the change?

Best regards
Gregor
-- 
TQ-Systems GmbH | Mühlstraße 2, Gut Delling | 82229 Seefeld, Germany
Amtsgericht München, HRB 105018
Geschäftsführer: Detlef Schneider, Rüdiger Stahl, Stefan Schneider
https://www.tq-group.com/

Re: [SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Kevin Z. <kev...@gm...>]

On 5/27/25 10:59 PM, Gregor Herburger wrote:
> Yes I think you are right, it is more of an infinite recursion.
> Shall I reword the commit message and resend the patch?
> 
> This happend on a embedded linux system with busybox ash shell. Also
> this only happens when the system is under heavy load.

Thanks for the information. No need for an extra patch. I'll add a 
comment and include this information in the commit message.

Regards,
Kevin

Re: [SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Gregor H. <gre...@ew...>]

On Tue, May 27, 2025 at 11:42:52AM -0700, Kevin Zheng wrote:

Hi Kevin,
> On 5/23/25 4:36 AM, Gregor Herburger wrote:
> > When the sshguard script gets an SIGNAL to exit the clean_and_exit
> > function is called which calls exit which in turn calls exit 0. This can
> > in some cases call again clean_and_exit and causes a non-zero exit code.
> Thanks for the investigation and the patch.
> 
> The patch seems correct, though would you characterize it as a race
> condition or more of infinite recursion?
> 
Yes I think you are right, it is more of an infinite recursion.
Shall I reword the commit message and resend the patch?

> Could you also advise what OS/shell you were using when you encountered the
> issue?
This happend on a embedded linux system with busybox ash shell. Also
this only happens when the system is under heavy load.

Regards,
Gregor

-- 
TQ-Systems GmbH | Mühlstraße 2, Gut Delling | 82229 Seefeld, Germany
Amtsgericht München, HRB 105018
Geschäftsführer: Detlef Schneider, Rüdiger Stahl, Stefan Schneider
https://www.tq-group.com/

Re: [SSHGuard-users] [PATCH v2 1/1] Add signature for dropbear ssh logs

[Kevin Z. <kev...@gm...>]

Thank you for your contribution!

Committed, with minor changes, in 49a2229. Thanks!

Regards,
Kevin

Re: [SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Kevin Z. <kev...@gm...>]

Hi Gregor,

On 5/23/25 4:36 AM, Gregor Herburger wrote:
> When the sshguard script gets an SIGNAL to exit the clean_and_exit
> function is called which calls exit which in turn calls exit 0. This can
> in some cases call again clean_and_exit and causes a non-zero exit code.
Thanks for the investigation and the patch.

The patch seems correct, though would you characterize it as a race 
condition or more of infinite recursion?

Could you also advise what OS/shell you were using when you encountered 
the issue?

Regards,
Kevin

[SSHGuard-users] [PATCH 1/1] sshguard.in: Fix race condition in exit trap

[Gregor H. <gre...@ew...>]

When the sshguard script gets an SIGNAL to exit the clean_and_exit
function is called which calls exit which in turn calls exit 0. This can
in some cases call again clean_and_exit and causes a non-zero exit code.

The sh -x output looks like this in this cases:
...
+ /usr/libexec/sshg-fw-nft-sets
+ clean_and_exit
+ '[' -n  ]
+ exit
+ kill 0
+ clean_and_exit
+ '[' -n  ]
+ exit

~# echo $?
143

Disable the INT/TERM trap in clean_and_exit before exiting to allow a
clean exit.

Signed-off-by: Gregor Herburger <gre...@ew...>
---
 src/sshguard.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/sshguard.in b/src/sshguard.in
index bcc5e68ffc04..d4e59f85e1c4 100644
--- a/src/sshguard.in
+++ b/src/sshguard.in
@@ -27,6 +27,7 @@ clean_and_exit() {
     if [ -n "$PID_FILE" ]; then
         rm -f "$PID_FILE"
     fi
+    trap - INT TERM
     exit
 }
 
-- 
2.34.1

Re: [SSHGuard-users] Configuring and running with IPFilter on OmniOS (Illumos)

[Kevin Z. <kev...@gm...>]

Hi Alexei,

Sorry for the delayed response.

After you configure ipfilter on your system normally, you should only 
need to set BACKEND to the ipfilter backend in sshguard.conf.

The ipfilter backend will add rules to your active firewall rules by 
running the `ipf` command.

I have not tested the ipfilter backend on OmniOS, but I believe it 
should function just like the one on BSD.

I would suggest trying with a non-production system first. Let me know 
how it goes.

Regards,
Kevin

[SSHGuard-users] [PATCH v2 1/1] Add signature for dropbear ssh logs

[Gregor H. <gre...@ew...>]

Added Dropbear SSH service to the parser.

Signed-off-by: Gregor Herburger <gre...@ew...>
---
v2: adjust dangerousness for exit before auth to 2 (similar to ssh)

 src/common/attack.h         |  1 +
 src/common/service_names.c  |  1 +
 src/parser/attack_parser.y  | 11 +++++++++++
 src/parser/attack_scanner.l |  6 ++++++
 src/parser/tests.txt        | 21 +++++++++++++++++++++
 5 files changed, 40 insertions(+)

diff --git a/src/common/attack.h b/src/common/attack.h
index d19945cdddf4..46dfef351ab5 100644
--- a/src/common/attack.h
+++ b/src/common/attack.h
@@ -29,6 +29,7 @@ enum service {
     SERVICES_SSH            = 100,  //< ssh
     SERVICES_SSHGUARD       = 110,  //< SSHGuard
     SERVICES_BIND           = 120,  //< BIND (named)
+    SERVICES_DROPBEAR       = 130,  //< Dropbear SSH
     SERVICES_UWIMAP         = 200,  //< UWimap for imap and pop daemon
     SERVICES_DOVECOT        = 210,  //< dovecot
     SERVICES_CYRUSIMAP      = 220,  //< cyrus-imap
diff --git a/src/common/service_names.c b/src/common/service_names.c
index 174c57c7f644..beaa176a9b46 100644
--- a/src/common/service_names.c
+++ b/src/common/service_names.c
@@ -8,6 +8,7 @@ struct service_s {
 static const struct service_s services[] = {
     {SERVICES_SSH, "SSH"},
     {SERVICES_SSHGUARD, "SSHGuard"},
+    {SERVICES_DROPBEAR, "Dropbear"},
     {SERVICES_UWIMAP, "UW IMAP"},
     {SERVICES_DOVECOT, "Dovecot"},
     {SERVICES_CYRUSIMAP, "Cyrus IMAP"},
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 0cfc5d66a74b..1b7f72630b92 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -62,6 +62,10 @@ static void yyerror(attack_t *, const char *);
 %token SSH_INVALIDFORMAT_PREF SSH_INVALIDFORMAT_SUFF
 %token SSH_BADKEX_PREF SSH_BADKEX_SUFF
 %token SSH_DISCONNECT_PREF SSH_CONNECTION_CLOSED SSH_PREAUTH_SUFF
+/* dropbear */
+%token DROPBEAR_BAD_PASSWORD
+%token DROPBEAR_BAD_USER
+%token DROPBEAR_EXIT_BEFORE_AUTH_PREF DROPBEAR_EXIT_BEFORE_AUTH_SUFF
 /* SSHGuard */
 %token SSHGUARD_ATTACK_PREF SSHGUARD_ATTACK_SUFF
 %token SSHGUARD_BLOCK_PREF SSHGUARD_BLOCK_SUFF
@@ -163,6 +167,7 @@ repetition_suffix:
 
 msg_single:
     sshmsg            { attack->service = SERVICES_SSH; }
+  | dropbearmsg       { attack->service = SERVICES_DROPBEAR; }
   | sshguardmsg       { attack->service = SERVICES_SSHGUARD; }
   | bindmsg           { attack->service = SERVICES_BIND; }
   | dovecotmsg        { attack->service = SERVICES_DOVECOT; }
@@ -254,6 +259,12 @@ ssh_badkex:
     SSH_BADKEX_PREF addr SSH_BADKEX_SUFF
   ;
 
+dropbearmsg:
+    DROPBEAR_BAD_PASSWORD addr ':' INTEGER
+  | DROPBEAR_BAD_USER addr ':' INTEGER
+  | DROPBEAR_EXIT_BEFORE_AUTH_PREF addr ':' INTEGER DROPBEAR_EXIT_BEFORE_AUTH_SUFF { attack->dangerousness = 2; }
+ ;
+
 /* attacks and blocks from SSHGuard */
 sshguardmsg:
     SSHGUARD_ATTACK_PREF addr SSHGUARD_ATTACK_SUFF
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 9857cb3affec..6dfde151ff10 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -192,6 +192,12 @@ HTTP_LOGIN_200OK_BAD       .*({WORDPRESS_LOGIN}|{TYPO3_LOGIN}|{CONTAO_LOGIN}).*
 "fatal: "?"Unable to negotiate with "                                     { BEGIN(ssh_badkex); return SSH_BADKEX_PREF; }
 <ssh_badkex>(" port ".*)?[: ].*"no matching ".*" found".*       { BEGIN(INITIAL); return SSH_BADKEX_SUFF; }
 
+[Bb]"ad "("PAM ")?"password attempt for "[^ ]+" from "                      { return DROPBEAR_BAD_PASSWORD; }
+[Ll]"ogin attempt for nonexistent user from"                     { return DROPBEAR_BAD_USER; }
+[Ee]"xit before auth from <"                                     { return DROPBEAR_EXIT_BEFORE_AUTH_PREF; }
+">:".*                                                           { return DROPBEAR_EXIT_BEFORE_AUTH_SUFF; }
+
+
  /* SSHGuard */
 "Attack from \""                                                { BEGIN(sshguard_attack); return SSHGUARD_ATTACK_PREF; }
 <sshguard_attack>"\" on service "{NUMBER}" with danger "{NUMBER}"."    { BEGIN(INITIAL); return SSHGUARD_ATTACK_SUFF; }
diff --git a/src/parser/tests.txt b/src/parser/tests.txt
index eaba934a035a..497c34111793 100644
--- a/src/parser/tests.txt
+++ b/src/parser/tests.txt
@@ -177,6 +177,27 @@ Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20
 M
 # }}}
 
+# Dropbear {{{
+Bad password attempt for 'root' from ::ffff:1.2.3.4:55990
+130 1.2.3.4 4 10
+M
+Bad PAM password attempt for 'user23' from ::ffff:1.2.3.4:55992
+130 1.2.3.4 4 10
+M
+Login attempt for nonexistent user from 1.2.3.4:60794
+130 1.2.3.4 4 10
+M
+May 08 09:49:25 hostname dropbear[1773]: Exit before auth from <::ffff:10.42.42.135:46154>: (user 'root', 0 fails): Exited normally
+130 10.42.42.135 4 2
+M
+May 08 10:02:05 server dropbear[1977]: Exit before auth from <::ffff:10.42.63.135:50288>: Exited normally
+130 10.42.63.135 4 2
+M
+Exit before auth from <::ffff:1.2.3.4:47810>: (user 'root', 0 fails): Error reading: Connection reset by peer
+130 1.2.3.4 4 2
+M
+# }}}
+
 #### Remote SSHGuard {{{
 Attack from "2001:db8::a11:beef:456e" on service 100 with danger 10.
 110 2001:db8::a11:beef:456e 6 10
-- 
2.34.1

[SSHGuard-users] Configuring and running with IPFilter on OmniOS (Illumos)

[Alexei A. <ale...@gm...>]

Hi !

Continuing the saga on this :)

So initially we found this how to -
https://blog.up-link.ro/ssh-security-how-to-block-ssh-brute-force-attacks-with-sshguard/
- however this seems to be too BSD specific, doesn't look like it is
applicable anymore.

Current documentation doesn't explicitly mention how to configure ipfilter
also - https://www.sshguard.net/docs/sshguard-setup.html#backends

I found this post from 2015 - about sshg-fw wrapper -
https://sourceforge.net/p/sshguard/mailman/sshguard-users/thread/558FD077.4040002%40gmail.com/#msg34247782

What is the best way to proceed with this?

Logging is enabled to /var/adm/auth.log and btw port is also non standard
for SSH (but I think this is now supported OK also).

# tail  /var/adm/auth.log
May  6 13:09:27 test sshd-session[6430]: [ID 800047 auth.error] error: PAM:
Authentication failed for root from ****
May  6 13:09:31 test sshd-session[6430]: [ID 800047 auth.info] Connection
closed by authenticating user root **** port 45283 [preauth]
May  6 13:09:38 test sshd-session[6434]: [ID 800047 auth.info] Connection
closed by authenticating user root **** port 33144 [preauth]
May  6 13:09:45 test sshd-session[6436]: [ID 800047 auth.error] error: PAM:
Authentication failed for root from ****
May  6 13:09:46 test last message repeated 1 time
May  6 13:09:46 test sshd-session[6436]: [ID 800047 auth.info] Postponed
keyboard-interactive for root from **** port 52220 ssh2 [preauth]
May  6 13:09:46 test sshd-session[6436]: [ID 800047 auth.error] error: PAM:
Authentication failed for root from ****
May  6 13:09:47 test sshd-session[6436]: [ID 800047 auth.info] Failed
password for root from **** port 52220 ssh2
May  6 13:09:47 test last message repeated 1 time
May  6 13:09:47 test sshd-session[6436]: [ID 800047 auth.error] error:
maximum authentication attempts exceeded for root from **** port 52220 ssh2
[preauth]
May  6 13:09:47 test sshd-session[6436]: [ID 800047 auth.info]
Disconnecting authenticating user root **** port 52220: Too many
authentication failures [preauth]


--
Best regards,
Aleksey Anisimov

Re: [SSHGuard-users] make error with 2.5.0 on OmniOS r151052u - 'LOG_PERROR' undeclared

[Alexei A. <ale...@gm...>]

OK this is now build and installed also :)

did the following change as per below and had to configure with different
prefix

now I'm sort of afraid to run it - will it actually run alright on OmniOS -
given all the differences? :)

please let me know what you think guys!

# ./configure --prefix=/opt/local

# diff src/common/sandbox.c src/common/sandbox.c.orig
23,25c23
<       #ifdef LOG_PERROR
<                flags |= LOG_PERROR;
<       #endif
---
>         flags |= LOG_PERROR;


--
Best regards,
Aleksey Anisimov


On Mon, 28 Apr 2025 at 20:41, Alexei Anisimov <ale...@gm...>
wrote:

> hi guys !
>
> anyone could make provide a hint about this?
>
> interestingly enough, not much comes up in Google by this, I thought this
> would be something fairly common actually
>
> does it even work on OmniOS ? thanks for any help !
>
> root@test:~/sshguard-2.5.0# make
> Making all in src
> make[1]: Entering directory '/root/sshguard-2.5.0/src'
> Making all in blocker
> make[2]: Entering directory '/root/sshguard-2.5.0/src/blocker'
>   CC       sandbox.o
> ../common/sandbox.c: In function 'init_log':
> ../common/sandbox.c:23:18: error: 'LOG_PERROR' undeclared (first use in
> this function); did you mean 'LOG_ERR'?
>    23 |         flags |= LOG_PERROR;
>       |                  ^~~~~~~~~~
>       |                  LOG_ERR
> ../common/sandbox.c:23:18: note: each undeclared identifier is reported
> only once for each function it appears in
> ../common/sandbox.c: In function 'droproot':
> ../common/sandbox.c:43:9: warning: implicit declaration of function
> 'setresgid'; did you mean 'setregid'? [-Wimplicit-function-declaration]
>    43 |     if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
>       |         ^~~~~~~~~
>       |         setregid
> ../common/sandbox.c:46:9: warning: implicit declaration of function
> 'setresuid'; did you mean 'setreuid'? [-Wimplicit-function-declaration]
>    46 |     if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
>       |         ^~~~~~~~~
>       |         setreuid
> make[2]: *** [Makefile:408: sandbox.o] Error 1
> make[2]: Leaving directory '/root/sshguard-2.5.0/src/blocker'
> make[1]: *** [Makefile:430: all-recursive] Error 1
> make[1]: Leaving directory '/root/sshguard-2.5.0/src'
> make: *** [Makefile:481: all-recursive] Error 1
> root@test:~/sshguard-2.5.0#
> root@test:~/sshguard-2.5.0# cat /etc/*release
> NAME="OmniOS"
> PRETTY_NAME="OmniOS Community Edition v11 r151052u"
> CPE_NAME="cpe:/o:omniosce:omnios:11:151052:21"
> ID=omnios
> VERSION=r151052u
> VERSION_ID=r151052u
> BUILD_ID=151052.21.2025.03.27
> HOME_URL="https://omnios.org/"
> SUPPORT_URL="https://omnios.org/"
> BUG_REPORT_URL="https://github.com/omniosorg/omnios-build/issues/new"
>   OmniOS v11 r151052u
>   Copyright (c) 2012-2017 OmniTI Computer Consulting, Inc.
>   Copyright (c) 2017-2025 OmniOS Community Edition (OmniOSce) Association.
>   All rights reserved. Use is subject to licence terms.
> root@test:~/sshguard-2.5.0#
> root@test:~/sshguard-2.5.0#
> root@test:~/sshguard-2.5.0#
> root@test:~/sshguard-2.5.0# uname -a
> SunOS test 5.11 omnios-r151052-5ce47a2ab6 i86pc i386 i86pc
>
> --
> Best regards,
> Aleksey Anisimov
>

Re: [SSHGuard-users] SSHGuard 2.5.0 build issue

[Alexei A. <ale...@gm...>]

Hi Kevin and thanks !

so I managed to compile it by adding this ifdef to the sandbox.c (see
below).

However now make install is also failing - because I think in OmniOS this
is all in /opt/local/ instead

root@test:~/sshguard# make install
Making install in src
make[1]: Entering directory '/root/sshguard/src'
Making install in blocker
make[2]: Entering directory '/root/sshguard/src/blocker'
make[3]: Entering directory '/root/sshguard/src/blocker'
 mkdir -p '/usr/local/libexec'
mkdir: /usr/local: cannot create intermediate directory [No such file or
directory]
make[3]: *** [Makefile:325: install-libexecPROGRAMS] Error 1
make[3]: Leaving directory '/root/sshguard/src/blocker'
make[2]: *** [Makefile:546: install-am] Error 2
make[2]: Leaving directory '/root/sshguard/src/blocker'
make[1]: *** [Makefile:430: install-recursive] Error 1
make[1]: Leaving directory '/root/sshguard/src'
make: *** [Makefile:481: install-recursive] Error 1

--
Best regards,
Aleksey Anisimov

root@test:~/sshguard# diff src/common/sandbox.c src/common/sandbox.c.orig
23,25c23
<       #ifdef LOG_PERROR
<                flags |= LOG_PERROR;
<       #endif
---
>         flags |= LOG_PERROR;


On Tue, 29 Apr 2025 at 09:41, Kevin Zheng <kev...@gm...> wrote:

> Hi Alexei,
>
> Thanks for the report.
>
> It sounds like OmniOS requires different header files for the syslog
> functions. Could you check (via man pages) what header files are
> required for getenv() and the syslog stuff?
>
> Does OmniOS have setresgid? The version in Git now has setresgid
> detection via configure, can you double check that you're using the
> right version?
>
> Also not sure why it's complaining about missing stdlib.h, when that is
> clearly included at the top of that file...
>
> I don't run OmniOS, but if you're able to figure out what changes are
> necessary and send me a patch, I can incorporate that into the next
> release.
>
> Regards,
> Kevin
>

[SSHGuard-users] SSHGuard 2.5.1 release announcement

[Kevin Z. <kev...@gm...>]

Dear SSHGuard users,

SSHGuard 2.5.1 is now available. This bugfix release corrects a denial 
of service defect that affects users using the web log (CLF) parser.

Changes in this release:

**Fixed**

- Fix a denial of service issue in the quoted string parser
- Fix build on systems without setresgid() or setresuid()

Source tarballs for this release can be found on SourceForge:

https://sourceforge.net/projects/sshguard/files/sshguard/2.5.1/

Regards,
Kevin

Re: [SSHGuard-users] SSHGuard 2.5.0 build issue

[Kevin Z. <kev...@gm...>]

Hi Alexei,

Thanks for the report.

It sounds like OmniOS requires different header files for the syslog 
functions. Could you check (via man pages) what header files are 
required for getenv() and the syslog stuff?

Does OmniOS have setresgid? The version in Git now has setresgid 
detection via configure, can you double check that you're using the 
right version?

Also not sure why it's complaining about missing stdlib.h, when that is 
clearly included at the top of that file...

I don't run OmniOS, but if you're able to figure out what changes are 
necessary and send me a patch, I can incorporate that into the next release.

Regards,
Kevin

Re: [SSHGuard-users] SSHGuard 2.5.0 build issue

[Alexei A. <ale...@gm...>]

hi guys,

piggy backing on this thread (also posted my build error), getting this on
OmniOS - just tried with git latest, the error is slightly different from
what I got using 2.5.0 tarball.

--
Best regards,
Aleksey Anisimov


root@test:~/sshguard# make
Making all in src
make[1]: Entering directory '/root/sshguard/src'
Making all in blocker
make[2]: Entering directory '/root/sshguard/src/blocker'
  CC       sandbox.o
../common/sandbox.c: In function 'init_log':
../common/sandbox.c:14:18: warning: implicit declaration of function
'getenv' [-Wimplicit-function-declaration]
   14 |     int debug = (getenv("SSHGUARD_DEBUG") != NULL);
      |                  ^~~~~~
../common/sandbox.c:6:1: note: 'getenv' is defined in header '<stdlib.h>';
did you forget to '#include <stdlib.h>'?
    5 | #include "sandbox.h"
  +++ |+#include <stdlib.h>
    6 |
../common/sandbox.c:14:43: warning: comparison between pointer and integer
   14 |     int debug = (getenv("SSHGUARD_DEBUG") != NULL);
      |                                           ^~
../common/sandbox.c:19:18: error: 'LOG_PERROR' undeclared (first use in
this function); did you mean 'LOG_ERR'?
   19 |         flags |= LOG_PERROR;
      |                  ^~~~~~~~~~
      |                  LOG_ERR
../common/sandbox.c:19:18: note: each undeclared identifier is reported
only once for each function it appears in
../common/sandbox.c: In function 'droproot':
../common/sandbox.c:36:9: warning: implicit declaration of function
'initgroups'; did you mean 'setgroups'? [-Wimplicit-function-declaration]
   36 |     if (initgroups(user, pw->pw_gid) == -1) {
      |         ^~~~~~~~~~
      |         setgroups
../common/sandbox.c:39:9: warning: implicit declaration of function
'setresgid'; did you mean 'setregid'? [-Wimplicit-function-declaration]
   39 |     if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
      |         ^~~~~~~~~
      |         setregid
../common/sandbox.c:42:9: warning: implicit declaration of function
'setresuid'; did you mean 'setreuid'? [-Wimplicit-function-declaration]
   42 |     if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
      |         ^~~~~~~~~
      |         setreuid
../common/sandbox.c: In function 'sandbox_init':
../common/sandbox.c:48:18: warning: initialization of 'char *' from 'int'
makes pointer from integer without a cast [-Wint-conversion]
   48 |     char *user = getenv("SSHGUARD_USER");
      |                  ^~~~~~
make[2]: *** [Makefile:408: sandbox.o] Error 1
make[2]: Leaving directory '/root/sshguard/src/blocker'
make[1]: *** [Makefile:430: all-recursive] Error 1
make[1]: Leaving directory '/root/sshguard/src'
make: *** [Makefile:481: all-recursive] Error 1
root@test:~/sshguard#


On Tue, 29 Apr 2025 at 04:55, Kevin Zheng <kev...@gm...> wrote:

> Thanks for the report, Marius.
>
> Could you check that the latest version in Git (or any revision after
> 90df5477) fixes the issue for you?
>
> Regards,
> Kevin
>
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

Re: [SSHGuard-users] SSHGuard 2.5.0 build issue

[Kevin Z. <kev...@gm...>]

Thanks for the report, Marius.

Could you check that the latest version in Git (or any revision after 
90df5477) fixes the issue for you?

Regards,
Kevin

[SSHGuard-users] make error with 2.5.0 on OmniOS r151052u - 'LOG_PERROR' undeclared

[Alexei A. <ale...@gm...>]

hi guys !

anyone could make provide a hint about this?

interestingly enough, not much comes up in Google by this, I thought this
would be something fairly common actually

does it even work on OmniOS ? thanks for any help !

root@test:~/sshguard-2.5.0# make
Making all in src
make[1]: Entering directory '/root/sshguard-2.5.0/src'
Making all in blocker
make[2]: Entering directory '/root/sshguard-2.5.0/src/blocker'
  CC       sandbox.o
../common/sandbox.c: In function 'init_log':
../common/sandbox.c:23:18: error: 'LOG_PERROR' undeclared (first use in
this function); did you mean 'LOG_ERR'?
   23 |         flags |= LOG_PERROR;
      |                  ^~~~~~~~~~
      |                  LOG_ERR
../common/sandbox.c:23:18: note: each undeclared identifier is reported
only once for each function it appears in
../common/sandbox.c: In function 'droproot':
../common/sandbox.c:43:9: warning: implicit declaration of function
'setresgid'; did you mean 'setregid'? [-Wimplicit-function-declaration]
   43 |     if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
      |         ^~~~~~~~~
      |         setregid
../common/sandbox.c:46:9: warning: implicit declaration of function
'setresuid'; did you mean 'setreuid'? [-Wimplicit-function-declaration]
   46 |     if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
      |         ^~~~~~~~~
      |         setreuid
make[2]: *** [Makefile:408: sandbox.o] Error 1
make[2]: Leaving directory '/root/sshguard-2.5.0/src/blocker'
make[1]: *** [Makefile:430: all-recursive] Error 1
make[1]: Leaving directory '/root/sshguard-2.5.0/src'
make: *** [Makefile:481: all-recursive] Error 1
root@test:~/sshguard-2.5.0#
root@test:~/sshguard-2.5.0# cat /etc/*release
NAME="OmniOS"
PRETTY_NAME="OmniOS Community Edition v11 r151052u"
CPE_NAME="cpe:/o:omniosce:omnios:11:151052:21"
ID=omnios
VERSION=r151052u
VERSION_ID=r151052u
BUILD_ID=151052.21.2025.03.27
HOME_URL="https://omnios.org/"
SUPPORT_URL="https://omnios.org/"
BUG_REPORT_URL="https://github.com/omniosorg/omnios-build/issues/new"
  OmniOS v11 r151052u
  Copyright (c) 2012-2017 OmniTI Computer Consulting, Inc.
  Copyright (c) 2017-2025 OmniOS Community Edition (OmniOSce) Association.
  All rights reserved. Use is subject to licence terms.
root@test:~/sshguard-2.5.0#
root@test:~/sshguard-2.5.0#
root@test:~/sshguard-2.5.0#
root@test:~/sshguard-2.5.0# uname -a
SunOS test 5.11 omnios-r151052-5ce47a2ab6 i86pc i386 i86pc

--
Best regards,
Aleksey Anisimov

[SSHGuard-users] SSHGuard 2.5.0 security advisory: denial of service

[Kevin Z. <kev...@gm...>]

Hi all,

The Common Log Format (CLF, or web) parser in 2.5.0 has a defect that 
can lead to a denial of service.

Affected Versions

2.5.0

Problem

The quoted string parser echos characters from an unterminated quoted 
string to standard output due to a lex built-in default rule.

Impact

Attackers making long HTTP requests that cause the log line to exceed 
1000 characters may cause sshg-blocker to exit, resulting in SSHGuard 
not running.

Additionally, a specially-crafted invalid HTTP request may allow a 
remote attacker to trigger SSHGuard to block an attacker-specified 
address, resulting in targeted denial of service.

Workaround

Do not use SSHGuard 2.5.0 to parse CLF/web logs. If your sshguard.conf 
does not have FILES set to a log path containing CLF logs, then you are 
not affected.

Solution

A patch to correct this problem has already been committed to Git. 
Additionally, we expect to release a bug fix release 2.5.1 shortly.

If you will be impacted, do not upgrade to 2.5.0 and wait for 2.5.1. 
Those running 2.5.0 should follow use the "Workaround" or downgrade.

Regards,
Kevin

[SSHGuard-users] SSHGuard 2.5.0 build issue

[Marius S. <li...@sc...>]

This morning my FreeBSD Poudriere build system updated SSHGuard to version 2.5.0.

When I attempted to update the MacPorts Portfile (I’m the maintainer), I got the following build error:

../common/sandbox.c:43:9: error: call to undeclared function 'setresgid'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
   43 |     if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
      |         ^
../common/sandbox.c:43:9: note: did you mean 'setregid'?
/Library/Developer/CommandLineTools/SDKs/MacOSX14.sdk/usr/include/unistd.h:593:6: note: 'setregid' declared here
  593 | int      setregid(gid_t, gid_t) __DARWIN_ALIAS(setregid);
      |          ^
../common/sandbox.c:46:9: error: call to undeclared function 'setresuid'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
   46 |     if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
      |         ^
2 errors generated.
make[2]: *** [sandbox.o] Error 1

There is no “setresgid" function in macOS.

It should be defined in <unistd.h>, but doesn’t appear there.

It appears to be a GNU/Linux function (which FreeBSD also implements).

Marius
--
Marius Schamschula

[SSHGuard-users] SSHGuard 2.5.0 release announcement

[Kevin Z. <kev...@gm...>]

Dear SSHGuard users,

SSHGuard 2.5.0 is now available. Changes in this release:

**Added**

- Add attack signatures for Proxmox VE
- Update signatures for:
   - Cyrus
   - Exim
   - OpenSSH
   - Postfix
- Add option to write Prometheus-compatible metrics
- Add option to change sandboxable-processes to an unprivileged user

**Changed**

- Any HTTP 401 response is now recognized as an attack
- Code improvements in in log banner and web (CLF) parsers. If there are
   regressions, please file a bug report with example attacks so that
   they can be added to our tests.

**Fixed**

- Fix configure issues when the shell is not bash
- Fix false positives in web (CLF) log detection with "mail" in the
   request

Source tarballs for this release can be found on SourceForge:

https://sourceforge.net/projects/sshguard/files/sshguard/2.5.0/

Regards,
Kevin

Re: [SSHGuard-users] sshguard 2.5.0 release candidate

[Kevin B. <kev...@gm...>]

On 2025/03/20 10:00, Kevin Buckley wrote:
> 
>> Regarding initgroups(): it seems like on BSD this is available in
>> unistd.h, but on Linux it requires sys/types.h and grp.h. Could you test
>> that this fixes the problem?
>> 
>> Regarding asprintf(): This apparently requires defining the feature test
>> macro _GNU_SOURCE on Linux. Could you confirm that defining this fixes
>> the warning, and also doesn't break things?
> 
> ISTRT that _GNU_SOURCE macro has been added in, for some other
> compatability, in other source files.
> 
> I'll take a look at the remaining two and get back to you.

For the second one, I can confirm that this diff
(which is similar to an old GGC5 patch against src/blocker/sshguard_whitelist.c)


diff --git a/src/common/metrics.c b/src/common/metrics.c
index c2c854d..524eda4 100644
--- a/src/common/metrics.c
+++ b/src/common/metrics.c
@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
  #include <assert.h>
  #include <signal.h>
  #include <stdbool.h>


does defeat the asprintf() warning.


For the first one, just adding in "grp.h" seemed to defeat
the initgroups() warning.

FWIW, I tried adding "sys/types.h" on its own first and that
didn't defeat the warning.


Note that the following diff includes changes from your
recently supplied patch as well as the "grp.h" inclusion.


diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 06853fe..a505831 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -1,6 +1,10 @@
  #include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
  #include <syslog.h>
+#include <time.h>
  #include <unistd.h>
+#include <grp.h>
  #include <pwd.h>
  #include "sandbox.h"
  

HTH,
Another Kevin