sshguard-users Mailing List for SSHGuard (Page 42)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi all,
todays messages:
Nov 27 23:31:25 server sshguard[25526]: Releasing  after 450 seconds.
Nov 27 23:31:25 server sshguard[25526]: Setting environment:
SSHG_ADDR=SSHG_ADDR=<E8>~a^GL^?;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Nov 27 23:31:25 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in
4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
/sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac":
exited 2.
Nov 27 23:31:25 server sshguard[25526]: Release command failed. Exited: -1

Other strange messages:
Nov 27 23:34:16 server sshguard[25526]: Releasing  after 621 seconds.
Nov 27 23:34:16 server sshguard[25526]: Setting environment:
SSHG_ADDR=0;SSHG_ADDRKIND=0;SSHG_SERVICE=0.
Nov 27 23:34:16 server sshguard[25526]: Run command "case $SSHG_ADDRKIND in
4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
/sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac":
exited 2.
Nov 27 23:34:16 server sshguard[25526]: Release command failed. Exited: -1

Both examples are for rules removal. There are no messages for
corresponding iptables inserts.

I do see some strange users as inputs.
"Failed password for invalid user rock123\r"

Could be that message strings are not handled appropriately and specially
crafted user accounts lead to unexpected results. Could anybody have a look
on that?

sshguard 1.4-2
syslog-ng 3.1.3-3

-- 
Peter Viskup

On Fri, Nov 14, 2014 at 9:09 PM, Peter Viskup <sku...@gm...> wrote:

> Hi Kevin,
> thanks for quick reply. Running syslog-ng version 3.1.3-3.
>
> filter sshlogs { facility(auth, authpriv) and not match("sshguard"
> value("MESSAGE")); };
> destination sshguardproc {
>         program("/usr/sbin/sshguard -w <some_IP>/24"
> log { source(s_src); filter(sshlogs); destination(sshguardproc); };
>
> No other [white,black]listing.
>
>
> On Fri, Nov 14, 2014 at 9:02 PM, Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Peter,
>>
>> On 11/14/2014 13:51, Peter Viskup wrote:
>> > anybody seeing/saw similar messages? Once this occur the SSH isn't
>> > accessible at least our Zabbix monitoring reporting that.
>> >
>> > Jun  4 21:31:43 server sshguard[8003]: Releasing <B0><EB><C0>^A after
>> 1372366479 seconds.
>> > Jun  4 21:31:43 server sshguard[8003]: Setting environment:
>> SSHG_ADDR=4;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
>> > Jun  4 21:31:43 server sshguard[8003]: Run command "case $SSHG_ADDRKIND
>> in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;;
>> >  6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit
>> -2 ;; esac": exited 1.
>> > Jun  4 21:31:43 server sshguard[8003]: Release command failed. Exited:
>> -1
>>
>> This sounds like SSHGuard picking up some invalid IP addresses and
>> passing them on. Are you using Log Sucker or syslog?
>>
>> Additionally, something could have been happening with the blacklist
>> database. What whitelist/blacklist settings are you using?
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>>
>> ------------------------------------------------------------------------------
>> Comprehensive Server Monitoring with Site24x7.
>> Monitor 10 servers for $9/Month.
>> Get alerted through email, SMS, voice calls or mobile push notifications.
>> Take corrective actions from your mobile device.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>
>

2007	Jan	Feb	Mar (10)	Apr (7)	May (6)	Jun (13)	Jul (4)	Aug	Sep	Oct (17)	Nov (5)	Dec (4)
2008	Jan (2)	Feb	Mar	Apr (4)	May (2)	Jun (7)	Jul (10)	Aug (4)	Sep (14)	Oct	Nov (1)	Dec (7)
2009	Jan (17)	Feb (20)	Mar (11)	Apr (14)	May (8)	Jun (3)	Jul (22)	Aug (9)	Sep (8)	Oct (6)	Nov (4)	Dec (8)
2010	Jan (17)	Feb (9)	Mar (15)	Apr (24)	May (14)	Jun (1)	Jul (21)	Aug (6)	Sep (2)	Oct (2)	Nov (6)	Dec (9)
2011	Jan (11)	Feb (1)	Mar (3)	Apr (4)	May	Jun	Jul (2)	Aug (3)	Sep (2)	Oct (29)	Nov (1)	Dec (1)
2012	Jan (1)	Feb (1)	Mar	Apr (13)	May (4)	Jun (9)	Jul (2)	Aug (2)	Sep (1)	Oct (2)	Nov (11)	Dec (4)
2013	Jan (2)	Feb (2)	Mar (4)	Apr (13)	May (4)	Jun	Jul	Aug (1)	Sep (5)	Oct (3)	Nov (1)	Dec (3)
2014	Jan	Feb (3)	Mar (3)	Apr (6)	May (8)	Jun	Jul	Aug (1)	Sep (1)	Oct (3)	Nov (14)	Dec (8)
2015	Jan (16)	Feb (30)	Mar (20)	Apr (5)	May (33)	Jun (11)	Jul (15)	Aug (91)	Sep (23)	Oct (10)	Nov (7)	Dec (9)
2016	Jan (22)	Feb (8)	Mar (6)	Apr (23)	May (38)	Jun (29)	Jul (43)	Aug (43)	Sep (18)	Oct (8)	Nov (2)	Dec (25)
2017	Jan (38)	Feb (3)	Mar (1)	Apr	May (18)	Jun (2)	Jul (16)	Aug (2)	Sep	Oct (1)	Nov (4)	Dec (14)
2018	Jan (15)	Feb (2)	Mar (3)	Apr (5)	May (8)	Jun (12)	Jul (19)	Aug (16)	Sep (8)	Oct (13)	Nov (15)	Dec (10)
2019	Jan (9)	Feb (3)	Mar	Apr (2)	May	Jun (1)	Jul	Aug (5)	Sep (5)	Oct (12)	Nov (4)	Dec
2020	Jan (2)	Feb (6)	Mar	Apr	May (11)	Jun (1)	Jul (3)	Aug (22)	Sep (8)	Oct	Nov (2)	Dec
2021	Jan (7)	Feb	Mar (19)	Apr	May (10)	Jun (5)	Jul (7)	Aug (3)	Sep (1)	Oct	Nov (10)	Dec (4)
2022	Jan (17)	Feb	Mar (7)	Apr (3)	May	Jun (1)	Jul (3)	Aug	Sep	Oct (6)	Nov	Dec
2023	Jan	Feb (5)	Mar (1)	Apr (3)	May	Jun (3)	Jul (2)	Aug	Sep	Oct	Nov (6)	Dec
2024	Jan	Feb	Mar	Apr	May (3)	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar (15)	Apr (8)	May (10)	Jun	Jul	Aug	Sep	Oct	Nov	Dec

sshguard-users Mailing List for SSHGuard (Page 42)

Intelligently block brute-force attacks by aggregating system logs

sshguard-users — User questions and answers, bugs, and general support