sshguard-users — User questions and answers, bugs, and general support

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

> Your backtrace seems intresting. sshguard seems waiting while performing process authentication.
> Procauth has been there for long and should be stable. Can you please try to temporary disable
> the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
> insight.
>

I'm running sshguard with these options, with the SSHGUARD_DEBUG variable set:

# sshguard -l /var/log/auth.log -b
/usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist

I've had it running for 24hr and its still running now.  There have
been two intruders blocked over this time (there seem to be much fewer
attempted logins lately!).  I think that's fixed it.

Unfortunately no sshguard activity appears in my syslog - this feature
seems to have disappeared in recent versions of the software.  It
seems to be necessary to set the SSHGUARD_DEBUG variable, which gives
an extremely verbose debug output.  I think that this has led to my
not realising that sshguard was not working for many months before
this problem cropped up.  Is it possible to enable logging to syslog -
or to another log file?

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

this should be fixed in r192


On Apr 14, 2010, at 03:51 , Robert S wrote:

> Thanks.
> 
> This seems to be an intermittent problem and can be difficult to
> reproduce.  It usually starts some time after I have invoked the
> sshguard command.
> 
> I am running sshguard in a screen session:
> 
> # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f
> 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
> /etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log
> 
> After a while, the logging seems to stop happening:

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

Hey robert

Your backtrace seems intresting. sshguard seems waiting while performing process authentication.
Procauth has been there for long and should be stable. Can you please try to temporary disable
the "-f 100:/var/run/sshd.pid" and observe if you still get that? The outcome will confirm/falsify the
insight.

michele


On Apr 14, 2010, at 03:51 , Robert S wrote:

> Thanks.
> 
> This seems to be an intermittent problem and can be difficult to
> reproduce.  It usually starts some time after I have invoked the
> sshguard command.
> 
> I am running sshguard in a screen session:
> 
> # export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f
> 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
> /etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log
> 
> After a while, the logging seems to stop happening:
> 
> Reading a token: --accepting rule at line 133 (" not allowed because
> none of user's groups are listed in AllowGroups")
> Next token is token SSH_NOTALLOWEDSUFF ()
> Shifting token SSH_NOTALLOWEDSUFF ()
> Entering state 71
> Reducing stack by rule 32 (line 275):
>   $1 = token SSH_NOTALLOWEDPREF ()
>   $2 = nterm addr ()
>   $3 = token SSH_NOTALLOWEDSUFF ()
> -> $$ = nterm ssh_illegaluser ()
> Stack now 0 1
> Entering state 31
> Reducing stack by rule 26 (line 263):
>   $1 = nterm ssh_illegaluser ()
> -> $$ = nterm sshmsg ()
> Stack now 0 1
> Entering state 30
> Reducing stack by rule 11 (line 169):
>   $1 = nterm sshmsg ()
> -> $$ = nterm msg_single ()
> Stack now 0 1
> Entering state 28
> Reducing stack by rule 9 (line 163):
>   $1 = nterm msg_single ()
> -> $$ = nterm logmsg ()
> Stack now 0 1
> Entering state 46
> Reducing stack by rule 5 (line 138):
>   $1 = token SYSLOG_BANNER_PID ()
>   $2 = nterm logmsg ()
> 
> < nothing happens from here on even if I try to log in again using ssh >
> 
> If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing
> happens to the log output.
> 
> "top" does not reveal excess use of CPU.
> 
> Here is lsof output
> 
> # lsof |grep sshguard
> sshguard  6376       root  cwd       DIR                3,6      4096
>   735903 /root
> sshguard  6376       root  rtd       DIR                3,6      4096
>        2 /
> sshguard  6376       root  txt       REG                3,6    371826
>   757808 /root/sshguard/sshguard
> sshguard  6376       root  mem       REG                3,6   1399984
>   654712 /lib/libc-2.10.1.so
> sshguard  6376       root  mem       REG                3,6    137284
>   654892 /lib/libpthread-2.10.1.so
> sshguard  6376       root  mem       REG                3,6    123168
>   654880 /lib/ld-2.10.1.so
> sshguard  6376       root    0u      CHR              136,1       0t0
>        4 /dev/pts/1
> sshguard  6376       root    1w     FIFO                0,5       0t0
>    11866 pipe
> sshguard  6376       root    2w     FIFO                0,5       0t0
>    11866 pipe
> sshguard  6376       root    3r      REG                3,8    141517
>    31962 /var/log/auth.log
> sshguard  6376       root    4r     FIFO                0,5       0t0
>    14686 pipe
> sshguard  6376       root    5w     FIFO                0,5       0t0
>    14686 pipe
> tee       6377       root    3w      REG                3,6     37094
>   703149 /tmp/sshguard.log
> 
> Here is the ps and gdb output:
> 
> # ps ax |grep sshguard
> 6376 pts/1    Sl+    0:00 sshguard/sshguard -l /var/log/auth.log -f
> 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
> /etc/sshguard.whitelist
> 6377 pts/1    S+     0:00 tee /tmp/sshguard.log
> 6754 pts/0    R+     0:00 grep --colour=auto sshguard
> 
> # gdb
> warning: Can not parse XML syscalls information; XML support was
> disabled at compile time.
> GNU gdb (Gentoo 7.0 p2) 7.0
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-pc-linux-gnu".
> For bug reporting instructions, please see:
> <http://bugs.gentoo.org/>.
> (gdb) attach 6376
> Attaching to process 6376
> Reading symbols from /root/sshguard/sshguard...done.
> Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
> [Thread debugging using libthread_db enabled]
> [New Thread 0x7f997084d910 (LWP 6380)]
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging
> symbols found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> 0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
> (gdb) break
> Breakpoint 1 at 0x7f9970bb593f
> (gdb) backtrace full
> #0  0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
> No symbol table info available.
> #1  0x0000000000403e56 in procauth_ischildof (service_code=<value
> optimized out>, pid=6453) at sshguard_procauth.c:210
>        retA = <value optimized out>
>        pidA = <value optimized out>
>        ps2grep = {4, 5}
>        pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
>        retB = <value optimized out>
>        pidB = <value optimized out>
> #2  procauth_isauthoritative (service_code=<value optimized out>,
> pid=6453) at sshguard_procauth.c:138
> No locals.
> #3  0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
>        yystate = <value optimized out>
>        yyn = 0
>        yyresult = <value optimized out>
>        yyerrstatus = 0
>        yytoken = 16
>        yyssa = {0, 1, 46, 53, 71, 28811, 32665, 0, 1, 0, 1, 0, 6240,
> 28858, 32665, 0, 6240, 28858, 32665, 0, 1, 0, 0, 0, 6371, 28858,
> 32665, 0, -11334, 28811,
>          32665, 0, -7336, 28925, 32665, 0, 1, 0, 0, 0, 6240, 28858,
> 32665, 0, 10, 0, 0, 0, 1024, 0, 0, 0, -10507, 28811, 32665, 0, 6240,
> 28858, 32665, 0, -8081,
>          28811, 32665, 0, 6240, 28858, 32665, 0, 10, 0, 0, 0, 24, 0,
> 0, 0, -2176, 14210, 32767, 0, -2384, 14210, 32767, 0, 24032, 101, 0,
> 0, -2368, 14210, 32767, 0,
>          14856, 64, 0, 0, -30720, 0, 0, 0, -2096, 14210, 32767, 0,
> -2336, 14210, 32767, 0, 29248, 99, 5, 0, 28384, 102, 0, 0, 32, 0, 0,
> 0, 24032, 101, 0, 0, 19547,
>          28859, 32665, 0, 4196, 28858, 32665, 0, 72, 0, 0, 0, 11872,
> 28858, 32665, 0, 20026, 64, 0, 0, 776, 0, 0, 0, 31962, 0, 0, 0, 192,
> 0, 0, 0, 138, 0, 0, 0, 0,
>          0, 0, 0, 19561, 28859, 32665, 0, 0, 0, 0, 0, 11872, 28858,
> 32665, 0, -14704, 99, 0, 0, 72, 0, 0, 0, 138, 0, 0, 0, -960, 14210,
> 32767, 0, -23664, 100, 0, 0,
>          25386, 28812, 32665, 0}
>        yyss = 0x7fff3782f600
>        yyssp = 0x7fff3782f604
>        yyvsa = {{str = 0x0, num = 0}, {str = 0x1935 <Address 0x1935
> out of bounds>, num = 6453}, {str = 0x1935 <Address 0x1935 out of
> bounds>, num = 6453}, {
>            str = 0x638280 " not allowed because none of user's groups
> are listed in AllowGroups", num = 6521472}, {
>            str = 0x638280 " not allowed because none of user's groups
> are listed in AllowGroups", num = 6521472}, {str = 0x7f9970ba2e60 "",
> num = 1891249760}, {
>            str = 0x0, num = 0}, {str = 0x4 <Address 0x4 out of
> bounds>, num = 4}, {str = 0x63cc00 "\020pf", num = 6540288}, {
>            str = 0x2d50 <Address 0x2d50 out of bounds>, num = 11600},
> {str = 0x2b <Address 0x2b out of bounds>, num = 43}, {
>            str = 0x112 <Address 0x112 out of bounds>, num = 274},
> {str = 0x7fff3782f039 "\003", num = 931328057}, {str = 0x7fff3782f001
> "\314c", num = 931328001}, {
>            str = 0x3f0 <Address 0x3f0 out of bounds>, num = 1008},
> {str = 0x3c8 <Address 0x3c8 out of bounds>, num = 968}, {str = 0x0,
> num = 0}, {
>            str = 0x7fff3782ef30 "\004", num = 931327792}, {str =
> 0x666fe0 "", num = 6713312}, {str = 0x2708f8e03 <Address 0x2708f8e03
> out of bounds>,
>            num = 1888456195}, {str = 0x3782f0a0 <Address 0x3782f0a0
> out of bounds>, num = 931328160}, {str = 0x70ba2e60 <Address
> 0x70ba2e60 out of bounds>,
>            num = 1891249760}, {str = 0x0, num = 0}, {str =
> 0x3d0063f988 <Address 0x3d0063f988 out of bounds>, num = 6551944},
> {str = 0x7fff3782f7ac "",
>            num = 931329964}, {str = 0x7f9970ba2e60 "", num =
> 1891249760}, {str = 0x50 <Address 0x50 out of bounds>, num = 80}, {
>            str = 0x48 <Address 0x48 out of bounds>, num = 72}, {str =
> 0x63f930 "\340of", num = 6551856}, {str = 0x63dd70 " \340c", num =
> 6544752}, {
>            str = 0x63fa48 "", num = 6552136}, {str = 0x7f99708c632a
> "H\205\300H\211\305\017\204\232", num = 1888248618}, {str = 0x63cc00
> "\020pf", num = 6540288}, {
>            str = 0x63dd70 " \340c", num = 6544752}, {str = 0x0, num =
> 0}, {str = 0x300000000 <Address 0x300000000 out of bounds>, num = 0},
> {
>            str = 0x63f930 "\340of", num = 6551856}, {str =
> 0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
>            str = 0x63d1c8 "al/var/sshguard/blacklist.db", num =
> 6541768}, {str = 0x7fff3782f130 "\377\377\377\377", num = 931328304},
> {str = 0x0, num = 0}, {
>            str = 0x63dd70 " \340c", num = 6544752}, {str = 0x63d248
> "", num = 6541896}, {str = 0x3 <Address 0x3 out of bounds>, num = 3},
> {str = 0x63d208 "",
>            num = 6541832}, {str = 0xffffffff <Address 0xffffffff out
> of bounds>, num = -1}, {str = 0x7f99708f6eb0
> "H\203\304\030\303ff.\017\037\204",
>            num = 1888448176}, {str = 0x1 <Address 0x1 out of bounds>,
> num = 1}, {str = 0x63d110 "", num = 6541584}, {
>            str = 0xffffffff <Address 0xffffffff out of bounds>, num = -1}, {
>            str = 0x7f99709029ac
> "I\211\304\061\300M\205\344\017\224\300\351\024\376\377\377\061\355H\213\224$\200",
> num = 1888496044}, {
>            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
> 0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
> ---Type <return> to continue, or q <return> to quit---
>            str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str =
> 0x63cc00 "\020pf", num = 6540288}, {str = 0x12b0 <Address 0x12b0 out
> of bounds>, num = 4784}, {
>            str = 0x7fff3782f2e0 "\024", num = 931328736}, {str =
> 0xfffffffe00000004 <Address 0xfffffffe00000004 out of bounds>, num =
> 4}, {str = 0x7fff3782f32c "",
>            num = 931328812}, {str = 0x7fff3782f210 "", num =
> 931328528}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
> 0x7fff3782f300 "", num = 931328768}, {
>            str = 0x7fff3782f2b0 "0\302\202\067\377\177", num =
> 931328688}, {str = 0x0, num = 0}, {str = 0x7fff3782f7ac "", num =
> 931329964}, {
>            str = 0x3b2fc <Address 0x3b2fc out of bounds>, num =
> 242428}, {str = 0x7fff3782f790 "\210", num = 931329936}, {str =
> 0x7fff3782f720 "\b\003",
>            num = 931329824}, {str = 0x0, num = 0}, {str = 0x2
> <Address 0x2 out of bounds>, num = 2}, {
>            str = 0x7f99708a1a8f
> "\351\357\362\377\377L\211\322H\213\005\022K0", num = 1888098959},
> {str = 0x0, num = 0}, {str = 0x7fff3782f610 "\001",
>            num = 931329552}, {str = 0x1 <Address 0x1 out of bounds>,
> num = 1}, {str = 0x0, num = 0}, {str = 0x7fff3782f4db "", num =
> 931329243}, {
>            str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
> 1888477740}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
> 931329264}, {
>            str = 0x7fff3782f330 "", num = 931328816}, {str =
> 0x7fff3782f310 "", num = 931328784}, {str = 0x7fff3782f2f0 "", num =
> 931328752}, {
>            str = 0x7fff3782f38c "\231\177", num = 931328908}, {str =
> 0x7fff3782f370 "\002", num = 931328880}, {str = 0x7fff3782f350 "", num
> = 931328848}, {
>            str = 0x7fff3782d230 "", num = 931320368}, {str = 0x64abe0
> "p}d", num = 6597600}, {str = 0x63dd70 " \340c", num = 6544752}, {str
> = 0x0, num = 0}, {
>            str = 0x7fff3782c1f0 "Пd", num = 931316208}, {str =
> 0x7fff3782c200 "\260\240d", num = 931316224}, {str = 0x7fff3782c210
> "\340\241d", num = 931316240}, {
>            str = 0x7fff3782c230 "\002", num = 931316272}, {str =
> 0x33782f5c0 <Address 0x33782f5c0 out of bounds>, num = 931329472},
> {str = 0x63c440 "\220\324c",
>            num = 6538304}, {str = 0x570ba2e60 <Address 0x570ba2e60
> out of bounds>, num = 1891249760}, {str = 0x0, num = 0}, {str = 0x0,
> num = 0}, {
>            str = 0x14 <Address 0x14 out of bounds>, num = 20}, {str =
> 0x2 <Address 0x2 out of bounds>, num = 2}, {
>            str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
> bounds>, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
> 0x0, num = 0}, {
>            str = 0x0, num = 0}, {str = 0x7fffffe07fffffe <Address
> 0x7fffffe07fffffe out of bounds>, num = 134217726}, {str = 0x0, num =
> 0}, {str = 0x0, num = 0}, {
>            str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num
> = 0}, {str = 0x0, num = 0}, {
>            str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
> bounds>, num = 0}, {str = 0x7f9970dcbdb3
> "\205\300t\016\213C\f\205\300\017\204\276",
>            num = 1893514675}, {str = 0x0, num = 0}, {str =
> 0x7f9970fb8060 "\030\333\375p\231\177", num = 1895530592}, {str = 0x2
> <Address 0x2 out of bounds>,
>            num = 2}, {str = 0x4 <Address 0x4 out of bounds>, num =
> 4}, {str = 0xb1b73c55 <Address 0xb1b73c55 out of bounds>, num =
> -1313391531}, {
>            str = 0x7f9970dcc274
> "H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
> num = 1893515892}, {
>            str = 0x7f9970850328
> "U<\267\261}\367i\354\036\274y\207!\246>\030\203\217
> \241\065'\230\312\364\027S\037\300\201\006\222\r~o\377\025\233z̗\344\020\234\344\353\362\261\222\022\260\210\337\317GF\237\006i\354\250\063\262\aEpN\375چ\375\"\321_9\017\026ϝ|\260JEK\255\350ۻ\272\206\370_\025-\313\023\204aw\375\336\266B\177\n\005\361ո+k\025\347\225
> ", num = 1887765288}, {str = 0x7fff00000015 <Address 0x7fff00000015
> out of bounds>, num = 21}, {
>            str = 0x2c6dcf1 <Address 0x2c6dcf1 out of bounds>, num =
> 46587121}, {str = 0x7fff3782f3c0 "", num = 931328960}, {
>            str = 0x7fff3782f518 "`\200\373p\231\177", num =
> 931329304}, {str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
> 1888477740}, {str = 0x0, num = 0}, {
>            str = 0x7fff3782f4b0 "", num = 931329200}, {str =
> 0x7fff3782f490 "`\030\272p\231\177", num = 931329168}, {str =
> 0x7fff3782f470 "`\030\272p\231\177",
>            num = 931329136}, {str = 0x7fff3782f50c "\231\177", num =
> 931329292}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
> 931329264}, {
>            str = 0x7fff3782f4d0 "\001", num = 931329232}, {str =
> 0x7fff3782d3b0 "", num = 931320752}, {str = 0x66e130 "\320\343f", num
> = 6742320}, {
>            str = 0x63b350 "\360me", num = 6533968}, {str =
> 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, num = 0}, {str
> = 0x7fff3782c380 "\340\343f",
>            num = 931316608}, {str = 0x7fff3782c388 "\340\343f", num =
> 931316616}, {str = 0x7fff3782c390 "\340\343f", num = 931316624}, {str
> = 0x7fff3782c3b0 "\001",
>            num = 931316656}, {str = 0x170ba1860 <Address 0x170ba1860
> out of bounds>, num = 1891244128}, {str = 0x63b860 ".", num =
> 6535264}, {
>            str = 0x400000001 <Address 0x400000001 out of bounds>, num
> = 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, {
>            str = 0x7f99708bd3ba "H\211\305\017\267\203\200", num =
> 1888211898}, {str = 0x10 <Address 0x10 out of bounds>, num = 16}, {
>            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
> 0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num =
> 1891244128}, {
>            str = 0xa <Address 0xa out of bounds>, num = 10}, {str =
> 0x400 <Address 0x400 out of bounds>, num = 1024}, {
>            str = 0x7f99708bd6f5
> "H9غ\377\377\377\377t\352\220\353\351fffff.\017\037\204", num =
> 1888212725}, {
>            str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
> \373>, num = 1891244128}, {
>            str = 0x7f99708be06f
> "\203\300\001\017\205Y\377\377\377\270\377\377\377\377\351S\377\377\377f\017\037D",
> num = 1888215151}, {
>            str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
> \373>, num = 1891244128}, {str = 0xa <Address 0xa out of bounds>, num
> = 10}, {str = 0x0, num = 0},
>          {str = 0x7f9970dcbdb3
> "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
> 0x0, num = 0}, {str = 0x7f9970fb8058 "X\326\375p\231\177",
>            num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>,
> num = 1}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {
>            str = 0x7c9d4d41 <Address 0x7c9d4d41 out of bounds>, num =
> 2090683713}, {str = 0x7f9970dcbdb3
> "\205\300t\016\213C\f\205\300\017\204\276",
>            num = 1893514675}, {
>            str = 0x7f9970ba7c9c
> "AM\235|\265\351Z\361\321a\362\025\207zR\310SAM\266Q\265\250\020ٱy\227\341ڑ&\227\312\066\233m\232\277\327\215G\342)\313#\301\342\347R\222j8\265\357\060\071\265\357\060\355\256\204ͱ\246JdU\006j\354\233\017\070\001\271|\315\027\tC\351\034]\300\t>\211\307\334\310\357\361\337z\366\060\254\062\367\060\---Type
> <return> to continue, or q <return> to quit---
> 254\062\065", num = 1891269788}, {str = 0x7f9970fb8058
> "X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out
> of bounds>, num = 1}, {
>            str = 0x7f9970dcbdb3
> "\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
> 0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660},
>          {str = 0x7f9970fb8060 "\030\333\375p\231\177", num =
> 1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str =
> 0x4 <Address 0x4 out of bounds>,
>            num = 4}, {str = 0x3de00ec7 <Address 0x3de00ec7 out of
> bounds>, num = 1038094023}, {
>            str = 0x7f9970dcc274
> "H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
> num = 1893515892}, {
>            str = 0x7f99708501ec
> "\307\016\340=i\177\200&\022\226\370\022\341X\037\304m\354\305\362\202\254l\001MW\211[e\345-\017\364\347\313\016\341\201/\177L־\314\352\033h\236\361\274\017\257f\177\023\376&W3\354\262\314\356Ei\344u\017P\230;\017\347+6\325\004y\247\025d\001\003\v\264\270#\375ˁ\"\b|\355\021\017gUa\020։+\243߅\351v\371\274\017\257\276\206\357\016\260\275\204
> \301\256\020ia", <incomplete sequence \333>, num = 1887764972}, {
>            str = 0x7f9900000007 <Address 0x7f9900000007 out of
> bounds>, num = 7}, {str = 0xf7803b <Address 0xf7803b out of bounds>,
> num = 16220219}, {
>            str = 0x7fff3782f570 "", num = 931329392}, {str =
> 0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, {str =
> 0x7f9970851c10 "",
>            num = 1887771664}, {str = 0x0, num = 0}, {str =
> 0x7f9970fb80a0 "\355\020@", num = 1895530656}, {str = 0x7f9970fddb18
> "", num = 1895684888}, {
>            str = 0x400f08 "realloc", num = 4198152}, {str =
> 0x7f997085e558 "", num = 1887823192}, {str = 0x400c68 "P\001", num =
> 4197480}, {
>            str = 0x500000000 <Address 0x500000000 out of bounds>, num
> = 0}, {str = 0x1000001db <Address 0x1000001db out of bounds>, num =
> 475}, {
>            str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num =
> 258797660}, {str = 0x7f9970fde358 "\270\342\375p\231\177", num =
> 1895687000}, {
>            str = 0x7fff3782f700 "d\020\272p\231\177", num =
> 931329792}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num =
> 931329736}, {
>            str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num =
> 1038094023}, {
>            str = 0x7f9970911889
> "H\213D$\bH\203\304(H=\001\360\377\377s\001\303H\213\r\006\367(", num
> = 1888557193}, {str = 0x0, num = 0}, {
>            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
> 0x7f9970ba18e3 "\n", num = 1891244259}, {str = 0x1 <Address 0x1 out of
> bounds>, num = 1}}
>        yyvs = 0x7fff3782efc0
>        yyvsp = 0x7fff3782efd0
>        yystacksize = 200
>        yyval = <value optimized out>
>        yylen = 2
> #4  0x00000000004082e1 in parse_line (source_id=-194048594, str=<value
> optimized out>) at attack_parser.y:379
>        ret = <value optimized out>
> #5  0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
>        tid = 140296994478352
>        retv = <value optimized out>
>        source_id = 4100918702
>        buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from
> 122.227.43.37 not allowed because none of user's groups are listed in
> AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000
> \371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...
> 
> 
> HTH ;-)
> 
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] startup

[Mikhail L. <sva...@gm...>]

Hello,

I downloaded and installed sshguard v.1.5.  on Ubuntu 9.10.  It runs fine
when I start it manually e.g.,

sudo sshguard -l /var/log/auth.log

Can you please tell me the best way to start it automatically using Log
Sucker?  An example of an init.d script?

Thank you

Re: [Sshguard-users] Cannot Download SSHguard, FreeBSD Ports

[Mij <mi...@ss...>]

I don't know why Freshmeat defaulted to "Debian package" as download resource.
I set it to Tar/BZ2. Thanks for reporting.


On Apr 20, 2010, at 16:49 , Peter Beckman wrote:

> I updated my FreeBSD ports tree this morning only to find that sshguard is
> still sitting at v1.4 there, so I hit the sshguard site to download the
> 1.5rc2.  Took me to freshmeat, where there is a download link, and that
> took me to http://packages.debian.org/lenny/sshguard which said:
> 
>     "Error: Package not available in this suite."
> 
> Well that sucks!  How should I download it?
> 
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> be...@an...                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] Cannot Download SSHguard, FreeBSD Ports

[Peter B. <be...@an...>]

I updated my FreeBSD ports tree this morning only to find that sshguard is
still sitting at v1.4 there, so I hit the sshguard site to download the
1.5rc2.  Took me to freshmeat, where there is a download link, and that
took me to http://packages.debian.org/lenny/sshguard which said:

     "Error: Package not available in this suite."

Well that sucks!  How should I download it?

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
be...@an...                                 http://www.angryox.com/
---------------------------------------------------------------------------

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

Thanks.

This seems to be an intermittent problem and can be difficult to
reproduce.  It usually starts some time after I have invoked the
sshguard command.

I am running sshguard in a screen session:

# export SSHGUARD_DEBUG=0; sshguard -l /var/log/auth.log -f
100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist 2>&1 tee /tmp/sshguard.log

After a while, the logging seems to stop happening:

Reading a token: --accepting rule at line 133 (" not allowed because
none of user's groups are listed in AllowGroups")
Next token is token SSH_NOTALLOWEDSUFF ()
Shifting token SSH_NOTALLOWEDSUFF ()
Entering state 71
Reducing stack by rule 32 (line 275):
   $1 = token SSH_NOTALLOWEDPREF ()
   $2 = nterm addr ()
   $3 = token SSH_NOTALLOWEDSUFF ()
-> $$ = nterm ssh_illegaluser ()
Stack now 0 1
Entering state 31
Reducing stack by rule 26 (line 263):
   $1 = nterm ssh_illegaluser ()
-> $$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
   $1 = nterm sshmsg ()
-> $$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
   $1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
   $1 = token SYSLOG_BANNER_PID ()
   $2 = nterm logmsg ()

< nothing happens from here on even if I try to log in again using ssh >

If I enter killall -TSTP sshguard and killall -CONT sshguard, nothing
happens to the log output.

"top" does not reveal excess use of CPU.

Here is lsof output

 # lsof |grep sshguard
sshguard  6376       root  cwd       DIR                3,6      4096
   735903 /root
sshguard  6376       root  rtd       DIR                3,6      4096
        2 /
sshguard  6376       root  txt       REG                3,6    371826
   757808 /root/sshguard/sshguard
sshguard  6376       root  mem       REG                3,6   1399984
   654712 /lib/libc-2.10.1.so
sshguard  6376       root  mem       REG                3,6    137284
   654892 /lib/libpthread-2.10.1.so
sshguard  6376       root  mem       REG                3,6    123168
   654880 /lib/ld-2.10.1.so
sshguard  6376       root    0u      CHR              136,1       0t0
        4 /dev/pts/1
sshguard  6376       root    1w     FIFO                0,5       0t0
    11866 pipe
sshguard  6376       root    2w     FIFO                0,5       0t0
    11866 pipe
sshguard  6376       root    3r      REG                3,8    141517
    31962 /var/log/auth.log
sshguard  6376       root    4r     FIFO                0,5       0t0
    14686 pipe
sshguard  6376       root    5w     FIFO                0,5       0t0
    14686 pipe
tee       6377       root    3w      REG                3,6     37094
   703149 /tmp/sshguard.log

Here is the ps and gdb output:

 # ps ax |grep sshguard
 6376 pts/1    Sl+    0:00 sshguard/sshguard -l /var/log/auth.log -f
100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist
 6377 pts/1    S+     0:00 tee /tmp/sshguard.log
 6754 pts/0    R+     0:00 grep --colour=auto sshguard

# gdb
warning: Can not parse XML syscalls information; XML support was
disabled at compile time.
GNU gdb (Gentoo 7.0 p2) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
(gdb) attach 6376
Attaching to process 6376
Reading symbols from /root/sshguard/sshguard...done.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
[New Thread 0x7f997084d910 (LWP 6380)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
(gdb) break
Breakpoint 1 at 0x7f9970bb593f
(gdb) backtrace full
#0  0x00007f9970bb593f in waitpid () from /lib/libpthread.so.0
No symbol table info available.
#1  0x0000000000403e56 in procauth_ischildof (service_code=<value
optimized out>, pid=6453) at sshguard_procauth.c:210
        retA = <value optimized out>
        pidA = <value optimized out>
        ps2grep = {4, 5}
        pattern = "6453[[:space:]]+4547\000\177\000\000o\340\213p\231\177"
        retB = <value optimized out>
        pidB = <value optimized out>
#2  procauth_isauthoritative (service_code=<value optimized out>,
pid=6453) at sshguard_procauth.c:138
No locals.
#3  0x0000000000407f56 in yyparse (source_id=-194048594) at attack_parser.y:140
        yystate = <value optimized out>
        yyn = 0
        yyresult = <value optimized out>
        yyerrstatus = 0
        yytoken = 16
        yyssa = {0, 1, 46, 53, 71, 28811, 32665, 0, 1, 0, 1, 0, 6240,
28858, 32665, 0, 6240, 28858, 32665, 0, 1, 0, 0, 0, 6371, 28858,
32665, 0, -11334, 28811,
          32665, 0, -7336, 28925, 32665, 0, 1, 0, 0, 0, 6240, 28858,
32665, 0, 10, 0, 0, 0, 1024, 0, 0, 0, -10507, 28811, 32665, 0, 6240,
28858, 32665, 0, -8081,
          28811, 32665, 0, 6240, 28858, 32665, 0, 10, 0, 0, 0, 24, 0,
0, 0, -2176, 14210, 32767, 0, -2384, 14210, 32767, 0, 24032, 101, 0,
0, -2368, 14210, 32767, 0,
          14856, 64, 0, 0, -30720, 0, 0, 0, -2096, 14210, 32767, 0,
-2336, 14210, 32767, 0, 29248, 99, 5, 0, 28384, 102, 0, 0, 32, 0, 0,
0, 24032, 101, 0, 0, 19547,
          28859, 32665, 0, 4196, 28858, 32665, 0, 72, 0, 0, 0, 11872,
28858, 32665, 0, 20026, 64, 0, 0, 776, 0, 0, 0, 31962, 0, 0, 0, 192,
0, 0, 0, 138, 0, 0, 0, 0,
          0, 0, 0, 19561, 28859, 32665, 0, 0, 0, 0, 0, 11872, 28858,
32665, 0, -14704, 99, 0, 0, 72, 0, 0, 0, 138, 0, 0, 0, -960, 14210,
32767, 0, -23664, 100, 0, 0,
          25386, 28812, 32665, 0}
        yyss = 0x7fff3782f600
        yyssp = 0x7fff3782f604
        yyvsa = {{str = 0x0, num = 0}, {str = 0x1935 <Address 0x1935
out of bounds>, num = 6453}, {str = 0x1935 <Address 0x1935 out of
bounds>, num = 6453}, {
            str = 0x638280 " not allowed because none of user's groups
are listed in AllowGroups", num = 6521472}, {
            str = 0x638280 " not allowed because none of user's groups
are listed in AllowGroups", num = 6521472}, {str = 0x7f9970ba2e60 "",
num = 1891249760}, {
            str = 0x0, num = 0}, {str = 0x4 <Address 0x4 out of
bounds>, num = 4}, {str = 0x63cc00 "\020pf", num = 6540288}, {
            str = 0x2d50 <Address 0x2d50 out of bounds>, num = 11600},
{str = 0x2b <Address 0x2b out of bounds>, num = 43}, {
            str = 0x112 <Address 0x112 out of bounds>, num = 274},
{str = 0x7fff3782f039 "\003", num = 931328057}, {str = 0x7fff3782f001
"\314c", num = 931328001}, {
            str = 0x3f0 <Address 0x3f0 out of bounds>, num = 1008},
{str = 0x3c8 <Address 0x3c8 out of bounds>, num = 968}, {str = 0x0,
num = 0}, {
            str = 0x7fff3782ef30 "\004", num = 931327792}, {str =
0x666fe0 "", num = 6713312}, {str = 0x2708f8e03 <Address 0x2708f8e03
out of bounds>,
            num = 1888456195}, {str = 0x3782f0a0 <Address 0x3782f0a0
out of bounds>, num = 931328160}, {str = 0x70ba2e60 <Address
0x70ba2e60 out of bounds>,
            num = 1891249760}, {str = 0x0, num = 0}, {str =
0x3d0063f988 <Address 0x3d0063f988 out of bounds>, num = 6551944},
{str = 0x7fff3782f7ac "",
            num = 931329964}, {str = 0x7f9970ba2e60 "", num =
1891249760}, {str = 0x50 <Address 0x50 out of bounds>, num = 80}, {
            str = 0x48 <Address 0x48 out of bounds>, num = 72}, {str =
0x63f930 "\340of", num = 6551856}, {str = 0x63dd70 " \340c", num =
6544752}, {
            str = 0x63fa48 "", num = 6552136}, {str = 0x7f99708c632a
"H\205\300H\211\305\017\204\232", num = 1888248618}, {str = 0x63cc00
"\020pf", num = 6540288}, {
            str = 0x63dd70 " \340c", num = 6544752}, {str = 0x0, num =
0}, {str = 0x300000000 <Address 0x300000000 out of bounds>, num = 0},
{
            str = 0x63f930 "\340of", num = 6551856}, {str =
0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
            str = 0x63d1c8 "al/var/sshguard/blacklist.db", num =
6541768}, {str = 0x7fff3782f130 "\377\377\377\377", num = 931328304},
{str = 0x0, num = 0}, {
            str = 0x63dd70 " \340c", num = 6544752}, {str = 0x63d248
"", num = 6541896}, {str = 0x3 <Address 0x3 out of bounds>, num = 3},
{str = 0x63d208 "",
            num = 6541832}, {str = 0xffffffff <Address 0xffffffff out
of bounds>, num = -1}, {str = 0x7f99708f6eb0
"H\203\304\030\303ff.\017\037\204",
            num = 1888448176}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x63d110 "", num = 6541584}, {
            str = 0xffffffff <Address 0xffffffff out of bounds>, num = -1}, {
            str = 0x7f99709029ac
"I\211\304\061\300M\205\344\017\224\300\351\024\376\377\377\061\355H\213\224$\200",
num = 1888496044}, {
            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba2e60 "", num = 1891249760}, {str = 0x0, num = 0}, {
---Type <return> to continue, or q <return> to quit---
            str = 0x4 <Address 0x4 out of bounds>, num = 4}, {str =
0x63cc00 "\020pf", num = 6540288}, {str = 0x12b0 <Address 0x12b0 out
of bounds>, num = 4784}, {
            str = 0x7fff3782f2e0 "\024", num = 931328736}, {str =
0xfffffffe00000004 <Address 0xfffffffe00000004 out of bounds>, num =
4}, {str = 0x7fff3782f32c "",
            num = 931328812}, {str = 0x7fff3782f210 "", num =
931328528}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
0x7fff3782f300 "", num = 931328768}, {
            str = 0x7fff3782f2b0 "0\302\202\067\377\177", num =
931328688}, {str = 0x0, num = 0}, {str = 0x7fff3782f7ac "", num =
931329964}, {
            str = 0x3b2fc <Address 0x3b2fc out of bounds>, num =
242428}, {str = 0x7fff3782f790 "\210", num = 931329936}, {str =
0x7fff3782f720 "\b\003",
            num = 931329824}, {str = 0x0, num = 0}, {str = 0x2
<Address 0x2 out of bounds>, num = 2}, {
            str = 0x7f99708a1a8f
"\351\357\362\377\377L\211\322H\213\005\022K0", num = 1888098959},
{str = 0x0, num = 0}, {str = 0x7fff3782f610 "\001",
            num = 931329552}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x0, num = 0}, {str = 0x7fff3782f4db "", num =
931329243}, {
            str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
1888477740}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
931329264}, {
            str = 0x7fff3782f330 "", num = 931328816}, {str =
0x7fff3782f310 "", num = 931328784}, {str = 0x7fff3782f2f0 "", num =
931328752}, {
            str = 0x7fff3782f38c "\231\177", num = 931328908}, {str =
0x7fff3782f370 "\002", num = 931328880}, {str = 0x7fff3782f350 "", num
= 931328848}, {
            str = 0x7fff3782d230 "", num = 931320368}, {str = 0x64abe0
"p}d", num = 6597600}, {str = 0x63dd70 " \340c", num = 6544752}, {str
= 0x0, num = 0}, {
            str = 0x7fff3782c1f0 "Пd", num = 931316208}, {str =
0x7fff3782c200 "\260\240d", num = 931316224}, {str = 0x7fff3782c210
"\340\241d", num = 931316240}, {
            str = 0x7fff3782c230 "\002", num = 931316272}, {str =
0x33782f5c0 <Address 0x33782f5c0 out of bounds>, num = 931329472},
{str = 0x63c440 "\220\324c",
            num = 6538304}, {str = 0x570ba2e60 <Address 0x570ba2e60
out of bounds>, num = 1891249760}, {str = 0x0, num = 0}, {str = 0x0,
num = 0}, {
            str = 0x14 <Address 0x14 out of bounds>, num = 20}, {str =
0x2 <Address 0x2 out of bounds>, num = 2}, {
            str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
bounds>, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num = 0}, {str =
0x0, num = 0}, {
            str = 0x0, num = 0}, {str = 0x7fffffe07fffffe <Address
0x7fffffe07fffffe out of bounds>, num = 134217726}, {str = 0x0, num =
0}, {str = 0x0, num = 0}, {
            str = 0x0, num = 0}, {str = 0x0, num = 0}, {str = 0x0, num
= 0}, {str = 0x0, num = 0}, {
            str = 0x3ff200000000000 <Address 0x3ff200000000000 out of
bounds>, num = 0}, {str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276",
            num = 1893514675}, {str = 0x0, num = 0}, {str =
0x7f9970fb8060 "\030\333\375p\231\177", num = 1895530592}, {str = 0x2
<Address 0x2 out of bounds>,
            num = 2}, {str = 0x4 <Address 0x4 out of bounds>, num =
4}, {str = 0xb1b73c55 <Address 0xb1b73c55 out of bounds>, num =
-1313391531}, {
            str = 0x7f9970dcc274
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
num = 1893515892}, {
            str = 0x7f9970850328
"U<\267\261}\367i\354\036\274y\207!\246>\030\203\217
\241\065'\230\312\364\027S\037\300\201\006\222\r~o\377\025\233z̗\344\020\234\344\353\362\261\222\022\260\210\337\317GF\237\006i\354\250\063\262\aEpN\375چ\375\"\321_9\017\026ϝ|\260JEK\255\350ۻ\272\206\370_\025-\313\023\204aw\375\336\266B\177\n\005\361ո+k\025\347\225
", num = 1887765288}, {str = 0x7fff00000015 <Address 0x7fff00000015
out of bounds>, num = 21}, {
            str = 0x2c6dcf1 <Address 0x2c6dcf1 out of bounds>, num =
46587121}, {str = 0x7fff3782f3c0 "", num = 931328960}, {
            str = 0x7fff3782f518 "`\200\373p\231\177", num =
931329304}, {str = 0x7f99708fe22c "\205\300\017\205\330\006", num =
1888477740}, {str = 0x0, num = 0}, {
            str = 0x7fff3782f4b0 "", num = 931329200}, {str =
0x7fff3782f490 "`\030\272p\231\177", num = 931329168}, {str =
0x7fff3782f470 "`\030\272p\231\177",
            num = 931329136}, {str = 0x7fff3782f50c "\231\177", num =
931329292}, {str = 0x7fff3782f4f0 "\234|\272p\231\177", num =
931329264}, {
            str = 0x7fff3782f4d0 "\001", num = 931329232}, {str =
0x7fff3782d3b0 "", num = 931320752}, {str = 0x66e130 "\320\343f", num
= 6742320}, {
            str = 0x63b350 "\360me", num = 6533968}, {str =
0x7fff00000000 <Address 0x7fff00000000 out of bounds>, num = 0}, {str
= 0x7fff3782c380 "\340\343f",
            num = 931316608}, {str = 0x7fff3782c388 "\340\343f", num =
931316616}, {str = 0x7fff3782c390 "\340\343f", num = 931316624}, {str
= 0x7fff3782c3b0 "\001",
            num = 931316656}, {str = 0x170ba1860 <Address 0x170ba1860
out of bounds>, num = 1891244128}, {str = 0x63b860 ".", num =
6535264}, {
            str = 0x400000001 <Address 0x400000001 out of bounds>, num
= 1}, {str = 0x7f9970ba18e3 "\n", num = 1891244259}, {
            str = 0x7f99708bd3ba "H\211\305\017\267\203\200", num =
1888211898}, {str = 0x10 <Address 0x10 out of bounds>, num = 16}, {
            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba1860 "\207(\255", <incomplete sequence \373>, num =
1891244128}, {
            str = 0xa <Address 0xa out of bounds>, num = 10}, {str =
0x400 <Address 0x400 out of bounds>, num = 1024}, {
            str = 0x7f99708bd6f5
"H9غ\377\377\377\377t\352\220\353\351fffff.\017\037\204", num =
1888212725}, {
            str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
\373>, num = 1891244128}, {
            str = 0x7f99708be06f
"\203\300\001\017\205Y\377\377\377\270\377\377\377\377\351S\377\377\377f\017\037D",
num = 1888215151}, {
            str = 0x7f9970ba1860 "\207(\255", <incomplete sequence
\373>, num = 1891244128}, {str = 0xa <Address 0xa out of bounds>, num
= 10}, {str = 0x0, num = 0},
          {str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
0x0, num = 0}, {str = 0x7f9970fb8058 "X\326\375p\231\177",
            num = 1895530584}, {str = 0x1 <Address 0x1 out of bounds>,
num = 1}, {str = 0x4 <Address 0x4 out of bounds>, num = 4}, {
            str = 0x7c9d4d41 <Address 0x7c9d4d41 out of bounds>, num =
2090683713}, {str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276",
            num = 1893514675}, {
            str = 0x7f9970ba7c9c
"AM\235|\265\351Z\361\321a\362\025\207zR\310SAM\266Q\265\250\020ٱy\227\341ڑ&\227\312\066\233m\232\277\327\215G\342)\313#\301\342\347R\222j8\265\357\060\071\265\357\060\355\256\204ͱ\246JdU\006j\354\233\017\070\001\271|\315\027\tC\351\034]\300\t>\211\307\334\310\357\361\337z\366\060\254\062\367\060\---Type
<return> to continue, or q <return> to quit---
254\062\065", num = 1891269788}, {str = 0x7f9970fb8058
"X\326\375p\231\177", num = 1895530584}, {str = 0x1 <Address 0x1 out
of bounds>, num = 1}, {
            str = 0x7f9970dcbdb3
"\205\300t\016\213C\f\205\300\017\204\276", num = 1893514675}, {str =
0xf6cf05c <Address 0xf6cf05c out of bounds>, num = 258797660},
          {str = 0x7f9970fb8060 "\030\333\375p\231\177", num =
1895530592}, {str = 0x2 <Address 0x2 out of bounds>, num = 2}, {str =
0x4 <Address 0x4 out of bounds>,
            num = 4}, {str = 0x3de00ec7 <Address 0x3de00ec7 out of
bounds>, num = 1038094023}, {
            str = 0x7f9970dcc274
"H\205\300L\213D$\020D\213L$\bL\213\034$\017\205\067\376\377\377A\213\023\353\214I\203?",
num = 1893515892}, {
            str = 0x7f99708501ec
"\307\016\340=i\177\200&\022\226\370\022\341X\037\304m\354\305\362\202\254l\001MW\211[e\345-\017\364\347\313\016\341\201/\177L־\314\352\033h\236\361\274\017\257f\177\023\376&W3\354\262\314\356Ei\344u\017P\230;\017\347+6\325\004y\247\025d\001\003\v\264\270#\375ˁ\"\b|\355\021\017gUa\020։+\243߅\351v\371\274\017\257\276\206\357\016\260\275\204
\301\256\020ia", <incomplete sequence \333>, num = 1887764972}, {
            str = 0x7f9900000007 <Address 0x7f9900000007 out of
bounds>, num = 7}, {str = 0xf7803b <Address 0xf7803b out of bounds>,
num = 16220219}, {
            str = 0x7fff3782f570 "", num = 931329392}, {str =
0x7fff3782f6c8 "\320\367\202\067\377\177", num = 931329736}, {str =
0x7f9970851c10 "",
            num = 1887771664}, {str = 0x0, num = 0}, {str =
0x7f9970fb80a0 "\355\020@", num = 1895530656}, {str = 0x7f9970fddb18
"", num = 1895684888}, {
            str = 0x400f08 "realloc", num = 4198152}, {str =
0x7f997085e558 "", num = 1887823192}, {str = 0x400c68 "P\001", num =
4197480}, {
            str = 0x500000000 <Address 0x500000000 out of bounds>, num
= 0}, {str = 0x1000001db <Address 0x1000001db out of bounds>, num =
475}, {
            str = 0xf6cf05c <Address 0xf6cf05c out of bounds>, num =
258797660}, {str = 0x7f9970fde358 "\270\342\375p\231\177", num =
1895687000}, {
            str = 0x7fff3782f700 "d\020\272p\231\177", num =
931329792}, {str = 0x7fff3782f6c8 "\320\367\202\067\377\177", num =
931329736}, {
            str = 0x3de00ec7 <Address 0x3de00ec7 out of bounds>, num =
1038094023}, {
            str = 0x7f9970911889
"H\213D$\bH\203\304(H=\001\360\377\377s\001\303H\213\r\006\367(", num
= 1888557193}, {str = 0x0, num = 0}, {
            str = 0x1 <Address 0x1 out of bounds>, num = 1}, {str =
0x7f9970ba18e3 "\n", num = 1891244259}, {str = 0x1 <Address 0x1 out of
bounds>, num = 1}}
        yyvs = 0x7fff3782efc0
        yyvsp = 0x7fff3782efd0
        yystacksize = 200
        yyval = <value optimized out>
        yylen = 2
#4  0x00000000004082e1 in parse_line (source_id=-194048594, str=<value
optimized out>) at attack_parser.y:379
        ret = <value optimized out>
#5  0x00000000004025c1 in main (argc=6803856, argv=0x0) at sshguard.c:218
        tid = 140296994478352
        retv = <value optimized out>
        source_id = 4100918702
        buf = "Apr 14 08:48:36 basement sshd[6453]: User nobody from
122.227.43.37 not allowed because none of user's groups are listed in
AllowGroups\n\000\000\000\000\000\000\000\000\207\360\226|\000\000\000\000t\302\334p\231\177\000\000\330\033\205p\231\177\000\000\a\000\000\000\000\000\000\000\302[\362\001\000\000\000\000
\371\202\067\377\177\000\000x\372\202\067\377\177\000\000\020\034\205p\231\177\000\000\000\000\000\000\000\000\000\000\300\204\373p\231\177\000\000"...


HTH ;-)

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Mij <mi...@ss...>]

All of the messages you report should be recognized by sshguard. It may be a problem
in the log sucker, although I'd be surprised not to have similar reports earlier.
It's more difficult to investigate the problem here then.

Some ways you can proceed, when you notice attacks that aren't been blocked:

1) run a "grep sshguard /var/log/auth.log" (or wherever sshguard logging is sent):
	- any message besides the Blocking ones?

2) do a "ls -l" on the log files you're making sshguard monitor. Is there any fresh?
(just rotated)

3) check with top, ps, and lsof (or equivalent for your OS):
	- is sshguard taking significant CPU load? (looping)
	- what is the state reported by ps?
	- what files are open?

4) any change if you suspend and resume sshguard:
	killall -TSTP sshguard
	sleep 2
	killall -CONT sshguard


if you're up for harder stuff, you can proceed with:
1) changing sshguard_log_minloglevel to LOG_DEBUG in src/sshguard_log.c and recompile

2) compile with debug symbols:
	./configure --enable-debug --with-firewall=yours
	make
then, when observing the "downtime", attach to the running process from gdb:
	ps ax | grep sshguard    --> read the PID
	gdb
	(gdb) attach PID
	...
	(gdb) break
	(gdb) backtrace full



On Apr 11, 2010, at 10:58 , Robert S wrote:

> >> I left sshguard running overnight with the above config and recorded hundreds of attempts to log in that were not blocked.  It appears that the syslog-ng config is not sending messages to sshguard.
> >>
> >> I have just downgraded sshguard to 1.4.4 and the logging is appearing again my my system log:
> 
> >Combining the two pieces of information: if syslog-ng doesn't pass stuff to sshguard, it may not activate
> >the destination at all, that is, not start sshguard. In turn this may explain the absence of logs.
> 
> >What about running 1.5 with log sucking? The log sucker saves the syslog configuration hassle.
> >See
> >http://www.sshguard.net/docs/setup/getlogs/log-sucker/
>  
> I have reinstalled 1.5 and have it running in the background using the log sucker:
>  
> # ps ax |grep sshguard
> # 7730 ?        Sl     0:00 /usr/sbin/sshguard -l /var/log/auth.log -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>  
> At first this seemed to work this morning - I tried to log in from another of my servers at www.xxx.yyy.zzz:
>  
> Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz  user=root
> Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz  user=root
> Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for illegal user root from www.xxx.yyy.zzz
> Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for invalid user root from www.xxx.yyy.zzz port 34596 ssh2
> Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 7 seconds.
>  
> Later in the day there was an intrusion attempt:
>  
> Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed because none of user's groups are listed in AllowGroups
> <etc>
>  
> .. no attempt by sshguard to block it
>  
> I've also tried logging in from www.xxx.yyy.zzz again:
>  
> Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Thus log sucking (and also the syslog) method seem to work initially, but later stop.
>  
> If I kill the sshguard process then it works again:
>  
> Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not allowed because none of user's groups are listed in AllowGroups
> Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for >420secs: 40 danger over 9 seconds.
> 
> I can't seem to explain this behaviour.  I've tried several versions and nothing before 1.5 seems to work consistently.

Re: [Sshguard-users] sshguard-1.5-r1 on gentoo: log entries missed

[Robert S <rob...@gm...>]

>> I left sshguard running overnight with the above config and recorded
hundreds of attempts to log in that were not blocked.  It appears that the
syslog-ng config is not sending messages to sshguard.
>>
>> I have just downgraded sshguard to 1.4.4 and the logging is appearing
again my my system log:

>Combining the two pieces of information: if syslog-ng doesn't pass stuff to
sshguard, it may not activate
>the destination at all, that is, not start sshguard. In turn this may
explain the absence of logs.
>What about running 1.5 with log sucking? The log sucker saves the syslog
configuration hassle.
>See
>http://www.sshguard.net/docs/setup/getlogs/log-sucker/

I have reinstalled 1.5 and have it running in the background using the log
sucker:

# ps ax |grep sshguard
# 7730 ?        Sl     0:00 /usr/sbin/sshguard -l /var/log/auth.log -f
100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w
/etc/sshguard.whitelist

At first this seemed to work this morning - I tried to log in from another
of my servers at www.xxx.yyy.zzz:

Apr 11 08:17:47 myhost sshd[7743]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 08:17:49 myhost sshd[7745]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz
user=root
Apr 11 08:17:51 myhost sshd[7743]: error: PAM: Authentication failure for
illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:51 myhost sshd[7743]: Failed keyboard-interactive/pam for
invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:52 myhost sshd[7748]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.xxx.yyy.zzz
user=root
Apr 11 08:17:55 myhost sshd[7743]: error: PAM: Authentication failure for
illegal user root from www.xxx.yyy.zzz
Apr 11 08:17:55 myhost sshd[7743]: Failed keyboard-interactive/pam for
invalid user root from www.xxx.yyy.zzz port 34596 ssh2
Apr 11 08:17:55 myhost sshguard[7730]: Blocking www.xxx.yyy.zzz:4 for
>420secs: 40 danger over 7 seconds.

Later in the day there was an intrusion attempt:

Apr 11 16:02:35 myhost sshd[19986]: User root from 59.51.25.174 not allowed
because none of user's groups are listed in AllowGroups
Apr 11 16:02:38 myhost sshd[19988]: User root from 59.51.25.174 not allowed
because none of user's groups are listed in AllowGroups
Apr 11 16:02:41 myhost sshd[19990]: User root from 59.51.25.174 not allowed
because none of user's groups are listed in AllowGroups
<etc>

.. no attempt by sshguard to block it

I've also tried logging in from www.xxx.yyy.zzz again:

Apr 11 18:48:28 myhost sshd[20859]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:33 myhost sshd[20862]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:36 myhost sshd[20865]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:39 myhost sshd[20868]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:42 myhost sshd[20871]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:45 myhost sshd[20874]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:47 myhost sshd[20877]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:48:50 myhost sshd[20880]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Thus log sucking (and also the syslog) method seem to work initially, but
later stop.

If I kill the sshguard process then it works again:

Apr 11 18:52:36 myhost sshd[21020]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:39 myhost sshd[21025]: User root from www.xxx.yyy.zzz not
allowed because none of user's groups are listed in AllowGroups
Apr 11 18:52:40 myhost sshguard[20999]: Blocking www.xxx.yyy.zzz:4 for
>420secs: 40 danger over 9 seconds.

I can't seem to explain this behaviour.  I've tried several versions and
nothing before 1.5 seems to work consistently.

Re: [Sshguard-users] what to do if sshguard goes down

[Adam C. <ada...@be...>]

daemontools works like a charm
thanks!

-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

On Apr 8, 2010, at 2:29 AM, Mij wrote:

> 
> On Apr 8, 2010, at 8:46 , Adam Cohen wrote:
> 
>> occasionally i get a "real" crash and will report that when it happens next
>> but the main thing that seems to take it down is when syslogd restarts
>> 
>> im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
>>  cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b  2:/var/db/sshguard/blacklist.db
>> 
>> whenever i see:
>>  syslogd 1.4.1: restart.
>> 
>> on /var/log/messages, it is immediately followed by:
>>  sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...
>> 
>> makes sense why this happens, but how to restart?
> 
> Yes, intended/natural behavior.
> 
> I have a similar scenario, where I pass logs from one host to a Jail through a fifo/named pipe.
> 
> Inside the jail, a process (other than sshguard) gets logs from the fifo. I use indeed
> daemontools to restart automatically the process when the fifo is closed/reset. "supervise"
> avoid loops in case the other end of the fifo is not open as well.
> 
> http://cr.yp.to/daemontools.html
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] what to do if sshguard goes down

[Mij <mi...@ss...>]

On Apr 8, 2010, at 8:46 , Adam Cohen wrote:

> occasionally i get a "real" crash and will report that when it happens next
> but the main thing that seems to take it down is when syslogd restarts
> 
> im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
>   cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b  2:/var/db/sshguard/blacklist.db
> 
> whenever i see:
>   syslogd 1.4.1: restart.
> 
> on /var/log/messages, it is immediately followed by:
>   sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...
> 
> makes sense why this happens, but how to restart?

Yes, intended/natural behavior.

I have a similar scenario, where I pass logs from one host to a Jail through a fifo/named pipe.

Inside the jail, a process (other than sshguard) gets logs from the fifo. I use indeed
daemontools to restart automatically the process when the fifo is closed/reset. "supervise"
avoid loops in case the other end of the fifo is not open as well.

http://cr.yp.to/daemontools.html

Re: [Sshguard-users] what to do if sshguard goes down

[Adam C. <ada...@be...>]

occasionally i get a "real" crash and will report that when it happens next
but the main thing that seems to take it down is when syslogd restarts

im running 1.4rc3 on Redhat with the "fifo" method, here's my startup command:
  cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard -a 3 -b  2:/var/db/sshguard/blacklist.db

whenever i see:
  syslogd 1.4.1: restart.

on /var/log/messages, it is immediately followed by:
  sshguard[pid]: Got exit signal, flushing blocked addresses and exiting...

makes sense why this happens, but how to restart?

-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

On Apr 7, 2010, at 1:06 PM, Mij wrote:

> Understand why it goes down beats any monitoring software around :)
> - which version do you run?
> - do you run it from syslog or standalone?
> - any scoop on crashes from the logs? Any core file?
> 
> Besides, the answer you crave is probably djb's daemontools. 
> 
> 
> On 07/apr/2010, at 21.11, Adam Cohen <ada...@be...> wrote:
> 
>> from time to time sshguard will come down, is there a good way to insure that it gets restarted?
>> i see one possibility is to use inittab and the respawn option, another would be to add a piece of monitoring software
>> any thoughts?
>> thanks
>> 	
>> -- 
>> Adam Cohen / IT Manager
>> Energy Biosciences Institute / UC Berkeley
>> 109 Calvin Lab / 510-642-7709
>> http://www.energybiosciencesinstitute.org
>> 
>> ------------------------------------------------------------------------------
>> Download Intel&#174; Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev_______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] what to do if sshguard goes down

[Mij <mi...@ss...>]

Understand why it goes down beats any monitoring software around :)
- which version do you run?
- do you run it from syslog or standalone?
- any scoop on crashes from the logs? Any core file?

Besides, the answer you crave is probably djb's daemontools.


On 07/apr/2010, at 21.11, Adam Cohen <ada...@be...> wrote:

> from time to time sshguard will come down, is there a good way to  
> insure that it gets restarted?
> i see one possibility is to use inittab and the respawn option,  
> another would be to add a piece of monitoring software
> any thoughts?
> thanks
> 	
> -- 
> Adam Cohen / IT Manager
> Energy Biosciences Institute / UC Berkeley
> 109 Calvin Lab / 510-642-7709
> http://www.energybiosciencesinstitute.org
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] what to do if sshguard goes down

[Adam C. <ada...@be...>]

from time to time sshguard will come down, is there a good way to insure that it gets restarted?
i see one possibility is to use inittab and the respawn option, another would be to add a piece of monitoring software
any thoughts?
thanks
	
-- 
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
109 Calvin Lab / 510-642-7709
http://www.energybiosciencesinstitute.org

Re: [Sshguard-users] sshguard not blocking

[Mij <mi...@ss...>]

Your iptables -L output appears partial (don't see the header Chain INPUT),
but it seems that you did not hook the sshguard chain into INPUT.

See http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/

beware of the notes on default allow/deny.


On Apr 2, 2010, at 19:18 , Christopher Campbell wrote:

> Hi! I've got sshguard up and running, but it's not really blocking connection attempts
> to ssh.  
> 
> To test it , I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into
> my machine which is running sshguard.  From auth.log, I can see that sshguard logged the attacks and "said" that 
> the attacking ip was being blocked.  However after multiple failed login attempts, I was still able to login.
> Below, from the output of iptables -L, it seems that the ip address is being dropped, and thus, should be blocked.  
> 
> One caveat, I was using my username, which is the only username allowed in sshd_config.  I don't know if this will override
> sshguard's blocking. 
> 
> >> From auth.log <<
> 
> Apr  1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr  1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr  1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr  1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr  1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
> Apr  1 22:44:24 sherpa sshguard[4058]: Found!
> Apr  1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
> Apr  1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
> Apr  1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in 4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
> 
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> >> From iptables -L <<
> 
> DROP       icmp --  anywhere             anywhere            icmp echo-request
> LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
> DROP       all  --  anywhere             anywhere
> 
> Chain LSO (0 references)
> target     prot opt source               destination
> LOG_FILTER  all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> 
> Chain OUTBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain sshguard (2 references)
> target     prot opt source               destination
> 
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  121.138.219.132      anywhere
> DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
> DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
> DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
> DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
> DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
> [root@sherpa log]#
> 
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev_______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

[Sshguard-users] sshguard not blocking

[Christopher C. <chr...@gm...>]

Hi! I've got sshguard up and running, but it's not really blocking
connection attempts
to ssh.

To test it , I logged into a remote machine, and from that remote machine,
using bogus passwords, tried logging into
my machine which is running sshguard.  From auth.log, I can see that
sshguard logged the attacks and "said" that
the attacking ip was being blocked.  However after multiple failed login
attempts, I was still able to login.
Below, from the output of iptables -L, it seems that the ip address is being
dropped, and thus, should be blocked.

One caveat, I was using my username, which is the only username allowed in
sshd_config.  I don't know if this will override
sshguard's blocking.

>> From auth.log <<

Apr  1 22:44:18 sherpa sshguard[4058]: Matched address
121.138.219.132:4attacking service 100
Apr  1 22:44:20 sherpa sshguard[4058]: Matched address
121.138.219.132:4attacking service 100
Apr  1 22:44:22 sherpa sshguard[4058]: Matched address
121.138.219.132:4attacking service 100
Apr  1 22:44:24 sherpa sshguard[4058]: Matched address
121.138.219.132:4attacking service 100
Apr  1 22:44:24 sherpa sshguard[4058]: Looking for address
'121.138.219.132:4'...
Apr  1 22:44:24 sherpa sshguard[4058]: Found!
Apr  1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for
>0secs: 4 failures over 6 seconds.
Apr  1 22:44:24 sherpa sshguard[4058]: Setting environment:
SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Apr  1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in
4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
/usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;;
esac": exited 0.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> From iptables -L <<

DROP       icmp --  anywhere             anywhere            icmp
echo-request
LOG        all  --  anywhere             anywhere            limit: avg
5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg
5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain sshguard (2 references)
target     prot opt source               destination

DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
[root@sherpa log]#

Re: [Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Bruno D. <bru...@op...>]

There was a compile problem of -lsocket -lnsl missing which caused this
problem. So far, the build works with the changes you suggest and the
addition of -lsocket -lnsl. Perhaps you can incorporate it as well.

Built on  SunOS sun 5.10 Generic_142900-06 sun4u sparc SUNW,Sun-Blade-2500
[bdelbono@sun ~/sshguard]
14$ gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)





gcc -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2 -o sshguard
sshguard.o sshguard_whitelist.o sshguard_log.o sshguard_procauth.o
sshguard_blacklist.o sshguard_options.o sshguard_logsuck.o simclist.o
hash_32a.o parser/libparser.a fwalls/libfwall.a -lpthread
Undefined first referenced
symbol in file
__xnet_getaddrinfo sshguard_whitelist.o
freeaddrinfo sshguard_whitelist.o
inet_pton sshguard_whitelist.o
inet_ntop sshguard_whitelist.o
gai_strerror sshguard_whitelist.o
ld: fatal: Symbol referencing errors. No output written to sshguard
collect2: ld returned 1 exit status
gmake[3]: *** [sshguard] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake: *** [all-recursive] Error 1

On Thu, Apr 1, 2010 at 4:59 PM, Mij <mi...@ss...> wrote:

> Hi Bruno,
>
> in order to avoid to commit a myriad of revisions under the umbrella
> "address Solaris compile problems", let's do it interactively -- I'll
> commit
> one transaction once it works entirely.
>
> For this one, please try:
>
> 1) edit fnv.h
> 2) before "#include <sys/types.h>" (line 79), add:
> #include <stdint.h>
>
> 3) change "typedef u_int32_t Fnv32_t;" into
> typedef uint32_t Fnv32_t;
>
> let me know if there are further problems.
> michele
>
>
> On Apr 1, 2010, at 21:42 , Bruno Delbono wrote:
>
> >
> >
> > On Thu, Apr 1, 2010 at 4:27 AM, Mij <mi...@ss...> wrote:
> > ok, r187 should generalize the change, please give it a try
> >
> > Cool. Now we're at:
> >
> > gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g
> -O2 -MT sshguard_logsuck.o -MD -MP -MF .deps/sshguard_logsuck.Tpo -c -o
> sshguard_logsuck.o sshguard_logsuck.c
> > In file included from sshguard_logsuck.c:34:
> > fnv.h:87: error: syntax error before "Fnv32_t"
> > fnv.h:87: warning: type defaults to `int' in declaration of `Fnv32_t'
> > fnv.h:87: warning: data definition has no type or storage class
> > fnv.h:124: error: syntax error before "fnv_32a_str"
> > fnv.h:124: error: syntax error before "Fnv32_t"
> > fnv.h:124: warning: type defaults to `int' in declaration of
> `fnv_32a_str'
> > fnv.h:124: warning: data definition has no type or storage class
> > gmake[3]: *** [sshguard_logsuck.o] Error 1
> > gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake[2]: *** [all-recursive] Error 1
> > gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake[1]: *** [all] Error 2
> > gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
> > gmake: *** [all-recursive] Error 1
> >
> > --
> > Bruno Delbono
> > Open-Systems Group
> > http://www.open-systems.org
> > http://www.mail.ac
> >
> ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> >
> http://p.sf.net/sfu/intel-sw-dev_______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>


-- 
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac

Re: [Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Bruno D. <bru...@op...>]

On Thu, Apr 1, 2010 at 4:27 AM, Mij <mi...@ss...> wrote:

> ok, r187 should generalize the change, please give it a try
>

Cool. Now we're at:

gcc -DHAVE_CONFIG_H -I. -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L -g -O2
-MT sshguard_logsuck.o -MD -MP -MF .deps/sshguard_logsuck.Tpo -c -o
sshguard_logsuck.o sshguard_logsuck.c
In file included from sshguard_logsuck.c:34:
fnv.h:87: error: syntax error before "Fnv32_t"
fnv.h:87: warning: type defaults to `int' in declaration of `Fnv32_t'
fnv.h:87: warning: data definition has no type or storage class
fnv.h:124: error: syntax error before "fnv_32a_str"
fnv.h:124: error: syntax error before "Fnv32_t"
fnv.h:124: warning: type defaults to `int' in declaration of `fnv_32a_str'
fnv.h:124: warning: data definition has no type or storage class
gmake[3]: *** [sshguard_logsuck.o] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/src'
gmake: *** [all-recursive] Error 1

-- 
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac

Re: [Sshguard-users] sshguard 1.5rc1 Build failure on OpenBSD 4.6

[Mij <mi...@ss...>]

On Apr 1, 2010, at 11:18 , Johan Bergström wrote:

> Hey,
> 
> On 31 mar 2010, at 17.10, Mij wrote:
> 
>> Hi Johan,
>> 
>> Since that function's signature is sane, and that error doesn't occur in other versions
>> of gcc, I infer that is a compiler snap.
>> 
>> If you can't change compiler (as I guess, on your hardware), you can try to:
> 
> Regarding my setup: Flashrd/flashdist is bascially stock OpenBSD 4.6 but helps you with sticking with a read only system. I can of course add an additional compiler trough ports if needed.

you're probably better off compiling from another box then


> What compiler does sshguard recoment for OpenBSD? Perhaps this should be added as a configure check?
> 
> Afaik, GCC 2.95 and 3.3.5 are shipped with OpenBSD 4.6. OpenBSD 4.7 (soon released) also seems to ship these - which should imply that sshguard 1.5 won't run on OpenBSD.

I usually keep myself from telling people what compiler to choose; especially under
BSD, where it's so tied to the system, and especially in OpenBSD, where GCC is
usually significantly patched/extended.

What I can say is that 4.x had vast (binary) performance boosts, and much better C99
support.


>> 1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with
>> 
>> int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
>> or
>> int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
>> 
>> 2) remove the "restrict" qualifier from the same locations, and recompile the entire package
>> (ie,  make clean all)
> 
> I tried both of these alternatives as well as some dwelling into both but no luck. I don't think the code as is will work with OpenBSD's current compilers.

it can't be that 2) doesn't work :)

To go the radical, you can add
"-Drestrict="
(nothing after =) to gcc's cflags.

I will consider whether to remove the restrict qualifier for future versions. I'm adverse
to patch code up to compiler quirks, but for "restrict" one can be malleable.

Re: [Sshguard-users] sshguard 1.5rc1 Build failure on OpenBSD 4.6

[Johan B. <jo...@be...>]

Hey,

On 31 mar 2010, at 17.10, Mij wrote:

> Hi Johan,
> 
> Since that function's signature is sane, and that error doesn't occur in other versions
> of gcc, I infer that is a compiler snap.
> 
> If you can't change compiler (as I guess, on your hardware), you can try to:

Regarding my setup: Flashrd/flashdist is bascially stock OpenBSD 4.6 but helps you with sticking with a read only system. I can of course add an additional compiler trough ports if needed.

What compiler does sshguard recoment for OpenBSD? Perhaps this should be added as a configure check?

Afaik, GCC 2.95 and 3.3.5 are shipped with OpenBSD 4.6. OpenBSD 4.7 (soon released) also seems to ship these - which should imply that sshguard 1.5 won't run on OpenBSD.


> 
> 1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with
> 
> int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
> or
> int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
> 
> 2) remove the "restrict" qualifier from the same locations, and recompile the entire package
> (ie,  make clean all)

I tried both of these alternatives as well as some dwelling into both but no luck. I don't think the code as is will work with OpenBSD's current compilers.

Cheers,
Johan

> 
> 
> On Mar 30, 2010, at 16:12 , Johan Bergström wrote:
> 
>> Hey,
>> 
>> It looks like sshguard 1.5 beta 1 trough rc1 fails to build on one of my soekris boxes. Output from configure and forward (as well as uname/gcc info) below. 
>> 
>> 1.4 is currently running on this box with the same configure options.
>> 
>> I did some minor research and found this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11942 , feels very unlikely - but it's better to get it out there..
>> 
>> Cheers,
>> Johan Bergström
>> 
>> 
>> [..]
>> Making all in fwalls
>> gcc -DHAVE_CONFIG_H -I. -I../../src     -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
>> In file included from command.c:35:
>> ../sshguard_fw.h:88: error: invalid use of `restrict'
>> command.c:62: error: invalid use of `restrict'
>> *** Error code 1
> 
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Mij <mi...@ss...>]

ok, r187 should generalize the change, please give it a try


On Apr 1, 2010, at 24:50 , Bruno Delbono wrote:

> Hi Mij,
> 
> On Wed, Mar 31, 2010 at 11:17 AM, Mij <mi...@ss...> wrote:
> thanks for reporting. Apparently Solaris doesn't expose that definition.
> It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
> http://www.sshguard.net/download/repository/
> 
> Check'd out r186. It now, fails further down with  sshguard_blacklist.c
> 
> [...]
> gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g -O2 -MT sshguard.o -MD -MP -MF .deps/sshguard.Tpo -c -o sshguard.o sshguard.c
> mv -f .deps/sshguard.Tpo .deps/sshguard.Po
> gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g -O2 -MT sshguard_whitelist.o -MD -MP -MF .deps/sshguard_whitelist.Tpo -c -o sshguard_whitelist.o sshguard_whitelist.c
> mv -f .deps/sshguard_whitelist.Tpo .deps/sshguard_whitelist.Po
> gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g -O2 -MT sshguard_log.o -MD -MP -MF .deps/sshguard_log.Tpo -c -o sshguard_log.o sshguard_log.c
> mv -f .deps/sshguard_log.Tpo .deps/sshguard_log.Po
> gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g -O2 -MT sshguard_procauth.o -MD -MP -MF .deps/sshguard_procauth.Tpo -c -o sshguard_procauth.o sshguard_procauth.c
> sshguard_procauth.c: In function `procauth_getprocpid':
> sshguard_procauth.c:162: warning: int format, pid_t arg (arg 3)
> sshguard_procauth.c: In function `procauth_ischildof':
> sshguard_procauth.c:177: warning: int format, pid_t arg (arg 3)
> sshguard_procauth.c:177: warning: int format, pid_t arg (arg 4)
> mv -f .deps/sshguard_procauth.Tpo .deps/sshguard_procauth.Po
> gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g -O2 -MT sshguard_blacklist.o -MD -MP -MF .deps/sshguard_blacklist.Tpo -c -o sshguard_blacklist.o sshguard_blacklist.c
> sshguard_blacklist.c: In function `attacker_serializer':
> sshguard_blacklist.c:79: error: `INET_ADDRSTRLEN' undeclared (first use in this function)
> sshguard_blacklist.c:79: error: (Each undeclared identifier is reported only once
> sshguard_blacklist.c:79: error: for each function it appears in.)
> sshguard_blacklist.c:90: warning: implicit declaration of function `htonl'
> sshguard_blacklist.c: In function `attacker_unserializer':
> sshguard_blacklist.c:129: warning: implicit declaration of function `ntohl'
> gmake[3]: *** [sshguard_blacklist.o] Error 1
> gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake[2]: *** [all-recursive] Error 1
> gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
> gmake: *** [all-recursive] Error 1
> 
> Warm regards,
> 
> -- 
> Bruno Delbono
> Open-Systems Group
> http://www.open-systems.org
> http://www.mail.ac

Re: [Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Bruno D. <Bru...@Ma...>]

Hi Mij,

On Wed, Mar 31, 2010 at 11:17 AM, Mij <mi...@ss...> wrote:

> thanks for reporting. Apparently Solaris doesn't expose that definition.
> It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
> http://www.sshguard.net/download/repository/


Check'd out r186. It now, fails further down with  sshguard_blacklist.c

[...]
gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g
-O2 -MT sshguard.o -MD -MP -MF .deps/sshguard.Tpo -c -o sshguard.o
sshguard.c
mv -f .deps/sshguard.Tpo .deps/sshguard.Po
gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g
-O2 -MT sshguard_whitelist.o -MD -MP -MF .deps/sshguard_whitelist.Tpo -c -o
sshguard_whitelist.o sshguard_whitelist.c
mv -f .deps/sshguard_whitelist.Tpo .deps/sshguard_whitelist.Po
gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g
-O2 -MT sshguard_log.o -MD -MP -MF .deps/sshguard_log.Tpo -c -o
sshguard_log.o sshguard_log.c
mv -f .deps/sshguard_log.Tpo .deps/sshguard_log.Po
gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g
-O2 -MT sshguard_procauth.o -MD -MP -MF .deps/sshguard_procauth.Tpo -c -o
sshguard_procauth.o sshguard_procauth.c
sshguard_procauth.c: In function `procauth_getprocpid':
sshguard_procauth.c:162: warning: int format, pid_t arg (arg 3)
sshguard_procauth.c: In function `procauth_ischildof':
sshguard_procauth.c:177: warning: int format, pid_t arg (arg 3)
sshguard_procauth.c:177: warning: int format, pid_t arg (arg 4)
mv -f .deps/sshguard_procauth.Tpo .deps/sshguard_procauth.Po
gcc -DHAVE_CONFIG_H -I.    -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L  -g
-O2 -MT sshguard_blacklist.o -MD -MP -MF .deps/sshguard_blacklist.Tpo -c -o
sshguard_blacklist.o sshguard_blacklist.c
sshguard_blacklist.c: In function `attacker_serializer':
sshguard_blacklist.c:79: error: `INET_ADDRSTRLEN' undeclared (first use in
this function)
sshguard_blacklist.c:79: error: (Each undeclared identifier is reported only
once
sshguard_blacklist.c:79: error: for each function it appears in.)
sshguard_blacklist.c:90: warning: implicit declaration of function `htonl'
sshguard_blacklist.c: In function `attacker_unserializer':
sshguard_blacklist.c:129: warning: implicit declaration of function `ntohl'
gmake[3]: *** [sshguard_blacklist.o] Error 1
gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard/trunk/src'
gmake: *** [all-recursive] Error 1

Warm regards,

-- 
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac

Re: [Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Mij <mi...@ss...>]

thanks for reporting. Apparently Solaris doesn't expose that definition.
It's fixed in r186 on the SVN; you'll get it in 1.5 stable, or see
http://www.sshguard.net/download/repository/


On Mar 31, 2010, at 5:42 , Bruno Delbono wrote:

> Hi folks,
> 
> I've been trying to get /sshguard-1.5rc1 working on my system running Solaris 10
> 
>  69$ gmake
> Making all in src
> gmake[1]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake  all-recursive
> gmake[2]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> Making all in parser
> gmake[3]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake  all-am
> gmake[4]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gcc -DHAVE_CONFIG_H -I. -I../../src    -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_parser.o -MD -MP -MF .deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
> In file included from ../sshguard.h:24,
>                  from attack_parser.y:42:
> ../sshguard_addresskind.h:34: error: `INET6_ADDRSTRLEN' undeclared here (not in a function)
> gmake[4]: *** [attack_parser.o] Error 1
> gmake[4]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake[3]: *** [all] Error 2
> gmake[3]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
> gmake[2]: *** [all-recursive] Error 1
> gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake[1]: *** [all] Error 2
> gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
> gmake: *** [all-recursive] Error 1
> 
> Warm regards,
> 
> 
> -- 
> Bruno Delbono
> Open-Systems Group
> http://www.open-systems.org
> http://www.mail.ac
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev_______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

Re: [Sshguard-users] sshguard 1.5rc1 Build failure on OpenBSD 4.6

[Mij <mi...@ss...>]

Hi Johan,

Since that function's signature is sane, and that error doesn't occur in other versions
of gcc, I infer that is a compiler snap.

If you can't change compiler (as I guess, on your hardware), you can try to:

1) change the definition on that line in sshguard_fw.h (88) and command.c (62) with

int fw_block_list(const char (*restrict addresses)[], int addrkind, const int service_codes[]) {
or
int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {

2) remove the "restrict" qualifier from the same locations, and recompile the entire package
(ie,  make clean all)


On Mar 30, 2010, at 16:12 , Johan Bergström wrote:

> Hey,
> 
> It looks like sshguard 1.5 beta 1 trough rc1 fails to build on one of my soekris boxes. Output from configure and forward (as well as uname/gcc info) below. 
> 
> 1.4 is currently running on this box with the same configure options.
> 
> I did some minor research and found this: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11942 , feels very unlikely - but it's better to get it out there..
> 
> Cheers,
> Johan Bergström
> 
> 
> [..]
> Making all in fwalls
> gcc -DHAVE_CONFIG_H -I. -I../../src     -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
> In file included from command.c:35:
> ../sshguard_fw.h:88: error: invalid use of `restrict'
> command.c:62: error: invalid use of `restrict'
> *** Error code 1

[Sshguard-users] Solaris 10 Build fails with sshguard-1.5rc1

[Bruno D. <Bru...@Ma...>]

Hi folks,

I've been trying to get /sshguard-1.5rc1 working on my system running
Solaris 10

 69$ gmake
Making all in src
gmake[1]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake  all-recursive
gmake[2]: Entering directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
Making all in parser
gmake[3]: Entering directory
`/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake  all-am
gmake[4]: Entering directory
`/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gcc -DHAVE_CONFIG_H -I. -I../../src    -I. -I.. -Wall -std=c99
-D_POSIX_C_SOURCE=200112L -g -O2 -MT attack_parser.o -MD -MP -MF
.deps/attack_parser.Tpo -c -o attack_parser.o attack_parser.c
In file included from ../sshguard.h:24,
                 from attack_parser.y:42:
../sshguard_addresskind.h:34: error: `INET6_ADDRSTRLEN' undeclared here (not
in a function)
gmake[4]: *** [attack_parser.o] Error 1
gmake[4]: Leaving directory
`/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory
`/data/homedirs/bdelbono/sshguard-1.5rc1/src/parser'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/data/homedirs/bdelbono/sshguard-1.5rc1/src'
gmake: *** [all-recursive] Error 1

Warm regards,


-- 
Bruno Delbono
Open-Systems Group
http://www.open-systems.org
http://www.mail.ac