sshguard-users Mailing List for SSHGuard (Page 63)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

> You would try running "/usr/local/sbin/sshguard" from the command
> line and
> pasting this line in its input (from keyboard)
>
> Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
>

This seems to work (compiled with debugging):

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Jan 1 10:11:12 voodoo sshd[1234]: Invalid user admin from 1.2.3.4
Matched IP address 1.2.3.4
Blocking 1.2.3.4: 4 failures over 3 seconds.

Setting environment: SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard
-s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s
$SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Got exit signal, flushing blocked addresses and exiting...
ip6tables: No chain/target/match by that name
Run command "/sbin/iptables -F sshguard ; /sbin/ip6tables -F
sshguard": exited 256.

> paste it 4 times then check "iptables -L" to see if a drop rule for

This confirms that the address 1.2.3.4 is DROPed

> # tail -n0 -F /var/log/secure.log | tee -a /dev/stderr | ./src/sshguard

No luck when I use a username that exists on the system:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:13:28 etch sshd[5789]: Failed password for robert from
192.168.2.40 port 40727 ssh2
Jun 28 07:13:34 etch sshd[5798]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
user=robert
Jun 28 07:13:37 etch sshd[5798]: Failed password for robert from
192.168.2.40 port 40729 ssh2
Jun 28 07:13:39 etch sshd[5798]: Failed password for robert from
192.168.2.40 port 40729 ssh2
Jun 28 07:13:42 etch sshd[5798]: Failed password for robert from
192.168.2.40 port 40729 ssh2
Jun 28 07:13:48 etch sshd[5800]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
user=robert
Jun 28 07:13:49 etch sshd[5800]: Failed password for robert from
192.168.2.40 port 40730 ssh2
Jun 28 07:13:52 etch sshd[5800]: Failed password for robert from
192.168.2.40 port 40730 ssh2
Jun 28 07:13:56 etch sshd[5800]: Failed password for robert from
192.168.2.40 port 40730 ssh2
<etc>

On the other hand - if I use a non-existent user the following happens:

# tail -n0 -F /var/log/messages | tee -a /dev/stderr | /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Jun 28 07:24:44 etch sshd[5922]: Invalid user foobar from 192.168.2.40
Jun 28 07:24:45 etch sshd[5922]: Failed none for invalid user foobar
from 192.168.2.40 port 58171 ssh2
Matched IP address 192.168.2.40
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:48 etch sshd[5922]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:24:50 etch sshd[5922]: Failed password for invalid user
foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:24:55 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:24:56 etch sshd[5922]: Failed password for invalid user
foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:01 etch sshd[5922]: (pam_unix) check pass; user unknown
Jun 28 07:25:03 etch sshd[5922]: Failed password for invalid user
foobar from 192.168.2.40 port 58171 ssh2
Jun 28 07:25:04 etch sshd[5924]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:04 etch sshd[5924]: Failed none for invalid user foobar
from 192.168.2.40 port 58172 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:06 etch sshd[5924]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:09 etch sshd[5924]: Failed password for invalid user
foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:13 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:15 etch sshd[5924]: Failed password for invalid user
foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:16 etch sshd[5924]: (pam_unix) check pass; user unknown
Jun 28 07:25:18 etch sshd[5924]: Failed password for invalid user
foobar from 192.168.2.40 port 58172 ssh2
Jun 28 07:25:20 etch sshd[5926]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:20 etch sshd[5926]: Failed none for invalid user foobar
from 192.168.2.40 port 58173 ssh2
Matched IP address 192.168.2.40
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) check pass; user unknown
Jun 28 07:25:21 etch sshd[5926]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=basement.schmidli.com.au
Jun 28 07:25:23 etch sshd[5926]: Failed password for invalid user
foobar from 192.168.2.40 port 58173 ssh2
Jun 28 07:25:25 etch sshd[5928]: Invalid user foobar from 192.168.2.40
Jun 28 07:25:25 etch sshd[5928]: Failed none for invalid user foobar
from 192.168.2.40 port 58174 ssh2
Matched IP address 192.168.2.40
Blocking 192.168.2.40: 4 failures over 40 seconds.

Setting environment: SSHG_ADDR=192.168.2.40;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard
-s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s
$SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

Strangely, I am still able to log into "etch".  iptables -L gives me:

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  myhost.mydomain.com.au  anywhere

Further - if I run sshguard with no input, and feed it "Failed
password for robert from 192.168.2.40 port 40727 ssh2", it does
nothing:

# /usr/local/sbin/sshguard
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2
Failed password for robert from 192.168.2.40 port 40727 ssh2

It appears to me that sshguard doesn't recognise most of my log messages??

2007	Jan	Feb	Mar (10)	Apr (7)	May (6)	Jun (13)	Jul (4)	Aug	Sep	Oct (17)	Nov (5)	Dec (4)
2008	Jan (2)	Feb	Mar	Apr (4)	May (2)	Jun (7)	Jul (10)	Aug (4)	Sep (14)	Oct	Nov (1)	Dec (7)
2009	Jan (17)	Feb (20)	Mar (11)	Apr (14)	May (8)	Jun (3)	Jul (22)	Aug (9)	Sep (8)	Oct (6)	Nov (4)	Dec (8)
2010	Jan (17)	Feb (9)	Mar (15)	Apr (24)	May (14)	Jun (1)	Jul (21)	Aug (6)	Sep (2)	Oct (2)	Nov (6)	Dec (9)
2011	Jan (11)	Feb (1)	Mar (3)	Apr (4)	May	Jun	Jul (2)	Aug (3)	Sep (2)	Oct (29)	Nov (1)	Dec (1)
2012	Jan (1)	Feb (1)	Mar	Apr (13)	May (4)	Jun (9)	Jul (2)	Aug (2)	Sep (1)	Oct (2)	Nov (11)	Dec (4)
2013	Jan (2)	Feb (2)	Mar (4)	Apr (13)	May (4)	Jun	Jul	Aug (1)	Sep (5)	Oct (3)	Nov (1)	Dec (3)
2014	Jan	Feb (3)	Mar (3)	Apr (6)	May (8)	Jun	Jul	Aug (1)	Sep (1)	Oct (3)	Nov (14)	Dec (8)
2015	Jan (16)	Feb (30)	Mar (20)	Apr (5)	May (33)	Jun (11)	Jul (15)	Aug (91)	Sep (23)	Oct (10)	Nov (7)	Dec (9)
2016	Jan (22)	Feb (8)	Mar (6)	Apr (23)	May (38)	Jun (29)	Jul (43)	Aug (43)	Sep (18)	Oct (8)	Nov (2)	Dec (25)
2017	Jan (38)	Feb (3)	Mar (1)	Apr	May (18)	Jun (2)	Jul (16)	Aug (2)	Sep	Oct (1)	Nov (4)	Dec (14)
2018	Jan (15)	Feb (2)	Mar (3)	Apr (5)	May (8)	Jun (12)	Jul (19)	Aug (16)	Sep (8)	Oct (13)	Nov (15)	Dec (10)
2019	Jan (9)	Feb (3)	Mar	Apr (2)	May	Jun (1)	Jul	Aug (5)	Sep (5)	Oct (12)	Nov (4)	Dec
2020	Jan (2)	Feb (6)	Mar	Apr	May (11)	Jun (1)	Jul (3)	Aug (22)	Sep (8)	Oct	Nov (2)	Dec
2021	Jan (7)	Feb	Mar (19)	Apr	May (10)	Jun (5)	Jul (7)	Aug (3)	Sep (1)	Oct	Nov (10)	Dec (4)
2022	Jan (17)	Feb	Mar (7)	Apr (3)	May	Jun (1)	Jul (3)	Aug	Sep	Oct (6)	Nov	Dec
2023	Jan	Feb (5)	Mar (1)	Apr (3)	May	Jun (3)	Jul (2)	Aug	Sep	Oct	Nov (6)	Dec
2024	Jan	Feb	Mar	Apr	May (3)	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar (15)	Apr (8)	May (10)	Jun	Jul	Aug	Sep (6)	Oct	Nov	Dec

sshguard-users Mailing List for SSHGuard (Page 63)

Intelligently block brute-force attacks by aggregating system logs

sshguard-users — User questions and answers, bugs, and general support