sshguard not working in recent version
sshguard in alpine 3.2.2 is not working as opposed to 1.5-r1 in alpine 3.1.4
Test string: Jul 24 11:29:08 vpn auth.info sshd[7870]: Failed password for root from 210.245.80.192 port 1160 ssh2
alpine 3.1.4 / sshguard 1.5 (working)
xxx:~# SSHGUARD_DEBUG="" sshguard
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain IPv4 127.0.0.1.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Run command "iptables -L": exited 0.
Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Jul 24 11:29:08 vpn auth.info sshd[7870]: Failed password for root from 210.245.80.192 port 1160 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Jul 24 11:29:08 vpn auth.info sshd[7870]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 142 ("Failed password for root from ")
Next token is token SSH_LOGINERR_PREF ()
Shifting token SSH_LOGINERR_PREF ()
Entering state 8
Reading a token: --accepting rule at line 201 ("210.245.80.192")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
$1 = token IPv4 ()
->$$ = nterm addr ()
Stack now 0 1 8
Entering state 55
Reading a token: --accepting rule at line 221 (" ")
--accepting rule at line 143 ("port 1160 ssh2")
Next token is token SSH_LOGINERR_SUFF ()
Shifting token SSH_LOGINERR_SUFF ()
Entering state 72
Reducing stack by rule 33 (line 278):
$1 = token SSH_LOGINERR_PREF ()
$2 = nterm addr ()
$3 = token SSH_LOGINERR_SUFF ()
->$$ = nterm ssh_authfail ()
Stack now 0 1
Entering state 32
Reducing stack by rule 27 (line 264):
$1 = nterm ssh_authfail ()
->$$ = nterm sshmsg ()
Stack now 0 1
Entering state 30
Reducing stack by rule 11 (line 169):
$1 = nterm sshmsg ()
->$$ = nterm msg_single ()
Stack now 0 1
Entering state 28
Reducing stack by rule 9 (line 163):
$1 = nterm msg_single ()
->$$ = nterm logmsg ()
Stack now 0 1
Entering state 46
Reducing stack by rule 5 (line 138):
$1 = token SYSLOG_BANNER_PID ()
$2 = nterm logmsg ()
->$$ = nterm syslogent ()
Stack now 0
Entering state 24
Reducing stack by rule 1 (line 122):
$1 = nterm syslogent ()
->$$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 221 ("
")
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address 210.245.80.192:4 attacking service 100, dangerousness 10.
Purging stale attackers.
alpine v3.2.2 / sshguard 1.6.0-r0 (not working)
xxx~:# SSHGUARD_DEBUG="" sshguard
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain IPv4 127.0.0.1.
Set environment: SSHG_ACTION=init;SSHG_PID=1450
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Run command "iptables -w -L -n": exited 0.
Started with danger threshold=40 ; minimum block=420 seconds
Jul 24 11:29:08 vpn auth.info sshd[7870]: Failed password for root from 210.245.80.192 port 1160 ssh2
Starting parse
Entering state 0
Reading a token: --accepting rule at line 96 ("Jul 24 11:29:08 vpn ")
Next token is token SYSLOG_BANNER ()
Shifting token SYSLOG_BANNER ()
Entering state 3
Reading a token: --accepting rule at line 197 ("auth.info")
Next token is token HOSTADDR ()
Error: popping token SYSLOG_BANNER ()
Stack now 0
Cleanup: discarding lookahead token HOSTADDR ()
Stack now 0
(from redmine: issue id 4467, created on 2015-07-24)
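The two traces differ at the lexer: sshguard 1.5 swallowed `Jul 24 11:29:08 vpn auth.info sshd[7870]: ` as a single SYSLOG_BANNER_PID token, whereas 1.6.0 stops after the hostname (SYSLOG_BANNER), then lexes the busybox syslogd `auth.info` facility.level field as HOSTADDR and abandons the parse before the attacker address is ever reached. The Python below is an added illustration of that failure mode, not sshguard's code: it parses sshd "Failed password" lines with a strict layout (program name directly after the hostname) and with a tolerant layout that allows the optional facility.level word, and shows the strict one silently dropping the report's test string. The second sample line and the `addresses_over_threshold` model (dangerousness 10 per attack against a threshold of 40, the numbers in the trace) are constructed for the example and are not sshguard's implementation.

```python
"""Parse sshd "Failed password" lines in two syslog layouts.

Added example, not sshguard's code. Busybox syslogd writes a
"facility.level" field (here "auth.info") between the hostname and the
program name; a parser that expects the program name right after the
hostname rejects the whole line, which is what the 1.6.0 trace shows.
"""
import re
from typing import Dict, Iterable, List, Optional

# Pieces shared by both layouts.
_TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"
_HOST = r"(?P<host>\S+)"
_PROG = r"sshd\[(?P<pid>\d+)\]:"
_MSG = (r"Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2")

# Strict layout: program name must directly follow the hostname (classic syslogd).
STRICT_RE = re.compile(rf"^{_TS} {_HOST} {_PROG} {_MSG}$")

# Tolerant layout: an optional "facility.level" word may sit between host and program.
TOLERANT_RE = re.compile(
    rf"^{_TS} {_HOST}(?: (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+))? {_PROG} {_MSG}$"
)


def parse_failed_login(line: str, pattern: re.Pattern = TOLERANT_RE) -> Optional[dict]:
    """Return the fields of a failed-password line, or None if the layout is not recognised."""
    m = pattern.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    fields["port"] = int(fields["port"])
    return fields


def count_attacks(lines: Iterable[str], pattern: re.Pattern = TOLERANT_RE) -> Dict[str, int]:
    """Tally recognised failed logins per source address; unparsed lines are dropped."""
    tally: Dict[str, int] = {}
    for line in lines:
        event = parse_failed_login(line, pattern)
        if event:
            tally[event["ip"]] = tally.get(event["ip"], 0) + 1
    return tally


def addresses_over_threshold(tally: Dict[str, int], danger_per_attack: int = 10,
                             threshold: int = 40) -> List[str]:
    """Addresses whose accumulated danger reaches the threshold.

    Simplified model of the numbers in the trace (dangerousness 10 per
    attack, danger threshold 40); this is an assumption for the example,
    not sshguard's actual scoring code.
    """
    return sorted(ip for ip, n in tally.items() if n * danger_per_attack >= threshold)


# The report's test string (busybox syslogd layout, with "auth.info").
REPORT_LINE = ("Jul 24 11:29:08 vpn auth.info sshd[7870]: "
               "Failed password for root from 210.245.80.192 port 1160 ssh2")
# Constructed classic-layout line (no facility.level field) for comparison.
CLASSIC_LINE = ("Jul 24 11:29:09 vpn sshd[7871]: "
                "Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2")

if __name__ == "__main__":
    print("strict  :", parse_failed_login(REPORT_LINE, STRICT_RE))  # None: layout rejected
    print("tolerant:", parse_failed_login(REPORT_LINE))             # fields extracted
    sample = [REPORT_LINE] * 4 + [CLASSIC_LINE]
    tally = count_attacks(sample)
    print(tally, addresses_over_threshold(tally))
```

Running the strict pattern over a busybox-format log yields an empty tally, which is the operationally dangerous outcome here: no error is raised, the daemon just never blocks anyone. A useful check after upgrading a log parser is to feed it one known-bad line from the actual syslog implementation in use and confirm the address comes back.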