Public bug reported:

I'm running sshguard using the default Ubuntu sshguard package. It runs with the following command line:

/usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -l /var/log/auth.log -a 40 -p 420 -s 1200

Unfortunately, /var/log/auth.log is empty. Instead, logging goes to journalctl. This means that bad guys are not getting blocked. E.g.

$ journalctl
Sep 22 13:08:50 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:51 sjr-desktop sshd[32180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:08:52 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:52 sjr-desktop sshd[32181]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:08:54 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:54 sjr-desktop sshd[32177]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:08:54 sjr-desktop sshd[32177]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:08:55 sjr-desktop sshd[32188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:08:57 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:57 sjr-desktop sshd[32189]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:08:59 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:59 sjr-desktop sshd[32190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:01 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:01 sjr-desktop sshd[32186]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:01 sjr-desktop sshd[32186]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:01 sjr-desktop sshd[32193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:03 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:03 sjr-desktop sshd[32194]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:06 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:06 sjr-desktop sshd[32199]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:07 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:07 sjr-desktop sshd[32191]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:07 sjr-desktop sshd[32191]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:08 sjr-desktop sshd[32202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:10 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:10 sjr-desktop sshd[32203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:12 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:12 sjr-desktop sshd[32204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:14 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:14 sjr-desktop sshd[32200]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:14 sjr-desktop sshd[32200]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:14 sjr-desktop sshd[32212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:16 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:16 sjr-desktop sshd[32213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:18 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:18 sjr-desktop sshd[32214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:20 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:20 sjr-desktop sshd[32210]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:20 sjr-desktop sshd[32210]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:21 sjr-desktop sshd[32218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:23 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:23 sjr-desktop sshd[32219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:25 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:25 sjr-desktop sshd[32224]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:27 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:27 sjr-desktop sshd[32216]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:27 sjr-desktop sshd[32216]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:27 sjr-desktop sshd[32227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:29 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:29 sjr-desktop sshd[32228]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:31 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:31 sjr-desktop sshd[32229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:33 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:33 sjr-desktop sshd[32225]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:33 sjr-desktop sshd[32225]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:34 sjr-desktop sshd[32236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:35 sjr-desktop sshd[32230]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:35 sjr-desktop sshd[32238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root
Sep 22 13:09:38 sjr-desktop sshd[32230]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:38 sjr-desktop sshd[32241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.13 user=root

Nothing is on the sshguard chain. When I try to do a bunch of auth failures myself, I don't get blocked.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: sshguard 1.6.0-1
ProcVersionSignature: Ubuntu 4.2.0-10.12-generic 4.2.0
Uname: Linux 4.2.0-10-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.18.1-0ubuntu1
Architecture: amd64
Date: Tue Sep 22 13:06:28 2015
InstallationDate: Installed on 2013-10-04 (717 days ago)
InstallationMedia: Kubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sshguard
UpgradeStatus: Upgraded to wily on 2015-08-19 (34 days ago)

** Affects: sshguard (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug wily

--
https://bugs.launchpad.net/bugs/1498643

Title:
  sshguard doesn't block bad guys in 15.10 with systemd
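
A check for the condition this report describes, sshguard pointed with -l at a file that receives nothing while sshd failures land in the journal. This is an added example, not part of the report or of the sshguard package; the function names and the 10-minute journal window are assumptions chosen for illustration.

```sh
#!/bin/sh
# Command line copied from the report above.
PAGE_CMDLINE='/usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -l /var/log/auth.log -a 40 -p 420 -s 1200'

# Print every FILE passed as "-l FILE" in an sshguard command line ($1).
watched_logs() {
    set -f                      # no globbing while the string is split
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        if [ "$1" = "-l" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            shift
        fi
        shift
    done
}

# Print the watched files that are missing or empty: no events reach
# sshguard through them, so nothing is ever blocked.
blind_logs() {
    watched_logs "$1" | while IFS= read -r f; do
        if [ ! -s "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Count sshd authentication failures recorded in the journal recently.
journal_auth_failures() {
    journalctl -t sshd --since=-10min --no-pager -q 2>/dev/null |
        grep -c 'authentication failure'
}

# Return 1 (and explain on stderr) when a watched log is empty or missing.
check_sshguard() {
    blind=$(blind_logs "$1")
    [ -n "$blind" ] || return 0
    n=$(journal_auth_failures) || true   # grep -c exits 1 on a zero count
    echo "sshguard watches empty or missing log(s): $blind" >&2
    echo "sshd auth failures in journal, last 10 min: ${n:-0}" >&2
    return 1
}

# On a live host: check_sshguard "$(ps -C sshguard -o args=)"
```

A non-zero exit together with a non-zero journal count is the situation in the report: failures are being recorded, but not in the file sshguard reads.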