Package: sshguard
Version: 1.7.1-1
Severity: important
Tags: patch

Dear maintainer,

Quite a long time ago, I noticed that sshguard stopped detecting one of the
most popular lines in auth.log for ssh, which looks like this:

Jun  1 00:02:59 server sshd[15980]: Failed password for invalid user student from 119.28.7.243 port 60902 ssh2

Not being able to detect these lines renders sshguard pretty much
useless for detecting ssh attacks.

Until now I managed to mitigate that via an rsyslog rewriting template, but
now I decided to do things properly and send you a patch that makes
sshguard detect lines like these. I'm not very good with flex, but I've
tested it in sshguard debug mode, and it seems to work OK.

Please see the patch enclosed. It should be applied to the file
src/parser/attack_scanner.l. Is it possible that it will be accepted
in stretch? Thanks in advance!

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages sshguard depends on:
ii  init-system-helpers  1.48
ii  iptables             1.6.0+snapshot20161117-6
ii  libc6                2.24-11+deb9u3
ii  lsb-base             9.20161125

sshguard recommends no packages.

sshguard suggests no packages.

-- no debconf information
--- attack_scanner.orig.l       2016-10-11 19:22:37.000000000 +0300
+++ attack_scanner.l    2018-06-01 01:35:52.000000000 +0300
@@ -38,7 +38,7 @@
 
  /* Start Conditions */
  /* for Login services */
-%s ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect ssh_badproto 
ssh_badkex
+%s ssh_invaluser ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect 
ssh_badproto ssh_badkex
  /* for Mail services */
 %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied 
sendmail_authfailure postfix_loginerr
  /* for FTP services */
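Review bot: the new ssh_invaluser start condition is declared inclusive (%s) like its siblings, so rules with no start-condition prefix keep firing while it is active; that is what lets the address after "from " be tokenised as before, but nothing in this hunk says what the state is for, so a short comment next to the declaration (for example, that it only lasts until the trailing "port N ssh2" has been consumed) would help the next reader.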
@@ -124,6 +124,8 @@
 
  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
 [Ii]"nvalid user ".+" from "                                    { return 
SSH_INVALUSERPREF; }
+"Failed password for "?[Ii]"nvalid user ".+" from "             { 
BEGIN(ssh_invaluser); return SSH_INVALUSERPREF; }
+<ssh_invaluser>"port "{NUMBER}" ssh".?                          { 
BEGIN(INITIAL); }
  /* match disallowed user (not in AllowUsers/AllowGroups or in 
DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
 "User ".+" from "                                               { 
BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
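Review bot: in the new rule "Failed password for "?[Ii]"nvalid user ".+" from " the ? makes only the "Failed password for " prefix optional, so without the prefix this rule and the existing [Ii]"nvalid user ".+" from " rule above it match the same text at the same length and flex picks the earlier one; the ? is therefore redundant, and making the prefix mandatory would also make it clear that only the prefixed form enters ssh_invaluser. Second, the exit rule <ssh_invaluser>"port "{NUMBER}" ssh".? only returns to INITIAL once the trailing "port N ssh2" is seen; if a line carries the prefix but ends without a port, the scanner stays in ssh_invaluser for the next line, so unless the rest of the scanner already resets to INITIAL at end of line (not visible in this hunk), an end-of-line rule for that state should BEGIN(INITIAL) as well.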

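The matching the patch adds, written out as an added Python example (not sshguard's own scanner or parser code): it recognises both the bare "Invalid user X from ADDR" form that sshguard already handled and the "Failed password for invalid user X from ADDR port N ssh2" form from the report, and tallies hits per source address the way a blocker would. The sample log lines are constructed; the first is the line quoted in the report.

```python
import re

# Mirrors the two scanner rules in the patch: an optional
# "Failed password for " prefix, "invalid user", the user name, "from",
# the source address, and an optional trailing "port N ssh2".
INVALID_USER_RE = re.compile(
    r"(?:Failed password for )?[Ii]nvalid user (?P<user>.+?) from "
    r"(?P<addr>\S+)(?: port (?P<port>\d+) ssh\d?)?\s*$"
)


def parse_invalid_user(line: str):
    """Return (user, addr) for an OpenSSH invalid-user line, else None."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("addr")


# Constructed sample lines; the first is the one quoted in the bug report.
SAMPLE_LOG = [
    "Jun  1 00:02:59 server sshd[15980]: Failed password for invalid user "
    "student from 119.28.7.243 port 60902 ssh2",
    "Jun  1 00:03:10 server sshd[15990]: Invalid user admin from 119.28.7.243",
    "Jun  1 00:03:12 server sshd[15990]: Accepted publickey for alice "
    "from 10.0.0.5 port 50000 ssh2",
]


def count_by_source(lines):
    """Tally invalid-user attempts per source address; successful logins are ignored."""
    counts = {}
    for line in lines:
        hit = parse_invalid_user(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_invalid_user(line))
    print(count_by_source(SAMPLE_LOG))
```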