Package: sshguard
Version: 2.3.1-1
Severity: important
Dear Maintainer,
the default configuration shipped with the Debian package causes
sshguard to count its own attack messages as another attack and hence
all hosts are blocked on their first login failure, e.g.:
Apr 24 01:42:52 vsn sshd[11354]: Failed password for root from 112.85.42.189 port 35899 ssh2
Apr 24 01:42:53 vsn sshguard[11232]: Attack from "112.85.42.189" on service 100 with danger 10.
Apr 24 01:42:53 vsn sshguard[11232]: Attack from "112.85.42.189" on service 110 with danger 10.
Apr 24 01:42:54 vsn sshguard[11232]: Attack from "112.85.42.189" on service 110 with danger 10.
Apr 24 01:42:54 vsn sshguard[11232]: Blocking "112.85.42.189/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Upstream ships an example configuration where this is not the case as it
uses a different journalctl syntax. It works as it does not feed the
sshguard log messages back to sshguard.
Two minor notes in addition:
- also options like IPV6_SUBNET, IPV4_SUBNET and BLACKLIST_FILE are
missing in the Debian configuration file
- journalctl should IMHO use -n0 instead of -n1 because sshg-logtail
does the same for tail
Please also consider an update for Buster to ship the package with a
working default configuration.
Thanks
Andreas
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sshguard depends on:
ii libc6 2.28-10
ii lsb-base 10.2019031300
Versions of packages sshguard recommends:
ii nftables 0.9.0-2
sshguard suggests no packages.
-- Configuration Files:
/etc/sshguard/sshguard.conf changed [not included]
/etc/sshguard/whitelist changed [not included]
-- no debconf information
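
The feedback loop described in the report, as an added example that is not part of the original report and not sshguard's code: a toy scorer whose own "Attack from" messages land in the same journal it reads, run once unfiltered and once restricted to the sshd identifier. The threshold of 30 is an assumption taken from the "3 attacks" at danger 10 in the log excerpt, the sample line uses a documentation address, and filtering on the syslog identifier is one possible fix, not necessarily the syntax upstream uses.

```python
import re

# Patterns for the two message kinds seen in the report's log excerpt.
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+) port")
OWN_MSG = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service')
# Syslog identifier: the program name before "[pid]:".
IDENT = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ ([^\[:]+)")

DANGER = 10     # danger per attack, as in the report's log
THRESHOLD = 30  # assumption: block once the score reaches 30

# Constructed sample input: a single failed login from a documentation address.
SAMPLE = ["Apr 24 01:42:52 vsn sshd[11354]: Failed password for root "
          "from 192.0.2.10 port 35899 ssh2"]


def simulate(lines, identifiers=None, max_msgs=20):
    """Score attacks; every message the scorer logs is appended to the journal.

    identifiers=None models a log reader that sees the whole journal,
    a set such as {"sshd"} models one restricted to those programs.
    Returns (score per address, set of blocked addresses).
    """
    journal = list(lines)
    score, blocked, logged = {}, set(), 0
    while journal and logged < max_msgs:
        line = journal.pop(0)
        ident = IDENT.match(line)
        if identifiers is not None and (not ident or ident.group(1) not in identifiers):
            continue  # the log reader never delivers this line to the scorer
        hit = SSHD_FAIL.search(line) or OWN_MSG.search(line)
        if not hit or hit.group(1) in blocked:
            continue
        addr = hit.group(1)
        score[addr] = score.get(addr, 0) + DANGER
        # The scorer's own log message goes back into the shared journal.
        journal.append(f'Apr 24 01:42:53 vsn sshguard[11232]: Attack from '
                       f'"{addr}" on service 100 with danger {DANGER}.')
        logged += 1
        if score[addr] >= THRESHOLD:
            blocked.add(addr)
    return score, blocked


if __name__ == "__main__":
    print("whole journal:", simulate(SAMPLE))
    print("sshd only:    ", simulate(SAMPLE, identifiers={"sshd"}))
```
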