Bug ID 1124121
Summary security/sshguard: Unable to parse SSH invalid user entries, version bump request
Classification openSUSE
Product openSUSE.org
Version unspecified
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component 3rd party software
Assignee meissner@suse.com
Reporter tiziano.mueller@chem.uzh.ch
QA Contact bnc-team-screening@forge.provo.novell.com
Found By ---
Blocker ---

I have the following entries in my /var/log/sshguard-journal-tail:

  Feb 04 09:48:04 myserv sshd[47630]: Invalid user ericsson from 68.183.117.212 port 59314
  Feb 04 09:48:04 myserv sshd[47630]: Received disconnect from 68.183.117.212 port 59314:11: Bye Bye [preauth]
  Feb 04 09:48:04 myserv sshd[47630]: Disconnected from invalid user ericsson 68.183.117.212 port 59314 [preauth]

which gives me the following when debugging SSHGuard:

  tail /var/log/sshguard-journal-tail | env SSHGUARD_DEBUG=foo /usr/sbin/sshguard
  [...]
  --accepting rule at line 91 ("Feb 04 09:48:04 myserv sshd[47630]: ")
  yydebug: state 0, reading 262 (SYSLOG_BANNER_PID)
  yydebug: state 0, shifting to state 1
  --accepting rule at line 126 ("Invalid user ericsson from ")
  yydebug: state 1, reading 272 (SSH_INVALUSERPREF)
  yydebug: state 1, shifting to state 8
  --accepting rule at line 209 ("68.183.117.212")
  yydebug: state 8, reading 257 (IPv4)
  yydebug: state 8, shifting to state 60
  yydebug: state 60, reducing by rule 27 (addr : IPv4)
  yydebug: after reduction, shifting from state 8 to state 63
  yydebug: state 63, reducing by rule 35 (ssh_illegaluser : SSH_INVALUSERPREF addr)
  yydebug: after reduction, shifting from state 1 to state 49
  yydebug: state 49, reducing by rule 30 (sshmsg : ssh_illegaluser)
  yydebug: after reduction, shifting from state 1 to state 37
  yydebug: state 37, reducing by rule 14 (msg_single : sshmsg)
  yydebug: after reduction, shifting from state 1 to state 36
  yydebug: state 36, reducing by rule 12 (logmsg : msg_single)
  yydebug: after reduction, shifting from state 1 to state 54
  yydebug: state 54, reducing by rule 6 (syslogent : SYSLOG_BANNER_PID logmsg)
  yydebug: after reduction, shifting from state 0 to state 31
  yydebug: state 31, reducing by rule 1 (text : syslogent)
  yydebug: after reduction, shifting from state 0 to state 29
  --accepting rule at line 232 (" ")
  --accepting rule at line 231 ("port")
  yydebug: state 29, reading 260 (WORD)
  yydebug: error recovery discarding state 29
  yydebug: error recovery discarding state 0
  [...]

and the IP is therefore never blocked, rendering SSHGuard useless.

This is on SLES 15 with sshguard-1.7.1-bp150.2.4 from
SUSE-PackageHub-15-Standard-Pool.

A short test with a manually compiled SSHGuard 2.3.1 shows that this is fixed
in the most recent version of SSHGuard.
Furthermore, FirewallD support is included in SSHGuard starting from 2.0, which
would also be useful since you deprecated the SuSEFirewall and switched to
FirewallD.
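
The failure mode in the trace above, reproduced as an added example (not part of the original report and not SSHGuard's own grammar): a pattern that expects the message to end right after the address drops the "port N" form, while one with an optional port suffix catches both. The regular expressions and the function names are assumptions made for illustration; the last sample line is constructed.

```python
import re

# First three lines: the sshd entries from the report, unwrapped.
# Fourth line: constructed, older format without the "port N" suffix.
SAMPLE_LOG = """\
Feb 04 09:48:04 myserv sshd[47630]: Invalid user ericsson from 68.183.117.212 port 59314
Feb 04 09:48:04 myserv sshd[47630]: Received disconnect from 68.183.117.212 port 59314:11: Bye Bye [preauth]
Feb 04 09:48:04 myserv sshd[47630]: Disconnected from invalid user ericsson 68.183.117.212 port 59314 [preauth]
Feb 04 09:50:11 myserv sshd[47702]: Invalid user test from 192.0.2.10
"""

BANNER = r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
IPV4 = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
# The user name is greedy on purpose, so the address is read after the
# last " from " on the line (the one sshd itself appended).
PREFIX = BANNER + r"Invalid user .* from " + IPV4

# Model of the behaviour in the trace: nothing may follow the address.
STRICT = re.compile(PREFIX + r"$")
# Tolerant form: also accepts the trailing " port N".
TOLERANT = re.compile(PREFIX + r"(?: port (?P<port>\d+))?$")


def attackers(log, pattern):
    """Return the source addresses of lines the pattern recognises."""
    hits = []
    for line in log.splitlines():
        match = pattern.match(line)
        if match:
            hits.append(match.group("addr"))
    return hits


def missed_by_strict(log):
    """Lines the tolerant pattern flags but the strict one silently drops."""
    return [line for line in log.splitlines()
            if TOLERANT.match(line) and not STRICT.match(line)]


if __name__ == "__main__":
    print("strict  :", attackers(SAMPLE_LOG, STRICT))
    print("tolerant:", attackers(SAMPLE_LOG, TOLERANT))
    for line in missed_by_strict(SAMPLE_LOG):
        print("missed  :", line)
```

Running `missed_by_strict` over a real log after an sshd upgrade is a quick way to see whether a log-driven blocker has gone blind to a changed message format.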