[Bug 1124121] New: security/sshguard: Unable to parse SSH invalid user entries, version bump request
http://bugzilla.opensuse.org/show_bug.cgi?id=1124121

Bug ID: 1124121
Summary: security/sshguard: Unable to parse SSH invalid user entries, version bump request
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: meissner@suse.com
Reporter: tiziano.mueller@chem.uzh.ch
QA Contact: bnc-team-screening@forge.provo.novell.com
Found By: ---
Blocker: ---

I have the following entries in my /var/log/sshguard-journal-tail:

Feb 04 09:48:04 myserv sshd[47630]: Invalid user ericsson from 68.183.117.212 port 59314
Feb 04 09:48:04 myserv sshd[47630]: Received disconnect from 68.183.117.212 port 59314:11: Bye Bye [preauth]
Feb 04 09:48:04 myserv sshd[47630]: Disconnected from invalid user ericsson 68.183.117.212 port 59314 [preauth]

which gives me the following when debugging SSHGuard:

tail /var/log/sshguard-journal-tail | env SSHGUARD_DEBUG=foo /usr/sbin/sshguard
[...]
--accepting rule at line 91 ("Feb 04 09:48:04 myserv sshd[47630]: ")
yydebug: state 0, reading 262 (SYSLOG_BANNER_PID)
yydebug: state 0, shifting to state 1
--accepting rule at line 126 ("Invalid user ericsson from ")
yydebug: state 1, reading 272 (SSH_INVALUSERPREF)
yydebug: state 1, shifting to state 8
--accepting rule at line 209 ("68.183.117.212")
yydebug: state 8, reading 257 (IPv4)
yydebug: state 8, shifting to state 60
yydebug: state 60, reducing by rule 27 (addr : IPv4)
yydebug: after reduction, shifting from state 8 to state 63
yydebug: state 63, reducing by rule 35 (ssh_illegaluser : SSH_INVALUSERPREF addr)
yydebug: after reduction, shifting from state 1 to state 49
yydebug: state 49, reducing by rule 30 (sshmsg : ssh_illegaluser)
yydebug: after reduction, shifting from state 1 to state 37
yydebug: state 37, reducing by rule 14 (msg_single : sshmsg)
yydebug: after reduction, shifting from state 1 to state 36
yydebug: state 36, reducing by rule 12 (logmsg : msg_single)
yydebug: after reduction, shifting from state 1 to state 54
yydebug: state 54, reducing by rule 6 (syslogent : SYSLOG_BANNER_PID logmsg)
yydebug: after reduction, shifting from state 0 to state 31
yydebug: state 31, reducing by rule 1 (text : syslogent)
yydebug: after reduction, shifting from state 0 to state 29
--accepting rule at line 232 (" ")
--accepting rule at line 231 ("port")
yydebug: state 29, reading 260 (WORD)
yydebug: error recovery discarding state 29
yydebug: error recovery discarding state 0
[...]

and the IP is therefore never blocked, rendering SSHGuard useless.

This is on SLES 15 with sshguard-1.7.1-bp150.2.4 from SUSE-PackageHub-15-Standard-Pool.

A short test with a manually compiled SSHGuard 2.3.1 shows that this is fixed in the most recent version of SSHGuard.

Furthermore, FirewallD support is included in SSHGuard starting from 2.0, which would also be useful since you deprecated the SuSEFirewall and switched to FirewallD.

--
You are receiving this mail because:
You are on the CC list for the bug.
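
Added example, not part of the original report and not SSHGuard's own code: a small Python regression check for the failure the trace shows, where the entry is already complete after the address and the trailing " port 59314" causes the whole line to be discarded. The two regular expressions are assumptions that model that behaviour, not the project's lex/yacc grammar, and the last sample line is constructed.

```python
import re

# Syslog banner with PID, e.g. "Feb 04 09:48:04 myserv sshd[47630]: "
BANNER = r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
IPV4 = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = BANNER + r"Invalid user \S+ from " + IPV4

# Assumption: models the behaviour in the trace, where nothing may
# follow the address, so " port N" makes the line unparseable.
STRICT = re.compile(PREFIX + r"$")
# Assumption: tolerant form that accepts the optional " port N" suffix.
TOLERANT = re.compile(PREFIX + r"(?: port \d+)?$")

SAMPLE = [
    # The three lines quoted in the report.
    "Feb 04 09:48:04 myserv sshd[47630]: Invalid user ericsson from "
    "68.183.117.212 port 59314",
    "Feb 04 09:48:04 myserv sshd[47630]: Received disconnect from "
    "68.183.117.212 port 59314:11: Bye Bye [preauth]",
    "Feb 04 09:48:04 myserv sshd[47630]: Disconnected from invalid user "
    "ericsson 68.183.117.212 port 59314 [preauth]",
    # Constructed line without a port suffix (documentation address).
    "Feb 04 09:50:11 myserv sshd[47702]: Invalid user admin from 192.0.2.10",
]


def offenders(lines, pattern):
    """Return source addresses of lines the pattern recognises as attacks."""
    return [m.group("addr") for line in lines if (m := pattern.match(line))]


def missed(lines):
    """Addresses the tolerant pattern reports but the strict one never sees."""
    seen = set(offenders(lines, STRICT))
    return [a for a in offenders(lines, TOLERANT) if a not in seen]


if __name__ == "__main__":
    print("strict:  ", offenders(SAMPLE, STRICT))
    print("tolerant:", offenders(SAMPLE, TOLERANT))
    print("missed:  ", missed(SAMPLE))
```

Running the same kind of check against real log lines after an sshd or SSHGuard update shows whether a log format change has silently stopped attackers from being counted.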