pfSense

I can't reproduce this here on amd64, it blocks me when I try. I am on the default settings of 20/120/1800, but I also tried with your settings and it worked both ways.

Invalid user test:

Apr 22 09:54:22 rose sshd[93174]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292
Apr 22 09:54:22 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: Postponed keyboard-interactive for invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292 ssh2 [preauth]
Apr 22 09:54:23 rose sshd[93174]: Connection closed by invalid user aelkjrgneskwlrg 198.51.100.108 port 53292 [preauth]
Apr 22 09:54:24 rose sshd[93713]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53294
Apr 22 09:54:24 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.

Incorrect password test:

Apr 22 09:59:32 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:32 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:34 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:34 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:34 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:35 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:36 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:36 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:36 rose sshguard[40084]: Blocking "198.51.100.24/32" for 120 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)

Is sshguard running? (Check in ps uxawww output) Are you using any non-default logging options or alternate logging setups (like the syslog-ng package)?

We've been able to confirm this internally now, but it isn't consistent. Some work, some do not, across all platforms, but we haven't yet identified what is causing the difference in behavior.

I have a lead on what happened. Somehow the sshguard port is missing at least one patch, files/patch-src_sshguard.in. Working systems have an identical version of sshguard but the contents did not match. Reinstalling sshguard on a working system caused it to start failing in a manner similar to the others.

The sshguard port is now working and a new version has been built from it.

To obtain the corrected version of sshguard, sshguard-2.4.0_4,1 (or later), update the package manually:

pkg-static update -f; pkg-static upgrade -yf sshguard

No additional action is needed, the next relevant system log message will automatically re-launch sshguard. For example, log out and back into the GUI.

To check if it is running, use ps uxaww | grep sshg, which should show output similar to the following:

: ps uxaww | grep sshg
root    39577   0.0  0.0   6976     0  -  IWs  -           0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root    39742   0.0  0.4  12016  1956  -  IC   09:59       0:00.01 /usr/local/libexec/sshg-parser
root    40084   0.0  0.4   6536  1796  -  IC   09:59       0:00.09 /usr/local/libexec/sshg-blocker
root    40155   0.0  0.0   6976     0  -  IW   -           0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root    40167   0.0  0.4   6976  1744  -  I    09:59       0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf

All indications are that this is OK now. I have tested on several different platforms (amd64, SG-1000, SG-1100, SG-3100) and some of the support crew have also tested and confirmed it is working.

Marking as 2.5.0 (even though it applied to 2.4.x) for now. Will change if needed.