Project

General

Profile

Actions

Bug #10488

closed

sshguard fails to run on pfSense 2.4.5

Added by Max Green about 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Urgent
Category:
Operating System
Target version:
Start date:
04/21/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.5
Affected Architecture:
All

Description

After upgrade to 2.4.5 sshguard stop working.
To check this bug, I tried to connect using the user test. Screenshot part of the general log and login protection settings is attached.
Firewal table 'sshguard' is also clean.

I've checked 6 diferent instances (amd64) updated to 2.4.5 and all of them affected. Instances on 2.4.4-p3 working fine.


Files

sshguard_settings.jpg (169 KB) sshguard_settings.jpg login protection settings Max Green, 04/21/2020 08:20 PM
ssh_log.jpg (789 KB) ssh_log.jpg ssh logon attempts in general log Max Green, 04/21/2020 08:20 PM
Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle

I can't reproduce this here on amd64, it blocks me when I try. I am on the default settings of 20/120/1800, but I also tried with your settings and it worked both ways.

Invalid user test:

Apr 22 09:54:22 rose sshd[93174]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292
Apr 22 09:54:22 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class  [preauth]
Apr 22 09:54:22 rose sshd[93174]: Postponed keyboard-interactive for invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292 ssh2 [preauth]
Apr 22 09:54:23 rose sshd[93174]: Connection closed by invalid user aelkjrgneskwlrg 198.51.100.108 port 53292 [preauth]
Apr 22 09:54:24 rose sshd[93713]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53294
Apr 22 09:54:24 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.

Incorrect password test:

Apr 22 09:59:32 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:32 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:34 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:34 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:34 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:35 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: user jimp login class  [preauth]
Apr 22 09:59:36 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:36 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:36 rose sshguard[40084]: Blocking "198.51.100.24/32" for 120 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)

Is sshguard running? (Check in ps uxawww output) Are you using any non-default logging options or alternate logging setups (like the syslog-ng package)?

Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Confirmed
  • Priority changed from Normal to Urgent
  • Affected Architecture All added
  • Affected Architecture deleted (amd64)

We've been able to confirm this internally now, but it isn't consistent. Some work, some do not, across all platforms, but we haven't yet identified what is causing the difference in behavior.

Actions #3

Updated by Jim Pingle about 2 years ago

  • Assignee changed from Jim Pingle to Renato Botelho

I have a lead on what happened. Somehow the sshguard port is missing at least one patch, files/patch-src_sshguard.in. Working systems have an identical version of sshguard but the contents did not match. Reinstalling sshguard on a working system caused it to start failing in a manner similar to the others.

Actions #4

Updated by Jim Pingle about 2 years ago

  • Status changed from Confirmed to Feedback

The sshguard port is now working and a new version has been built from it.

To obtain the corrected version of sshguard, sshguard-2.4.0_4,1 (or later), update the package manually:

pkg-static update -f; pkg-static upgrade -yf sshguard

No additional action is needed, the next relevant system log message will automatically re-launch sshguard. For example, log out and back into the GUI.

To check if it is running, use ps uxaww | grep sshg, which should show output similar to the following:

: ps uxaww | grep sshg
root    39577   0.0  0.0   6976     0  -  IWs  -           0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root    39742   0.0  0.4  12016  1956  -  IC   09:59       0:00.01 /usr/local/libexec/sshg-parser
root    40084   0.0  0.4   6536  1796  -  IC   09:59       0:00.09 /usr/local/libexec/sshg-blocker
root    40155   0.0  0.0   6976     0  -  IW   -           0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root    40167   0.0  0.4   6976  1744  -  I    09:59       0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
Actions #5

Updated by Jim Pingle about 2 years ago

  • Subject changed from After upgrade to 2.4.5 sshguard stop working. to sshguard fails to run on pfSense 2.4.5
Actions #6

Updated by Max Green about 2 years ago

Yes, now its working as expected.

Actions #7

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.5.0

All indications are that this is OK now. I have tested on several different platforms (amd64, SG-1000, SG-1100, SG-3100) and some of the support crew have also tested and confirmed it is working.

Marking as 2.5.0 (even though it applied to 2.4.x) for now. Will change if needed.

Actions #8

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.5.0 to 2.4.5-p1
Actions

Also available in: Atom PDF