Bug #10488
closed
sshguard fails to run on pfSense 2.4.5
Added by Max Green over 4 years ago. Updated over 4 years ago.
Description
After upgrading to 2.4.5, sshguard stopped working.
To check this bug, I tried to connect using the user test. Screenshots of part of the general log and of the login protection settings are attached.
Firewall table 'sshguard' is also clean.
I've checked 6 different instances (amd64) updated to 2.4.5 and all of them are affected. Instances on 2.4.4-p3 are working fine.
Files
sshguard_settings.jpg (169 KB) | login protection settings | Max Green, 04/21/2020 08:20 PM
ssh_log.jpg (789 KB) | ssh logon attempts in general log | Max Green, 04/21/2020 08:20 PM
Updated by Jim Pingle over 4 years ago
- Status changed from New to Feedback
- Assignee set to Jim Pingle
I can't reproduce this here on amd64, it blocks me when I try. I am on the default settings of 20/120/1800, but I also tried with your settings and it worked both ways.
Invalid user test:
Apr 22 09:54:22 rose sshd[93174]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292
Apr 22 09:54:22 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class [preauth]
Apr 22 09:54:22 rose sshd[93174]: user NOUSER login class [preauth]
Apr 22 09:54:22 rose sshd[93174]: Postponed keyboard-interactive for invalid user aelkjrgneskwlrg from 198.51.100.108 port 53292 ssh2 [preauth]
Apr 22 09:54:23 rose sshd[93174]: Connection closed by invalid user aelkjrgneskwlrg 198.51.100.108 port 53292 [preauth]
Apr 22 09:54:24 rose sshd[93713]: Invalid user aelkjrgneskwlrg from 198.51.100.108 port 53294
Apr 22 09:54:24 rose sshguard[57272]: Attack from "198.51.100.108" on service SSH with danger 10.
Incorrect password test:
Apr 22 09:59:32 rose sshd[92790]: user jimp login class [preauth]
Apr 22 09:59:32 rose sshd[92790]: user jimp login class [preauth]
Apr 22 09:59:34 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:34 rose sshd[92790]: user jimp login class [preauth]
Apr 22 09:59:34 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:35 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:35 rose sshd[92790]: user jimp login class [preauth]
Apr 22 09:59:36 rose sshd[92790]: error: PAM: Authentication error for jimp from 198.51.100.24
Apr 22 09:59:36 rose sshguard[40084]: Attack from "198.51.100.24" on service SSH with danger 10.
Apr 22 09:59:36 rose sshguard[40084]: Blocking "198.51.100.24/32" for 120 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Is sshguard running? (Check in ps uxawww output.) Are you using any non-default logging options or alternate logging setups (like the syslog-ng package)?
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Confirmed
- Priority changed from Normal to Urgent
- Affected Architecture All added
- Affected Architecture deleted (amd64)
We've been able to confirm this internally now, but it isn't consistent. Some work, some do not, across all platforms, but we haven't yet identified what is causing the difference in behavior.
Updated by Jim Pingle over 4 years ago
- Assignee changed from Jim Pingle to Renato Botelho
I have a lead on what happened. Somehow the sshguard port is missing at least one patch, files/patch-src_sshguard.in. Working systems have an identical version of sshguard but the contents did not match. Reinstalling sshguard on a working system caused it to start failing in a manner similar to the others.
Updated by Jim Pingle over 4 years ago
- Status changed from Confirmed to Feedback
The sshguard port is now working and a new version has been built from it.
To obtain the corrected version of sshguard, sshguard-2.4.0_4,1 (or later), update the package manually:
pkg-static update -f; pkg-static upgrade -yf sshguard
No additional action is needed; the next relevant system log message will automatically re-launch sshguard. For example, log out and back into the GUI.
To check if it is running, use ps uxaww | grep sshg, which should show output similar to the following:
: ps uxaww | grep sshg
root 39577 0.0 0.0 6976 0 - IWs - 0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root 39742 0.0 0.4 12016 1956 - IC 09:59 0:00.01 /usr/local/libexec/sshg-parser
root 40084 0.0 0.4 6536 1796 - IC 09:59 0:00.09 /usr/local/libexec/sshg-blocker
root 40155 0.0 0.0 6976 0 - IW - 0:00.00 /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root 40167 0.0 0.4 6976 1744 - I 09:59 0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
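A health check built from the two signals in this thread (the process list above and the sshd/sshguard log pairs in the earlier comment), as an added example that is not part of the original thread or of pfSense's code: it lists sshguard components absent from ps output, and source addresses whose sshd failures never received an sshguard "Attack from" line. The sample log is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Reads `ps uxaww` output on stdin; prints each expected sshguard component
# (paths as shown in the thread) that does not appear in it.
missing_sshguard_procs() {
    ps_out=$(cat)
    for p in /usr/local/sbin/sshguard /usr/local/libexec/sshg-parser \
             /usr/local/libexec/sshg-blocker /usr/local/libexec/sshg-fw-pf; do
        printf '%s\n' "$ps_out" | grep -qF -- "$p" || printf '%s\n' "$p"
    done
}

# Reads syslog text on stdin; prints "<address> <failure count>" for every
# source with sshd failures but no sshguard "Attack from" line at all.
# Coarse by design: it compares per address, not per event or time window.
unanswered_failures() {
    awk '
    / sshd\[[0-9]+\]: Invalid user .* from / ||
    / sshd\[[0-9]+\]: error: PAM: Authentication error for .* from / {
        # Take the LAST "from": the user name is attacker-controlled text.
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from") { fail[$(i + 1)]++; break }
        next
    }
    / sshguard\[[0-9]+\]: Attack from "/ {
        split($0, q, "\"")          # address is the first quoted field
        seen[q[2]]++
    }
    END { for (ip in fail) if (!(ip in seen)) print ip, fail[ip] }' | sort
}

# Constructed sample: 203.0.113.7 is acknowledged by sshguard, 192.0.2.55 is not.
sample_log() {
    cat <<'EOF'
Apr 22 10:00:01 fw sshd[1001]: Invalid user test from 203.0.113.7 port 40000
Apr 22 10:00:01 fw sshguard[2002]: Attack from "203.0.113.7" on service SSH with danger 10.
Apr 22 10:05:10 fw sshd[1002]: Invalid user test from 192.0.2.55 port 40100
Apr 22 10:05:12 fw sshd[1002]: error: PAM: Authentication error for root from 192.0.2.55
Apr 22 10:05:14 fw sshd[1003]: Invalid user admin from 192.0.2.55 port 40102
EOF
}

sample_log | unanswered_failures
```

On a live system, feed the first function from ps uxaww and the second from the system log; any output from either means login protection is not reacting.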
Updated by Jim Pingle over 4 years ago
- Subject changed from After upgrade to 2.4.5 sshguard stop working. to sshguard fails to run on pfSense 2.4.5
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Resolved
- Target version set to 2.5.0
All indications are that this is OK now. I have tested on several different platforms (amd64, SG-1000, SG-1100, SG-3100) and some of the support crew have also tested and confirmed it is working.
Marking as 2.5.0 (even though it applied to 2.4.x) for now. Will change if needed.
Updated by Jim Pingle over 4 years ago
- Target version changed from 2.5.0 to 2.4.5-p1