sshguard-2
I've been experimenting with sshguard
today. It turns out it won't parse the log messages when sshd is
using pam for authentication.
pam_tally might be used to
prevent brute-force attacks, but I don't think it's as practical as
sshguard, so I decided to add support for PAM messages to
sshguard.
On my system this is what a PAM authentication failure looks like:
Mar 12 03:24:11 mars sshd[10656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=hawking
I added a regex to parse the messages, along with the other changes.
The patch and the updated ebuild are
here. It works fine now. To
check, just start entering wrong passwords into sshd:
hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..
Password: and again
Password: and again..
Permission denied (publickey,keyboard-interactive).
hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..
After four tries sshguard blocked me :-)
Mar 12 03:24:11 mars sshguard[10658]: Blocking 127.0.0.1: 4 failures over 12 seconds
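To make the two log lines above concrete, here is a small Python example, added to this post and not taken from sshguard or from the patch it describes: a regex for the pam_unix failure line quoted earlier, and a replay over a few constructed syslog lines that blocks a host after the same "4 failures over 12 seconds" sshguard reported. The regex treats the trailing user= field as optional (pam_unix omits it when the user name is unknown), and the 1200-second window, the 31-day month used to turn a year-less syslog timestamp into a number, and the sample log are all assumptions made for the example, not sshguard's real settings or output.

```python
import re
from collections import defaultdict, deque

# Example code added to this post; it is not part of sshguard or of the
# author's patch. Assumptions: "user=" is optional in the pam_unix line,
# the 1200 s window is a placeholder, and the sample log is constructed.

PAM_FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:auth\): authentication failure; "
    r"logname=(?P<logname>\S*) uid=(?P<uid>\d+) euid=(?P<euid>\d+) "
    r"tty=(?P<tty>\S*) ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)"
    r"(?: user=(?P<user>\S+))?\s*$"
)

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def syslog_seconds(ts):
    """Turn a year-less syslog timestamp into a monotonic second count.

    Only differences matter for the window check, so a fixed 31-day month
    is good enough here (assumption for this example).
    """
    mon, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return (((MONTHS[mon] * 31 + int(day)) * 24 + h) * 60 + m) * 60 + s


def parse_pam_failure(line):
    """Return the fields of a pam_unix auth failure line, or None."""
    m = PAM_FAILURE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()          # user is None when pam_unix left it out
    ev["seconds"] = syslog_seconds(ev["ts"])
    return ev


def detect(lines, threshold=4, window=1200):
    """Replay log lines; return (rhost, failures, span_seconds) per block.

    A host is blocked once it has `threshold` failures within `window`
    seconds. Lines from an already blocked host are ignored, which is what
    happened to the fifth attempt in the post.
    """
    recent = defaultdict(deque)   # rhost -> timestamps of recent failures
    blocked = set()
    blocks = []
    for line in lines:
        ev = parse_pam_failure(line)
        if ev is None or not ev["rhost"] or ev["rhost"] in blocked:
            continue
        now = ev["seconds"]
        q = recent[ev["rhost"]]
        q.append(now)
        while now - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ev["rhost"])
            blocks.append((ev["rhost"], len(q), now - q[0]))
            q.clear()
    return blocks


# Constructed sample log: four bad passwords from 127.0.0.1 over 12 seconds
# (as in the post), one failure for an unknown user from another host, an
# unrelated sshd line, and a fifth attempt after the block.
FAIL = ("Mar 12 03:%s mars sshd[%d]: pam_unix(sshd:auth): authentication "
        "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=%s%s")
SAMPLE_LOG = [
    FAIL % ("23:59", 10650, "127.0.0.1", " user=hawking"),
    FAIL % ("24:03", 10650, "127.0.0.1", " user=hawking"),
    FAIL % ("24:05", 10655, "10.0.0.5", ""),
    FAIL % ("24:07", 10650, "127.0.0.1", " user=hawking"),
    "Mar 12 03:24:09 mars sshd[10657]: Accepted publickey for hawking "
    "from 10.0.0.5 port 51234 ssh2",
    FAIL % ("24:11", 10656, "127.0.0.1", " user=hawking"),
    FAIL % ("24:20", 10660, "127.0.0.1", " user=hawking"),
]

if __name__ == "__main__":
    for rhost, n, span in detect(SAMPLE_LOG):
        print("Blocking %s: %d failures over %d seconds" % (rhost, n, span))
```

Running it prints one line, "Blocking 127.0.0.1: 4 failures over 12 seconds", matching the sshguard message above; raising the threshold or shrinking the window changes or suppresses the block, which is a quick way to sanity-check a new regex before handing it to sshguard.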
I think sshguard will be cool when it has a list of different
regexes to parse with. I'm planning to let upstream know about
it.