2007-03-12

sshguard-2

I've been experimenting with sshguard today. It turns out it won't parse the log messages when sshd is using PAM for authentication. pam_tally might be used to prevent brute-force attacks, but I don't think it's as practical as sshguard, so I decided to add support for PAM messages to sshguard.
On my system this is what a PAM authentication failure looks like (one syslog line, wrapped here):
Mar 12 03:24:11 mars sshd[10656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=hawking

I added a regex to parse these messages, along with the other changes. The patch and the updated ebuild are here. It works fine now. To check, just keep entering wrong passwords into sshd:
hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..
Password: and again
Password: and again..
Permission denied (publickey,keyboard-interactive).
hawking@mars ~ $ ssh mars.solar
Password: ..wrong password..

After four tries sshguard blocked me :-)
Mar 12 03:24:11 mars sshguard[10658]: Blocking 127.0.0.1: 4 failures over 12 seconds
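To show what a parser for the pam_unix failure message and the "4 failures over 12 seconds" threshold look like in practice, here is an added example in Python. It is not sshguard's code or the patch mentioned above: the regex, the FailureTracker class, the sliding-window logic and the sample log lines (including the 10.0.0.9 host and the "Accepted publickey" line) are all constructed for this illustration. Syslog timestamps carry no year, so the parser takes one as a parameter (2007 is assumed as the default).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the pam_unix(sshd:auth) failure message shown above and captures
# the syslog timestamp, the remote host and the attempted user name.
# "\buser=" deliberately does not match the "ruser=" field that precedes it.
# This regex is an assumption for the example, not sshguard's own pattern.
PAM_FAILURE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*?"
    r"\brhost=(?P<rhost>\S*).*?\buser=(?P<user>\S*)"
)


def parse_pam_failure(line, year=2007):
    """Return {'ts', 'rhost', 'user'} for a PAM failure line, else None."""
    m = PAM_FAILURE.search(line)
    if not m:
        return None
    # syslog omits the year, so the caller supplies it (assumed 2007 here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "rhost": m.group("rhost") or None,  # rhost= may be empty
        "user": m.group("user") or None,
    }


class FailureTracker:
    """Sliding-window counter: block a host once it reaches `threshold`
    failures whose timestamps all fall within `window_seconds`."""

    def __init__(self, threshold=4, window_seconds=12):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.events = defaultdict(deque)  # rhost -> recent failure timestamps
        self.blocked = {}                 # rhost -> time of block decision

    def record(self, failure):
        host = failure["rhost"]
        if host is None or host in self.blocked:
            return None
        q = self.events[host]
        q.append(failure["ts"])
        # drop failures that are older than the window relative to this one
        while q and failure["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[host] = failure["ts"]
            span = int((q[-1] - q[0]).total_seconds())
            return f"Blocking {host}: {len(q)} failures over {span} seconds"
        return None


def scan(log_text, threshold=4, window_seconds=12, year=2007):
    """Run every line through the parser and tracker; return block messages."""
    tracker = FailureTracker(threshold, window_seconds)
    decisions = []
    for line in log_text.splitlines():
        failure = parse_pam_failure(line, year)
        if failure is None:
            continue  # not a PAM failure (e.g. a successful login)
        msg = tracker.record(failure)
        if msg:
            decisions.append(msg)
    return decisions


# Constructed sample log: four failures from 127.0.0.1 spanning exactly
# 12 seconds, one unrelated failure from another host, one successful login.
PAM = "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser="
SAMPLE_LOG = "\n".join([
    f"Mar 12 03:24:00 mars sshd[10656]: {PAM} rhost=127.0.0.1  user=hawking",
    f"Mar 12 03:24:03 mars sshd[10656]: {PAM} rhost=127.0.0.1  user=hawking",
    f"Mar 12 03:24:05 mars sshd[10657]: {PAM} rhost=10.0.0.9  user=root",
    f"Mar 12 03:24:07 mars sshd[10656]: {PAM} rhost=127.0.0.1  user=hawking",
    "Mar 12 03:24:09 mars sshd[10658]: Accepted publickey for hawking from 10.0.0.9 port 41234 ssh2",
    f"Mar 12 03:24:12 mars sshd[10659]: {PAM} rhost=127.0.0.1  user=hawking",
])

if __name__ == "__main__":
    for decision in scan(SAMPLE_LOG):
        print(decision)  # Blocking 127.0.0.1: 4 failures over 12 seconds
```

The window check compares each new failure against the oldest one still kept, so a host that fails slowly never accumulates a count, while four quick failures trigger a block message in the same shape as the sshguard line above. Note that an empty rhost (a local or non-network PAM failure) is skipped rather than counted against a fake host.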

I think sshguard will be cool when it has a list of different regexes to parse log messages with. I'm planning to let upstream know about it.