sshguard doesn't block bad guys in 15.10 with systemd
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sshguard (Ubuntu) | Fix Released | Critical | Unassigned | |
Bug Description
I'm running sshguard using the default Ubuntu sshguard package. It runs with the following command line:
/usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/
Unfortunately, /var/log/auth.log is empty. Instead, logging goes to journalctl. This means that bad guys are not getting blocked. E.g.
$ journalctl
Sep 22 13:08:50 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:51 sjr-desktop sshd[32180]: pam_unix(
Sep 22 13:08:52 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:52 sjr-desktop sshd[32181]: pam_unix(
Sep 22 13:08:54 sjr-desktop sshd[32177]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:54 sjr-desktop sshd[32177]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:08:54 sjr-desktop sshd[32177]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:08:55 sjr-desktop sshd[32188]: pam_unix(
Sep 22 13:08:57 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:57 sjr-desktop sshd[32189]: pam_unix(
Sep 22 13:08:59 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:08:59 sjr-desktop sshd[32190]: pam_unix(
Sep 22 13:09:01 sjr-desktop sshd[32186]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:01 sjr-desktop sshd[32186]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:01 sjr-desktop sshd[32186]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:01 sjr-desktop sshd[32193]: pam_unix(
Sep 22 13:09:03 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:03 sjr-desktop sshd[32194]: pam_unix(
Sep 22 13:09:06 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:06 sjr-desktop sshd[32199]: pam_unix(
Sep 22 13:09:07 sjr-desktop sshd[32191]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:07 sjr-desktop sshd[32191]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:07 sjr-desktop sshd[32191]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:08 sjr-desktop sshd[32202]: pam_unix(
Sep 22 13:09:10 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:10 sjr-desktop sshd[32203]: pam_unix(
Sep 22 13:09:12 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:12 sjr-desktop sshd[32204]: pam_unix(
Sep 22 13:09:14 sjr-desktop sshd[32200]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:14 sjr-desktop sshd[32200]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:14 sjr-desktop sshd[32200]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:14 sjr-desktop sshd[32212]: pam_unix(
Sep 22 13:09:16 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:16 sjr-desktop sshd[32213]: pam_unix(
Sep 22 13:09:18 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:18 sjr-desktop sshd[32214]: pam_unix(
Sep 22 13:09:20 sjr-desktop sshd[32210]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:20 sjr-desktop sshd[32210]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:20 sjr-desktop sshd[32210]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:21 sjr-desktop sshd[32218]: pam_unix(
Sep 22 13:09:23 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:23 sjr-desktop sshd[32219]: pam_unix(
Sep 22 13:09:25 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:25 sjr-desktop sshd[32224]: pam_unix(
Sep 22 13:09:27 sjr-desktop sshd[32216]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:27 sjr-desktop sshd[32216]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:27 sjr-desktop sshd[32216]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:27 sjr-desktop sshd[32227]: pam_unix(
Sep 22 13:09:29 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:29 sjr-desktop sshd[32228]: pam_unix(
Sep 22 13:09:31 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:31 sjr-desktop sshd[32229]: pam_unix(
Sep 22 13:09:33 sjr-desktop sshd[32225]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:33 sjr-desktop sshd[32225]: Received disconnect from 43.229.53.13: 11: [preauth]
Sep 22 13:09:33 sjr-desktop sshd[32225]: Disconnected from 43.229.53.13 [preauth]
Sep 22 13:09:34 sjr-desktop sshd[32236]: pam_unix(
Sep 22 13:09:35 sjr-desktop sshd[32230]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:35 sjr-desktop sshd[32238]: pam_unix(
Sep 22 13:09:38 sjr-desktop sshd[32230]: error: PAM: Authentication failure for root from 43.229.53.13
Sep 22 13:09:38 sjr-desktop sshd[32241]: pam_unix(
Nothing is on the sshguard chain. When I try to do a bunch of auth failures myself, I don't get blocked.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: sshguard 1.6.0-1
ProcVersionSign
Uname: Linux 4.2.0-10-generic x86_64
NonfreeKernelMo
ApportVersion: 2.18.1-0ubuntu1
Architecture: amd64
Date: Tue Sep 22 13:06:28 2015
InstallationDate: Installed on 2013-10-04 (717 days ago)
InstallationMedia: Kubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
ProcEnviron:
TERM=screen-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: sshguard
UpgradeStatus: Upgraded to wily on 2015-08-19 (34 days ago)
information type: Public → Public Security
Changed in sshguard (Ubuntu): importance: Undecided → Critical
Changed in sshguard (Ubuntu): status: Confirmed → Triaged
Status changed to 'Confirmed' because the bug affects multiple users.
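
A check for the failure mode in this report, where the file the blocker watches stays empty while the journal fills with failures (an added example, not sshguard's code and not part of the report): it counts PAM failures per source address and lists the addresses over a threshold that are missing from the blocked set. The threshold, window, function names and sample lines are assumptions; in practice the blocked set would come from the firewall's sshguard chain.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same sshd line format as the journalctl excerpt in the report.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: Authentication failure for \S+ from (?P<ip>\S+)$")

# Constructed sample lines (documentation-range addresses), not from the report.
SAMPLE_JOURNAL = """\
Sep 22 13:08:50 host sshd[101]: error: PAM: Authentication failure for root from 203.0.113.7
Sep 22 13:08:52 host sshd[101]: error: PAM: Authentication failure for root from 203.0.113.7
Sep 22 13:08:54 host sshd[101]: error: PAM: Authentication failure for root from 203.0.113.7
Sep 22 13:08:54 host sshd[101]: Disconnected from 203.0.113.7 [preauth]
Sep 22 13:08:57 host sshd[102]: error: PAM: Authentication failure for root from 203.0.113.7
Sep 22 13:09:30 host sshd[103]: error: PAM: Authentication failure for admin from 198.51.100.20
Sep 22 13:10:01 host sshd[104]: error: PAM: Authentication failure for root from 203.0.113.99
Sep 22 13:10:03 host sshd[104]: error: PAM: Authentication failure for root from 203.0.113.99
Sep 22 13:10:05 host sshd[104]: error: PAM: Authentication failure for root from 203.0.113.99
""".splitlines()

def failures_by_ip(lines, year=2015):
    """Map each source IP to the timestamps of its PAM auth failures."""
    hits = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:  # syslog-style stamps carry no year, so one is supplied
            hits[m["ip"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return hits

def unblocked_offenders(lines, blocked, threshold=3, window=timedelta(minutes=20)):
    """IPs with >= threshold failures inside window that are absent from blocked."""
    out = {}
    for ip, stamps in failures_by_ip(lines).items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold and ip not in blocked:
            out[ip] = worst
    return out

def log_source_blind(watched_lines, journal_lines):
    """True when the journal records failures but the watched file has none."""
    return bool(failures_by_ip(journal_lines)) and not failures_by_ip(watched_lines)
```

Feeding it the contents of the watched log file and the journal output separately shows whether the blocker is reading a source that never receives the sshd messages.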