I heard about this RegreSSHion bug and was updating my server today. After the update, sshguard does not detect anything anymore. I think it is because the log line looks different: "sshd" vs "sshd-session" in the process name.
However, I was wondering if the latest changes introduced in OpenSSH make sshguard obsolete? It has introduced a penalty system which to me looks similar to what sshguard tries to do.
For reference: "https://www.openssh.com/txt/release-9.8" in the "New Feature" section.
Last edited by coolion (2024-07-11 18:20:37)
Wow! I aged by like 6 months today trying to figure out why neither fail2ban nor sshguard was working on my newly set up server, and way past midnight I find out that this turns out to be the cause...
Thank you for mentioning this. I would've never found it.
I am afraid that this new sshd feature does not obsolete fail2ban.
After trying to configure it to mimic fail2ban's behavior (the default does not quite do the job), once sshd blocks an IP, I am still successfully able to nmap scan the sshd server (from the blocked IP) :-(
The workaround to allow fail2ban to block sshd attacks is to change the file /etc/fail2ban/filter.d/sshd.conf as below.
- _daemon = sshd
+ _daemon = sshd-session
Last edited by nickeP (2024-07-09 09:39:49)
So for now I keep sshguard active just to be sure.
Thank you for your answer, it was helpful because I remembered the sshguard config, where the line with the unit name can be adapted to the new process name.
"/etc/sshguard.conf":
- LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
+ LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd-session -o cat"
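Added example, not from this thread or from the fail2ban/sshguard projects: a small fail2ban-style matcher run over constructed journal lines, showing why a syslog-tag pattern of plain `sshd` stops matching once OpenSSH 9.8 logs from `sshd-session`, and that a pattern accepting both tags (the equivalent of the `_daemon` and `-t` changes above) restores detection. The log lines, IPs and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed journal lines (journalctl default "short" output): the first from
# a pre-9.8 daemon tagged "sshd", the rest from 9.8+ where the per-connection
# process logs under the tag "sshd-session". Hosts and IPs are made up.
SAMPLE_LOG = """\
Jul 11 18:20:37 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 11 18:20:38 host sshd-session[1240]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 11 18:20:39 host sshd-session[1241]: Connection closed by authenticating user root 198.51.100.7 port 40022 [preauth]
Jul 11 18:20:40 host sshd-session[1242]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:xxxx
"""

# Two failure patterns in the spirit of fail2ban's sshd filter (reduced to the
# message forms present in the sample); each captures the client address.
FAILURE_PATTERNS = [
    re.compile(r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"Connection closed by authenticating user \S+ (?P<ip>[0-9a-fA-F.:]+) port \d+ \[preauth\]"),
]

OLD_DAEMON = r"sshd"                 # what the old filter / "-t sshd" matched
NEW_DAEMON = r"sshd(?:-session)?"    # accepts both tags


def offending_ips(log_text, daemon_pattern):
    """Return the client IPs of authentication failures whose syslog tag
    matches daemon_pattern, in log order."""
    prefix = re.compile(
        r"^\S+ +\d+ [\d:]+ \S+ (?:" + daemon_pattern + r")\[\d+\]: (?P<msg>.*)$"
    )
    ips = []
    for line in log_text.splitlines():
        m = prefix.match(line)
        if not m:          # tag did not match: the line is invisible to the filter
            continue
        for pat in FAILURE_PATTERNS:
            hit = pat.search(m.group("msg"))
            if hit:
                ips.append(hit.group("ip"))
                break
    return ips


def ban_candidates(log_text, daemon_pattern, threshold):
    """IPs with at least `threshold` failures, the way a maxretry-style
    rule would select them."""
    counts = Counter(offending_ips(log_text, daemon_pattern))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("old tag pattern:", offending_ips(SAMPLE_LOG, OLD_DAEMON))
    print("new tag pattern:", offending_ips(SAMPLE_LOG, NEW_DAEMON))
    print("banned (threshold 2):", ban_candidates(SAMPLE_LOG, NEW_DAEMON, 2))
```

With the old pattern only the single pre-9.8 line is seen, so 203.0.113.5 never reaches a threshold of two failures; with the combined pattern it does.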