Solved SSHguard - warning

I have just updated my SSHguard port and now when I restart the daemon or boot up my server I get the following message:

Code:
Warning! Sshguard now uses *attack dangerousness*, not occurrences, to gauge threats.
Default dangerousness per attack is 10, default threshold is 40.

I have the following in /etc/rc.conf:

Code:
sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth/auth.log:/var/log/system/messages"
sshguard_safety_thresh="3"
sshguard_pardon_min_interval="43200"
sshguard_prescribe_interval="7200"
sshguard_blacklist="40:/var/db/sshguard/blacklist.db"

I had a look in /usr/ports/UPDATING but didn't find anything. Do I need to do anything regarding this warning?
 
Sourcecode (sshguard_options.c):

Code:
if (opts.abuse_threshold < 1) {
    fprintf(stderr, "Doesn't make sense to have an abuse threshold lower than 1 attempt. Terminating.\n");
    usage();
    return -1;
} else if (opts.abuse_threshold < DEFAULT_ABUSE_THRESHOLD) {
    fprintf(stderr, "Warning! Sshguard now uses *attack dangerousness*, not occurrences, to gauge threats.\n");
    fprintf(stderr, "Default dangerousness per attack is %u, default threshold is %d.\n", DEFAULT_ATTACKS_DANGEROUSNESS, DEFAULT_ABUSE_THRESHOLD);
}

Code:
opts.abuse_threshold < DEFAULT_ABUSE_THRESHOLD
=> DEFAULT_ABUSE_THRESHOLD is 40. You have 3.
 
Aaah, thanks. I changed it to:

Code:
sshguard_safety_thresh="40"

and then restarted SSHguard and didn't get the warning. Thank you!
 

Actually, having given this some thought, I have a question: What exactly is "attack dangerousness"? The way I had sshguard set up, it allowed you to have 3 failed login attempts to SSH within a 2 hour window. If you logged in incorrectly more than 3 times in 2 hours you were blacklisted for 12 hours, which worked perfectly for my setup.

What does changing the following mean:

Code:
sshguard_safety_thresh="3"

to

Code:
sshguard_safety_thresh="40"

and how does this "attack dangerousness" work? On the website it just says:
Code:
a (positive, integer) value associated with an attack to identify how dangerous the attack is. See sshguard's attack signatures. Intuitively, one attacker is blocked with few very dangerous attacks, or many very light ones
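
An added example, not part of the thread and not sshguard's own code: a small model of scoring by dangerousness using the two defaults printed in the warning. It assumes an address is blocked once its accumulated dangerousness reaches the threshold and that the score is forgotten after a quiet window (7200 seconds here, the 2 hour window from the post); the function name and the sample events are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_ATTACKS_DANGEROUSNESS 10 /* value from the warning text */
#define DEFAULT_ABUSE_THRESHOLD 40       /* value from the warning text */
#define DANGER DEFAULT_ATTACKS_DANGEROUSNESS

struct attack { const char *addr; long when; unsigned danger; };

/* Constructed events: documentation addresses, time in seconds. */
static const struct attack sample[] = {
    {"192.0.2.10", 0, DANGER}, {"198.51.100.7", 60, DANGER},
    {"192.0.2.10", 120, DANGER}, {"192.0.2.10", 300, DANGER},
    {"192.0.2.10", 900, DANGER}, {"198.51.100.7", 9000, DANGER},
    {"198.51.100.7", 9100, DANGER},
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

/* Assumed model (hypothetical helper): add up the dangerousness of attacks
 * from `addr`, reset the sum after more than `window` quiet seconds, and
 * return which attempt from that address reaches `threshold` (1 = first
 * attempt, 0 = never blocked within these events). */
int attempts_until_block(const struct attack *ev, int n, const char *addr,
                         unsigned threshold, long window)
{
    unsigned score = 0;
    long last_seen = 0;
    int attempts = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].addr, addr) != 0)
            continue;               /* other sources are scored separately */
        attempts++;
        if (score > 0 && ev[i].when - last_seen > window)
            score = 0;              /* stale score: start counting again */
        last_seen = ev[i].when;
        score += ev[i].danger;
        if (score >= threshold)
            return attempts;
    }
    return 0;
}
int main(void)
{
    unsigned t[] = {3, 30, DEFAULT_ABUSE_THRESHOLD};
    for (int i = 0; i < 3; i++)
        printf("threshold %u: blocked on attempt %d\n", t[i],
               attempts_until_block(sample, SAMPLE_N, "192.0.2.10", t[i], 7200));
    return 0;
}
```

Under these assumptions a threshold of 3 blocks an address on its first detected attack, 30 on the third and the default 40 on the fourth.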
 