This page lists the log messages that sshguard recognizes as attacks. Each attack is qualified by a dangerousness score.
Uses of this page:
- you want to witness that sshguard is detecting and blocking attacks successfully on your system
- you find log entries of someone disturbing your system and want to check whether sshguard could protect you from it
- you cross-check a concrete form of an unrecognized message before asking for support
Important Notes
These are the bare messages as generated by a service. Sshguard strips on its own any decorations (timestamp, process name, PID, etc.) that logging systems add around them.
These are approximate sample entries; they've been translated from sshguard's context-free grammar combined with extended regular expressions to be digestible by a broader audience. For the specifics, check the source code or contact the authors.
Besides other simplifications, the following keywords have special meanings in the samples below:
- 6.6.6.0: the attacker (Mallory)
- 127.0.0.1: a local address (Bob)
- mario: a user existing in the system
- inexu: a user not existing in the system
- XYZ: an irrelevant string of text
The default dangerousness as of version 1.5 is 10.
If you want further log messages to be recognized by sshguard as attacks, report them to the team.
The attack signatures
| service | dangerousness | message |
|---|---|---|
| sshd | default | Invalid user inexu from 6.6.6.0 |
| sshd | default | User mario from 6.6.6.0 not allowed because XYZ |
| sshd | default | Failed XYZ for XYZ from 6.6.6.0 port 14423 ssh2 |
| sshd | default | error: PAM: authentication failure for mario from 6.6.6.0 |
| sshd | default | reverse mapping checking getaddrinfo for XYZ [6.6.6.0] XYZ POSSIBLE BREAK-IN ATTEMPT! |
| sshd | default | Did not receive identification string from 6.6.6.0 |
| sshd | default | Bad protocol version identification XYZ from 6.6.6.0 |
| Cucipop | default | authentication failure XYZ 6.6.6.0 |
| Exim | default | XYZ auth_plaintext authenticator failed for XYZ [6.6.6.0]:14432 I=XYZ : 535 Incorrect authentication data (set_id=test) |
| Sendmail | default | Relaying denied. IP name lookup failed [6.6.6.0] |
| dovecot | default | imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1 |
| UWimap | default | Login failed user=XYZ auth=XYZ host=XYZ [6.6.6.0] |
| Cyrus IMAP | default | badlogin: XYZ [6.6.6.0] XYZ SASL XYZ checkpass failed |
| FreeBSD ftpd | default | FTP LOGIN FAILED FROM 6.6.6.0, XYZ |
| ProFTPd | default | foo.com (foo.com [6.6.6.0]) XYZ no such user XYZ |
| Pure-FTPd | default | (XYZ@6.6.6.0) [WARNING] Authentication failed for user XYZ |
| vsftpd | default | XYZ FAIL LOGIN: Client "6.6.6.0" |
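To see how the table maps onto real log traffic, here is an added example (not sshguard's own code) that approximates a handful of the signatures above as regular expressions, strips syslog decoration the way the notes describe, and totals the default dangerousness of 10 per attacker address. The regexes, the syslog prefix format and the log lines are constructed assumptions; sshguard's real matcher is a grammar, not these patterns.

```python
import re

# Constructed regex approximations of some signatures listed above.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SIGNATURES = [
    ("sshd", re.compile(r"Invalid user \S+ from " + IP)),
    ("sshd", re.compile(r"User \S+ from " + IP + r" not allowed because")),
    ("sshd", re.compile(r"Failed \S+ for .+ from " + IP + r" port \d+ ssh2")),
    ("sshd", re.compile(r"error: PAM: authentication failure for \S+ from " + IP)),
    ("sshd", re.compile(r"Did not receive identification string from " + IP)),
    ("dovecot", re.compile(r"imap-login: Aborted login \(auth failed, \d+ attempts\):.*rip=" + IP)),
    ("vsftpd", re.compile(r'FAIL LOGIN: Client "' + IP + '"')),
]
DEFAULT_DANGER = 10  # default dangerousness as of version 1.5

# Assumed classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+?(?:\[\d+\])?: ")


def strip_decoration(line):
    """Remove the timestamp/host/process decoration added by the logger."""
    return SYSLOG.sub("", line, count=1)


def classify(line):
    """Return (service, attacker_ip, dangerousness) or None if not an attack."""
    msg = strip_decoration(line)
    for service, rx in SIGNATURES:
        m = rx.search(msg)
        if m:
            return service, m.group("ip"), DEFAULT_DANGER
    return None


def score_by_ip(lines):
    """Sum dangerousness per source address, as a blocking threshold would use."""
    totals = {}
    for line in lines:
        hit = classify(line)
        if hit:
            totals[hit[1]] = totals.get(hit[1], 0) + hit[2]
    return totals


# Constructed sample log; 6.6.6.0 is Mallory, 127.0.0.1 is Bob (see the key above).
SAMPLE_LOG = [
    "Jun  3 10:00:01 host sshd[1234]: Invalid user inexu from 6.6.6.0",
    "Jun  3 10:00:02 host sshd[1234]: Failed password for invalid user inexu from 6.6.6.0 port 14423 ssh2",
    "Jun  3 10:00:03 host dovecot: imap-login: Aborted login (auth failed, 6 attempts): user=<mario>, method=PLAIN, rip=6.6.6.0, lip=127.0.0.1",
    "Jun  3 10:00:04 host sshd[1234]: Accepted publickey for mario from 127.0.0.1 port 5000 ssh2",
    'Jun  3 10:00:05 host vsftpd[77]: Sat Jun  3 10:00:05 2023 [pid 77] [ftp] FAIL LOGIN: Client "6.6.6.0"',
]

if __name__ == "__main__":
    print(score_by_ip(SAMPLE_LOG))  # {'6.6.6.0': 40}
```

Only the four failed-authentication lines count; the successful login from the local address is ignored, so Bob is never scored.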