This page lists log messages recognized by sshguard as attacks. Each attack is assigned a dangerousness value.

Uses of this page:

  • you want to witness that sshguard is detecting and blocking attacks successfully on your system
  • you get log entries of someone disturbing your system; you want to check if sshguard could protect you from that
  • you want to cross-check the concrete form of an unrecognized message before asking for support

Important Notes

These are the bare messages as generated by each service. Sshguard itself takes care of any decorations (timestamps, process names, PIDs, etc.) added by logging systems.

These are approximate sample entries; they've been translated from sshguard's context-free grammar combined with extended regular expressions to be digestible by a broader audience. For the specifics, check the source code or contact the authors.

Besides other simplifications, the following keywords have special meanings in the samples below:

  • 6.6.6.0: the attacker (Mallory)
  • 127.0.0.1: a local address (Bob)
  • mario: a user existing in the system
  • inexu: a user not existing in the system
  • XYZ: an irrelevant string of text

The default dangerousness as of version 1.5 is 10.

If you want further log messages to be recognized by sshguard as attacks, report them to the team.

The attack signatures

| service | dangerousness | message |
|---|---|---|
| sshd | default | Invalid user inexu from 6.6.6.0 |
| sshd | default | User mario from 6.6.6.0 not allowed because XYZ |
| sshd | default | Failed XYZ for XYZ from 6.6.6.0 port 14423 ssh2 |
| sshd | default | error: PAM: authentication failure for mario from 6.6.6.0 |
| sshd | default | reverse mapping checking getaddrinfo for XYZ [6.6.6.0] XYZ POSSIBLE BREAK-IN ATTEMPT! |
| sshd | default | Did not receive identification string from 6.6.6.0 |
| sshd | default | Bad protocol version identification XYZ from 6.6.6.0 |
| Cucipop | default | authentication failure XYZ 6.6.6.0 |
| Exim | default | XYZ auth_plaintext authenticator failed for XYZ [6.6.6.0]:14432 I=XYZ : 535 Incorrect authentication data (set_id=test) |
| Sendmail | default | Relaying denied. IP name lookup failed [6.6.6.0] |
| dovecot | default | imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1 |
| UWimap | default | Login failed user=XYZ auth=XYZ host=XYZ [6.6.6.0] |
| Cyrus IMAP | default | badlogin: XYZ [6.6.6.0] XYZ SASL XYZ checkpass failed |
| FreeBSD ftpd | default | FTP LOGIN FAILED FROM 6.6.6.0, XYZ |
| ProFTPd | default | foo.com (foo.com [6.6.6.0]) XYZ no such user XYZ |
| Pure-FTPd | default | (XYZ@6.6.6.0) [WARNING] Authentication failed for user XYZ |
| vsftpd | default | XYZ FAIL LOGIN: Client "6.6.6.0" |
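
To cross-check a log line of your own against these samples, the sketch below compiles a few of them into regular expressions using the placeholder keywords defined above. It is an added example, not sshguard's parser (which uses a grammar, as noted); the placeholder-to-regex mapping, the syslog decoration pattern and the names `compile_sample` and `classify` are assumptions made for illustration.

```python
import re

# A subset of the sample messages from the signature table on this page.
SAMPLES = {
    "sshd": [
        "Invalid user inexu from 6.6.6.0",
        "Failed XYZ for XYZ from 6.6.6.0 port 14423 ssh2",
        "Did not receive identification string from 6.6.6.0",
    ],
    "dovecot": [
        "imap-login: Aborted login (auth failed, 6 attempts): "
        "XYZ rip=6.6.6.0, lip=127.0.0.1",
    ],
}

# The page's placeholder keywords mapped to regex fragments (assumed mapping).
ADDR = r"[0-9A-Fa-f:.]+"
FRAGMENTS = {
    "6.6.6.0": rf"(?P<addr>{ADDR})",   # attacker address, captured
    "127.0.0.1": ADDR,                 # local address
    "XYZ": r".+?",                     # irrelevant text
    "mario": r"\S+",                   # existing user
    "inexu": r"\S+",                   # non-existing user
}
TOKEN = re.compile(r"(6\.6\.6\.0|127\.0\.0\.1|XYZ|mario|inexu|\b\d+\b)")

# Assumed classic syslog decoration: "Mon DD HH:MM:SS host proc[pid]: ".
DECORATION = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+[^\s:\[]+(?:\[\d+\])?:\s+")


def compile_sample(sample):
    """Turn one sample message into a regex; bare numbers become \\d+."""
    parts = []
    for tok in TOKEN.split(sample):
        if tok in FRAGMENTS:
            parts.append(FRAGMENTS[tok])
        elif tok.isdigit():
            parts.append(r"\d+")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))


PATTERNS = [(svc, compile_sample(s)) for svc, msgs in SAMPLES.items() for s in msgs]


def classify(line):
    """Return (service, attacker_address) if the line fits a sample, else None."""
    message = DECORATION.sub("", line.strip(), count=1)
    for service, pattern in PATTERNS:
        match = pattern.fullmatch(message)
        if match:
            return service, match.group("addr")
    return None
```

Because the samples are approximations, a `None` result here only means the line does not fit the simplified form; the source code remains the reference for what sshguard actually accepts.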
