From: Mark Felder
To: freebsd-questions@freebsd.org
Subject: security/sshguard 1.6.0
Date: Tue, 05 May 2015 13:05:24 -0500
Message-Id: <1430849124.506511.263056953.227E1E7E@webmail.messagingengine.com>

Hi all,

I recently updated sshguard to 1.6.0. In the changelog it mentions improved detection for SSH connections:

- Match SSH login failures with "via" suffix
- Update SSH "Bad protocol" signature

This seems to detect when a machine connects to port 22 but doesn't try to log in. This is what you might expect your monitoring server to do. As a result, your monitoring server will likely end up on the sshguard ban list like mine did.

Make sure your monitoring server is whitelisted in the firewall or that you're using the whitelist functionality that sshguard provides. :-)
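
An added example, not part of the original message and not sshguard's own code: a Python check that lists source addresses which connect to sshd without logging in and are not covered by a whitelist of addresses and CIDR blocks. The whitelist entries, the log lines and the two sshd message patterns are constructed assumptions, not sshguard's signatures.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not from the original message).
WHITELIST = """\
# monitoring hosts
192.0.2.10
198.51.100.0/24
"""
AUTH_LOG = """\
May  5 13:00:01 host sshd[811]: Did not receive identification string from 192.0.2.10
May  5 13:00:07 host sshd[815]: Bad protocol version identification 'PING' from 203.0.113.5 port 40112
May  5 13:01:01 host sshd[822]: Did not receive identification string from 203.0.113.5
May  5 13:01:09 host sshd[830]: Bad protocol version identification 'check' from 198.51.100.7 port 51822
May  5 13:02:00 host sshd[840]: Accepted publickey for admin from 192.0.2.44 port 50022 ssh2
"""
# Assumed sshd messages for a connection that never attempts a login.
PROBE = re.compile(
    r"sshd\[\d+\]: (?:Did not receive identification string"
    r"|Bad protocol version identification .*) from (\S+)"
)

def load_whitelist(text):
    """Return (networks, skipped); hostname entries are skipped, not resolved."""
    nets, skipped = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append(entry)  # hostname entry: would need a DNS lookup
    return nets, skipped

def unlisted_probes(log_text, nets):
    """Count probe-style log lines per source address outside the whitelist."""
    hits = {}
    for m in PROBE.finditer(log_text):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # source was logged as something other than an IP literal
        if not any(addr in net for net in nets):
            hits[str(addr)] = hits.get(str(addr), 0) + 1
    return hits

if __name__ == "__main__":
    print(unlisted_probes(AUTH_LOG, load_whitelist(WHITELIST)[0]))
```

Any address it reports that belongs to a monitoring host is a candidate for the whitelist before the upgrade.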