[SOLVED] sshguard[59300]: Attack from "192.xx.xx.xx" on service 100 with danger 10
-
I found this in my pfSense log:
sshguard[59300]: Attack from "192.xx.xx.xx" on service 100 with danger 10
The IP address is my linux workstation.
Would I get this error from one or two typos when entering my password while logging in, or is this likely due to something more serious?
What is service 100?
What is danger 10?
Are there any other places in pfSense to find more info?
Thanks in advance for any assistance.
-
@guardian said in Please tell me what this error message is likely serious?:
What is service 100?
https://www.sshguard.net/docs/reference/service-codes/
@guardian said in Please tell me what this error message is likely serious?:
What is danger 10?
https://wiki.archlinux.org/index.php/Sshguard - and search for the "danger" phrase.
@guardian said in Please tell me what this error message is likely serious?:
Are there any other places in pfSense to find more info?
sshguard is a package available for all Linux OSes, FreeBSD, etc.
It protects the SSH - typically port 22 - access.
It's a tool with its own doc etc.
Normally, you will not even know it exists, but when some device starts to hammer the SSH access, you get a notice.
"Hammer" means failed login attempts I guess.
@guardian said in Please tell me what this error message is likely serious?:
or is this likely due to something more serious?
Ask the guy that maintains that "linux workstation" device. She/He knows (should know!) what's going on.
-
@guardian said in Please tell me what this error message is likely serious?:
Would I get this error from one or two typos when entering my password while logging in
Yes, if you made multiple failed attempts in a short period of time
, or is this likely due to something more serious?
If it's coming from inside your network, then the odds are more in favor of someone accidentally trying the wrong password a few times. Unless it happens repeatedly. If it comes from outside, then it's more likely a brute force attack.
sshguard protects both ssh and the GUI
-
Thanks @Gertjan & @jimp for the replies. I only noticed the message when I looked at the daily email report. The source was my workstation, and I think I remember accidentally typing a login into the wrong terminal window.
@jimp said in Please tell me what this error message is likely serious?:
@guardian said in Please tell me what this error message is likely serious?:
Would I get this error from one or two typos when entering my password while logging in
Yes, if you made multiple failed attempts in a short period of time
, or is this likely due to something more serious?
If it's coming from inside your network, then the odds are more in favor of someone accidentally trying the wrong password a few times. Unless it happens repeatedly. If it comes from outside, then it's more likely a brute force attack.
sshguard protects both ssh and the GUI
Any idea how many "bad attempts" are necessary to trigger the message?
How long sshguard has been part of pfSense
@Gertjan said in Please tell me what this error message is likely serious?:
@guardian said in Please tell me what this error message is likely serious?:
What is service 100?
https://www.sshguard.net/docs/reference/service-codes/
Thanks very useful reference.
@guardian said in Please tell me what this error message is likely serious?:
What is danger 10?
https://wiki.archlinux.org/index.php/Sshguard - and search for the "danger" phrase.
Thanks, that helps a lot... IIUC it appears that means "one failed attempt", so it was likely me and not some rogue process running from a browser window.
@guardian said in Please tell me what this error message is likely serious?:
Are there any other places in pfSense to find more info?
sshguard is a package available for all Linux OSes, FreeBSD, etc.
It protects the SSH - typically port 22 - access.
It's a tool with its own doc etc.
Normally, you will not even know it exists, but when some device starts to hammer the SSH access, you get a notice.
"Hammer" means failed login attempts I guess.
@guardian said in Please tell me what this error message is likely serious?:
or is this likely due to something more serious?
Ask the guy that maintains that "linux workstation" device. She/He knows (should know!) what's going on.
It's me, and I'm pretty sure I remember a bad copy/paste when attempting to log in.
Is the "user id" of the attempted login available in a log somewhere?
-
@guardian said in Please tell me what this error message is likely serious?:
Any idea how many "bad attempts" are necessary to trigger the message?
It depends on a few factors, but that's all decided by sshguard and could be found in their docs.
@guardian said in Please tell me what this error message is likely serious?:
How long sshguard has been part of pfSense
Since 2.4.4.
@guardian said in Please tell me what this error message is likely serious?:
Is the "user id" of the attempted login available in a log somewhere?
The main system log.
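
Added example, not part of the original thread and not pfSense or sshguard code: a small triage script for the message format quoted at the top of the thread, totalling the danger score per source and separating internal from external sources as discussed above. The LAN range, the sample lines and the threshold of 30 (sshguard's documented default for `-a`) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the firewall's LAN range and the block threshold.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # hypothetical LAN
ASSUMED_THRESHOLD = 30  # sshguard's documented default; an install may differ
SERVICE_NAMES = {100: "ssh"}  # 100 is SSH in sshguard's service-code table

ATTACK_RE = re.compile(
    r'sshguard\[\d+\]: Attack from "(?P<src>[^"]+)" '
    r'on service (?P<svc>\d+) with danger (?P<danger>\d+)'
)

def summarize(lines, threshold=ASSUMED_THRESHOLD):
    """Total the danger score per source address and classify each source.

    Simplification: sshguard only accumulates danger inside its detection
    window; this sums every line it is given.
    """
    totals = defaultdict(lambda: {"danger": 0, "events": 0, "services": set()})
    for line in lines:
        m = ATTACK_RE.search(line)
        if not m:
            continue  # not an sshguard attack notice
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # masked or malformed address, e.g. "192.xx.xx.xx"
        entry = totals[str(addr)]
        entry["danger"] += int(m["danger"])
        entry["events"] += 1
        svc = int(m["svc"])
        entry["services"].add(SERVICE_NAMES.get(svc, str(svc)))
        internal = any(addr in net for net in LAN_NETS)
        entry["origin"] = "internal" if internal else "external"
    for entry in totals.values():
        entry["over_threshold"] = entry["danger"] >= threshold
    return dict(totals)

# Constructed sample lines in the format quoted in this thread.
SAMPLE = [
    'Jan 10 08:15:01 fw sshguard[59300]: Attack from "192.168.1.50" on service 100 with danger 10',
    'Jan 10 09:02:11 fw sshguard[59300]: Attack from "203.0.113.7" on service 100 with danger 10',
    'Jan 10 09:02:13 fw sshguard[59300]: Attack from "203.0.113.7" on service 100 with danger 10',
    'Jan 10 09:02:15 fw sshguard[59300]: Attack from "203.0.113.7" on service 100 with danger 10',
    'Jan 10 09:30:00 fw sshguard[59300]: Attack from "192.xx.xx.xx" on service 100 with danger 10',
    'Jan 10 09:31:00 fw sshd[1234]: Accepted publickey for admin',
]
```

A single internal entry with a total of 10 matches the "one mistyped login" case from the thread; repeated entries from one source that reach the threshold are the ones worth following up in the main system log.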