Persistent SSHGuard Log Messages

kristiyan.kolev · Apr 14, 2024, 7:55 AM

Hello, Netgate Community,

I'm having an issue with pfSense 2.7.2 in which SSHGuard repeatedly exits and restarts monitoring. My system logs are filling up with these entries, which show a continuous cycle of "Exiting on signal" and "Now monitoring attacks," as follows:

Apr 14 01:19:00 sshguard 62312 Exiting on signal.
Apr 14 01:19:00 sshguard 72750 Now monitoring attacks.
... [similar entries repeated with different process IDs]

I found discussions from two years ago that described similar issues, but I would have expected a solution or patch by now. Is anyone else experiencing this issue, or has it been addressed in a more recent update that I may have overlooked? Any insights or solutions would be greatly appreciated, as this issue is causing concern for both log management and system stability.

Thank you for any assistance you can offer!

pst · Apr 14, 2024, 8:18 AM

@kristiyan-kolev I can confirm I saw the same in pfSense+ 23.09.1, and it's still in 24.03-RC (24.03.r.20240410.1729). There's a new log entry roughly every 11-12 minutes.

Bob.Dig · Apr 14, 2024, 8:47 AM

@pst I don't see it.

pst · Apr 14, 2024, 9:26 AM

@Bob-Dig according to this thread: https://forum.netgate.com/topic/169923/tons-sshguard-log-entries-and-its-not-enabled it is related to the amount of logging going on and the log limits set, as it is log rotations that trigger the sshguard restarts. Which explains my case at least.

kristiyan.kolev · Apr 14, 2024, 11:53 AM

I see, so if I understand correctly, the messages are logged each time SSHGuard resets in conjunction with a log rotation. This rotation happens whenever the log reaches its size limit, at which point the current log is compressed, and a new one is started. Is that accurate?

stephenw10 · Apr 14, 2024, 2:15 PM

Yup you will see it everytime any log rotates. So you can mitigate it by increasing the log file sizes or reducing what is logged in whichever log is rotating.