Skip to content
This repository has been archived by the owner on Nov 21, 2021. It is now read-only.

Latest commit

 

History

History
372 lines (288 loc) · 10.7 KB

CHANGELOG.rst

File metadata and controls

372 lines (288 loc) · 10.7 KB

Changes

All notable changes to this project will be documented in this file.

Note on deprecation: Deprecated features will be removed in the next non-bugfix release. If you would like to nominate a feature to be un-deprecated, contact the project mailing list.

Added

  • Match "Failed authentication attempt" for Gitea

Changed

  • Log human-readable service names instead of service code

Fixed

  • Correctly terminate child processes when sshguard is killed

Removed

  • No longer accept logs given via standard input

Fixed

  • Fix OpenSSH "Did not receive identification string"
  • Fix syslog banner detection on macOS

Added

  • Add signatures for Courier IMAP/POP and OpenVPN
  • Add signatures for TLS failures against Cyrus IMAP
  • Match more attacks against SSHD, Cockpit, and Dovecot
  • Update SSH invalid user signature for macOS

Changed

  • Add to and remove from ipfw table quietly
  • Reduce "Connection closed... [preauth]" score to 2
  • Switch ipsets to hash:net

Fixed

  • Don't recreate existing ipsets
  • Match more log banners (Fix greedy SYSLOG_BANNER)

Added

  • Add '--disable-maintainer-mode' in configure for package maintainers
  • BusyBox log banner detection
  • Match Exim "auth mechanism not supported"
  • Match Exim "auth when not advertised"
  • Match Postfix greylist early retry
  • OpenSMTPD monitoring support
  • Recognize IPv6 addresses with interface name

Changed

  • Ignore CR in addition to LF
  • Only log attacks if not already blocked or whitelisted

Fixed

  • Use correct signal names in driver shell script

2017-10-08

Added

  • Add nftables backend
  • Add monitoring support for new service: Cockpit, Linux server dashboard
  • Match "maximum authentication attempts" for SSH
  • Match Debian-style "Failed password for invalid user" for SSH
  • Add monitoring support for new service: Common webserver probes, in Common Log Format
  • Match 'Disconnecting invalid user' for SSH
  • Add monitoring support for new service: WordPress, in Common Log Format
  • Add monitoring support for new service: SSHGuard
  • Firewall backends now support blocking subnets.
  • Add new IPV6_SUBNET and IPV4_SUBNET configuration options. Defaults to traditional single-address blocking.
  • Add monitoring support for new service: OpenSMTPD

Changed

  • Log whitelist matches with higher priority

Fixed

  • Match port number in "invalid user" attack
  • FirewallD backend reloads firewall configuration less often.

2017-03-06

Added

  • Add firewalld backend
  • Add ipset backend
  • Annotate logs using -a flag to sshg-parser
  • Match "no matching cipher" for SSH
  • Preliminary support for Capsicum and pledge()
  • Resurrect ipfilter backend
  • Support reading from os_log on macOS 10.12 and systemd journal

Changed

  • Add warning when reading from standard input
  • Build and install all backends by default
  • Improve log messages and tweak logging priorities
  • Runtime flags now configurable in the configuration file
  • SSHGuard requires a configuration file to start

Removed

  • Remove process validation (-f option)

Fixed

  • Fix ipfw backend on FreeBSD 11
  • Fix initial block time
  • Update Dovecot pattern for macOS
  • Use standard score for Sendmail auth attack

2016-10-25

Changed

  • Allow multiple forward slashes in process name
  • Log released addresses only when debugging

Deprecated

  • Process validation (-f option) is deprecated

Fixed

  • Adjust TIMESTAMP_ISO8601 for Mac OS X 10.12
  • Fix build error in hosts backend
  • Fix empty functions in firewall scripts causing errors with Bash
  • Flush stdout after every line in sshg-parser

2016-08-08

Added

  • Add sshg-logtail
  • Add sshg-parser
  • Control firewall using sshg-fw
  • Match "no matching key exchange method" for SSH

Deprecated

  • Hosts backend is deprecated
  • Logsuck (-l option) is deprecated, use sshg-logtail instead
  • Process validation (-f option) is deprecated

Removed

  • Remove external hooks (-e option)
  • Remove support for genfilt and ipfilter backends

Fixed

  • Accept socklog messages without a timestamp
  • Fix excessive logging causing endless looping in logsuck
  • Fix undefined assignment of initial inode number

2016-04-28

  • Match Postfix pre-authentication disconnects
  • Fix bashisms in iptables backend
  • Fix size argument in inet_ntop() call
  • Remove excessive logging when polling from files
  • Keep looking for unreadable files while polling
  • Update Dovecot signature for POP3
  • Match "Connection reset" message for SSH
  • Resurrect PID file option by popular demand
  • Adjust default abuse threshold

2016-01-04

  • Add sample systemd(8) unit file
  • Disable blacklisting by default
  • Fix pfctl command syntax with OpenBSD 5.8
  • Implement logging as wrappers around syslog(2)
  • Improve log and error messages
  • Match sendmail authentication failures
  • Remove PID file option
  • Remove SIGTSTP and SIGCONT handler
  • Remove reverse mapping attack signature
  • Remove safe_fgets() and exit on interrupt
  • Terminate state entries for hosts blocked with pf
  • Update and shorten command-line usage
  • Use 'configure' to set feature-test macros

2015-10-12

  • Make '-w' option backwards-compatible for iptables (James Harris)
  • Remove support for ip6fw and 'ipfw-range' option
  • Rewrite ipfw backend using command framework

2015-07-20

  • Accept "Received disconnect" with optional prefix
  • Add support for socklog entries
  • Fix 'ipfw-rules-range' option in configure script
  • Fix build for 'ipfw' and 'hosts' backends
  • Fix integer comparisons of different types
  • Match attacks when syslog debugging is enabled

2015-05-02

  • Add rules for Postfix SASL login attempts
  • Add support for ISO 8601 timestamps (David Caldwell)
  • Add support for external commands run on firewall events (-e)
  • Blacklist file is now human-readable (Armando Miraglia)
  • Check tcpwrapper file permissions regardless of local umask
  • Detect additional pre-auth disconnects
  • Fix ipfw crash when loading an empty blacklist (Jin Choi)
  • Fix log parsing on days beginning with zero
  • Fix log polling on filesystems with many files (Johann H. Hauschild)
  • Fix matching for Cyrus IMAP login via SASL
  • Fix syslog format detection on hosts with undefined hostname
  • Match SSH login failures with "via" suffix
  • Remove broken kqueue(2) support
  • Tweak option names and help strings
  • Update SSH "Bad protocol" signature
  • Use case-insensitive "invalid user" signature
  • Wait for xtables lock when using iptables command (James Harris)

2011-02-10

  • logsucker: sshguard polls multiple log files at once
  • recognize syslog's "last message repeated N times" contextually and per-source
  • attackers now gauged with attack dangerousness instead of count (adjust your -a !)
  • improve IPv6 support
  • add detection for: Exim, vsftpd, Sendmail, Cucipop
  • improve Solaris support (thanks OpenCSW.org folks)
  • handle huge blacklists efficiently
  • improve logging granularity and descriptiveness
  • add -i command line option for saving PID file as an aid for startup scripts
  • update some attack signatures
  • many other improvements, see 1.5beta and 1.5rc changelogs for complete credits
  • fix a recognition problem for multilog files
  • fix log filtering on OSes with inverted priority declarations
  • fix file descriptor leak if "ps" command fails to run
  • fix whitelist module allowing some entries to be skipped (thanks Andrea Dal Farra)
  • fix segfault from invalid free() when all DNS lookups fail
  • fix assertion failure when logsucker is notified before the logging completes (thanks Colin Keith)

2009-09-23

  • add touchiness: block repeated abusers for longer
  • add blacklisting: store frequent abusers for permanent blocking
  • add support for IPv6 in whitelisting (experimental)
  • sshguard ignores interrupted fgets() and reloads more seldom (thanks Keven Tipping)
  • debug mode now enabled with SSHGUARD_DEBUG environment variable (no "-d")
  • support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
  • import newer SimCList containing a number of fixes and improvements
  • firewall backends now block all traffic from attackers by default, not per-service
  • netfilter/iptables backend now verifies credentials at initialization
  • parser accepts "-" and "_" chars in process names
  • fix detection of some ProFTPd and pure-ftp messages
  • support log formats of new versions of ProFTPd
  • fix one dovecot pattern
  • correctly handle abuse threshold = 1 (thanks K. Tipping)
  • fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
  • fix cmdline argument BoF exploitable by local users when sshguard is setuid
  • support blocking IPv6 addrs in backed "hosts.allow"
  • extend hosts.allow backend to support all service types
  • localhost addresses are now whitelisted a priori
  • extend IPv6 pattern for matching special addresses (eg, IPv4 embedded)
  • fix grammar to be insensitive to a log injection in sshd (thanks J. Oosterveen)

2008-10

  • fix autoconf problem
  • automatically detect when ipfw supports IPv6 (thanks David Horn)
  • be sensitive to proftpd messages to auth facility, not daemon (thanks Andy Berkvam)
  • add sshd pattern for "Bad protocol" and "Did not receive identif string"

2008-09

  • support for Cyrus IMAP
  • support for SSH "possible break-in attempt" messages
  • updated support for dovecot to include logging format of new versions
  • (thanks Michael Maynard) fix of IPF backend causing sshguard not to update /etc/ipf.rules (disallow IPv6)
  • fix detection of password when sshd doesn't log anything more than PAM

2008-07

  • support suspension
  • support debug mode at runtime (-d) for helping users in problem solving
  • support for metalog logging format
  • fix parser bug when recognizing certain IPv6 addresses
  • fix segfault when the pipe to sshguard is closed unexpectedly
  • support for ipfilter as blocking backend (thanks Hellmuth Michaelis for feedback)
  • support for log messages authentication
  • support for AIX genfilt firewall (thanks Gabor Szittner)
  • fix "hosts" backend bug not discarding temporary files
  • add monitoring support for new services:
    • dovecot imap
    • UWimap imap and pop
    • FreeBSD's ftpd
    • ProFTPd
    • pure-ftpd

2007-05

  • address whitelisting for protecting friend addressess
  • support for IPv6
  • support for service multiplexing (behave differently for different services)
  • more powerful parsing (context-free): support multilog, autotranslate hostnames and easily extends to a lot of services
  • new blocking backend: "hosts" for /etc/hosts.deny
  • paths autodetected and adjustable from ./configure
  • script for trivially generating new custom backends

2007-03

  • run away from scons and use autotools as building system

2007-02

  • first public release