sshguard 1.6.0-1 Ubuntu 16.04 Google Compute Engine
The Nagios monitoring system is configured by default to check if ssh is working, which seems like a reasonable check. Google Compute Engine is configured by default to have sshguard installed, which also seems like a good idea. Yet the two systems don't agree with each other. Here is log output from auth.log:
May 23 08:46:50 server1 sshd: Connection closed by 10.128.0.2 port 42370 [preauth]
May 23 08:51:50 server1 sshd: Connection closed by 10.128.0.2 port 42444 [preauth]
May 23 08:56:50 server1 sshd: Connection closed by 10.128.0.2 port 42516 [preauth]
May 23 09:01:50 server1 sshd: Connection closed by 10.128.0.2 port 42586 [preauth]
May 23 09:01:50 server1 sshguard: Blocking 10.128.0.2:4 for >945secs: 40 danger in 4 attacks over 900 seconds (all: 80d in 2 abuses over 2700s).
Nagios is not being overly intrusive; this is only one check every 5 minutes, and ssh isn't failing. The connection is merely closed.
Your answer may be that the host should be whitelisted. That does fix the problem. However, is it the most elegant solution? It would be nice if popular Linux distro packages mostly played nicely with each other and didn't require troubleshooting. :-)
At least one person has already reported it, Issue #53: "My problem is that I have a whitelisted host that is checking some services via nagios. Something about how it is doing things causes sshguard to want to block it. That's fine. I put it in the whitelist."
Must this be considered an attack signature? It is not a fail2ban signature... Your thoughts?
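To see which monitoring schedules would trip the blocker before deploying a check, the arithmetic in the log line above can be replayed offline. This is an added example, not part of the original post and not sshguard's code: it is a simplified sliding-window model in which the score of 10 per event and the threshold of 40 are read off the "40 danger in 4 attacks" line, while the 1200-second window and the 192.0.2.10 probe address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four sshd entries quoted in the post.
SAMPLE_LOG = """\
May 23 08:46:50 server1 sshd: Connection closed by 10.128.0.2 port 42370 [preauth]
May 23 08:51:50 server1 sshd: Connection closed by 10.128.0.2 port 42444 [preauth]
May 23 08:56:50 server1 sshd: Connection closed by 10.128.0.2 port 42516 [preauth]
May 23 09:01:50 server1 sshd: Connection closed by 10.128.0.2 port 42586 [preauth]
"""

PREAUTH_CLOSE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Connection closed by (\S+) port \d+ \[preauth\]")

def parse_events(text, year=2000):
    """Yield (timestamp, source) per pre-auth close; auth.log omits the year, so `year` is arbitrary."""
    for line in text.splitlines():
        m = PREAUTH_CLOSE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def predicted_blocks(events, score=10, threshold=40, window=1200):
    """Return (timestamp, source, danger) for each point where the model would block.
    score/threshold come from the quoted log line; window (seconds) is an assumed value."""
    recent = defaultdict(deque)
    blocks = []
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                      # forget events older than the window
        if len(q) * score >= threshold:
            blocks.append((ts, src, len(q) * score))
            q.clear()                        # score starts over after a block
    return blocks

def probe_schedule(interval, count, src="192.0.2.10"):
    """Constructed events: one health-check probe every `interval` seconds."""
    start = datetime(2000, 1, 1)
    return [(start + timedelta(seconds=i * interval), src) for i in range(count)]

if __name__ == "__main__":
    print(predicted_blocks(parse_events(SAMPLE_LOG)))
    for interval in (300, 600):
        print(interval, len(predicted_blocks(probe_schedule(interval, 12))))
```

Under these assumptions the 5-minute check reaches the threshold on every fourth probe, while a 10-minute check never accumulates more than three events inside the window.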