From: Greg P. <gre...@hc...> - 2009-02-03 12:56:46
Mij wrote:
> Hello Greg,
>
> On Jan 20, 2009, at 15:34 , Greg Parrish wrote:
>
>> I am having two issues with the 1.3 release as seen in the logs below.
>> This is on a Centos4 host using the auth.log method piped to sshguard
>> and not the syslog method.
>>
>> 1. Here the logs all have ffff in them and I am not sure why this is
>> but it seems normal from some other posts out there but it fails to
>> block. I have this running on a Centos3 host and it is working fine
>> but there is no ffff in the log entries which I assume is causing the
>> failure.
>>
>> Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshd[9298]: Did not receive identification string from ::ffff:192.168.122.234
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking ::ffff:192: 2 failures over 0 seconds.
>> Jan 20 09:26:18 arnold sshguard[3308]: Blocking command failed. Exited: -1

Hi Mij,

> do you have the system utility ip6tables ?

No this package is not installed.

> This is what sshguard needs to block IPv6 addresses.

Ok, good to know and that makes sense.

>> 2. The above is an internal host so I am not concerned about him other
>> than the blocking is failing. From testing on an outside host it just
>> registers the failed login but never even reports a block attempt
>> there after I failed the login many times. Here are my params.
>>
>> 2 failures, in 30 minutes, block them for a month.
>> /usr/local/sbin/sshguard -a 2 -p 25920000 -s 1800
>
> 1) Do you have debug-level entries for when you tried this?

No I don't.

> 2) what kind of log messages do you expect to cause blocking? Did
> you try to inject them manually in "sshguard -d" and see if it detects
> them?

I expect it to stop normal brute attacks that I have tested on other
hosts. I did not try and inject them.

> 3) "-p 25920000" : this is dangerous, use with care. If you want
> blacklisting, have a look at sshguard 1.4 (from SVN) which has it out of the box

Sounds good and thanks. I am okay with this as ssh is limited to just a
few users. I don't want the bad guys banging on our hosts more than once
a week.

I was able to resolve this by disabling IPv6 in modules.conf and
restarting the host so there are no IPv6 addresses on the interfaces and
thus not in the logs.

-greg

>> Thanks,
>> greg
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
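The sshd lines quoted in this thread report an IPv4 peer as the IPv4-mapped IPv6 address `::ffff:192.168.122.234`. As an added example (not code from sshguard or from either poster), this Python script parses such a line, unwraps the mapped address, and picks the firewall tool that would have to hold the rule. The function names `offender` and `block_plan`, the sample lines, and the choice of `iptables` for IPv4 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample lines modelled on the sshd entries quoted in the thread.
SAMPLE_LOG = [
    "Jan 20 09:26:18 arnold sshd[9297]: Did not receive identification string from ::ffff:192.168.122.234",
    "Jan 20 09:26:19 arnold sshd[9301]: Did not receive identification string from 2001:db8::17",
    "Jan 20 09:26:20 arnold sshd[9302]: Did not receive identification string from 203.0.113.9",
    "Jan 20 09:26:21 arnold sshd[9303]: Did not receive identification string from ::ffff:192.168.122",
]

# Capture the whole token after "from" so a colon never splits the address.
PATTERN = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")


def offender(line):
    """Return (firewall_tool, address) for a matching line, else None (hypothetical helper)."""
    m = PATTERN.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # truncated or malformed token: never hand it to the firewall
    # ::ffff:a.b.c.d is an IPv4 peer seen through a dual-stack socket;
    # unwrap it so the IPv4 firewall, not ip6tables, receives the rule.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return tool, str(addr)


def block_plan(lines):
    """Map each parsable offender to the tool that would block it (hypothetical helper)."""
    return [r for r in map(offender, lines) if r is not None]


if __name__ == "__main__":
    for tool, addr in block_plan(SAMPLE_LOG):
        print(f"{tool}: {addr}")
```
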