From: Leonid S. <Leo...@en...> - 2009-02-15 13:40:47
Hi, if my router is attacked with an ssh user list, I see some lines in the sshguard chain, and I am forced to delete the superfluous lines every day. Is it a bug, or should it be so? Why doesn't sshguard find '78.135.0.30' in the sshguard chain?

Feb 13 06:29:44 asroute1 sshguard[12567]: Looking for address '78.135.0.30:4'...
Feb 13 06:29:44 asroute1 sshguard[12567]: Not found.

iptables -L:
....
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      anywhere
DROP       all  --  63.138.202.103       anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
DROP       all  --  78-135-0-30.extend   anywhere
....

iptables -L -n:
....
Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  221.130.187.174      0.0.0.0/0
DROP       all  --  63.138.202.103       0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
DROP       all  --  78.135.0.30          0.0.0.0/0
....

/var/log/auth.log:
Feb 13 06:29:19 asroute1 sshd[19796]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:19 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:20 asroute1 sshd[19798]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:21 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:22 asroute1 sshd[19800]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:22 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshd[19802]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:25 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:25 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >420secs: 4 failures over 6 seconds.
Feb 13 06:29:26 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:26 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:26 asroute1 sshguard[12567]: First sight of offender '78.135.0.30:4', adding to offenders list.
Feb 13 06:29:27 asroute1 sshd[19805]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:27 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:29 asroute1 sshd[19807]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:29 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:31 asroute1 sshd[19809]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:31 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:34 asroute1 sshd[19811]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:34 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:35 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >840secs: 4 failures over 7 seconds.
Feb 13 06:29:35 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:35 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:35 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 2 times.
Feb 13 06:29:36 asroute1 sshd[19813]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:36 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:38 asroute1 sshd[19816]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:38 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:40 asroute1 sshd[19818]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:40 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:42 asroute1 sshd[19820]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:43 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:43 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >1680secs: 4 failures over 7 seconds.
Feb 13 06:29:43 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:44 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:44 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 3 times (threshold 3) -> blacklisted.
Feb 13 06:29:44 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:44 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:44 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.
Feb 13 06:29:45 asroute1 sshd[19822]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:45 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:46 asroute1 sshd[19825]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:46 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:49 asroute1 sshd[19827]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:49 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshd[19829]: reverse mapping checking getaddrinfo for 78-135-0-30.extend [78.135.0.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 13 06:29:50 asroute1 sshguard[12567]: Matched address 78.135.0.30:4 attacking service 100
Feb 13 06:29:50 asroute1 sshguard[12567]: Blocking 78.135.0.30:4 for >0secs: 4 failures over 5 seconds.
Feb 13 06:29:51 asroute1 sshguard[12567]: Setting environment: SSHG_ADDR=78.135.0.30;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Feb 13 06:29:51 asroute1 sshguard[12567]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -A sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -A sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
Feb 13 06:29:51 asroute1 sshguard[12567]: Offender '78.135.0.30:4' seen 4 times (threshold 3) -> blacklisted.
Feb 13 06:29:51 asroute1 sshguard[12567]: *Looking for address '78.135.0.30:4'...*
Feb 13 06:29:51 asroute1 sshguard[12567]: *Not found.*
Feb 13 06:29:51 asroute1 sshguard[12567]: Attacked '78.135.0.30:4' blacklisted. Blacklist now 1 entries.

--
Leonid Shulov <Leo...@en...>
Entropic Communications Israel
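Added example (not from the original post or from sshguard itself): a POSIX shell script that finds duplicate per-source DROP rules like the four 78.135.0.30 entries above in `iptables -S sshguard` output, emits the `iptables -D` commands that trim each source back to a single rule, and a block helper that uses `iptables -C` to append only when no rule for the address exists yet. Assumptions: the chain is named sshguard, rules are in the format `iptables -S` prints, the sample rule text is constructed, and `iptables -C` is available (iptables 1.4.11 or later).

```shell
#!/bin/sh
# Constructed sample of `iptables -S sshguard` output, mirroring the chain in
# the post: four identical DROP rules for 78.135.0.30.
SAMPLE_RULES='-N sshguard
-A sshguard -s 221.130.187.174/32 -j DROP
-A sshguard -s 63.138.202.103/32 -j DROP
-A sshguard -s 78.135.0.30/32 -j DROP
-A sshguard -s 78.135.0.30/32 -j DROP
-A sshguard -s 78.135.0.30/32 -j DROP
-A sshguard -s 78.135.0.30/32 -j DROP'

# Read rule text on stdin and print "source count" for every source that
# appears in more than one "-A <chain> -s <src> -j DROP" rule.
dup_sources() {
    awk '$1 == "-A" && $3 == "-s" && $5 == "-j" && $6 == "DROP" { n[$4]++ }
         END { for (s in n) if (n[s] > 1) print s, n[s] }' | sort
}

# Emit the iptables -D commands that leave exactly one rule per source.
# iptables -D removes the first matching rule, so repeat it count-1 times.
dedup_commands() {
    chain=$1
    dup_sources | while read -r src count; do
        i=1
        while [ "$i" -lt "$count" ]; do
            echo "iptables -D $chain -s $src -j DROP"
            i=$((i + 1))
        done
    done
}

# Block helper that appends a rule only if none exists for the address yet.
# Assumes iptables -C (check) is available, i.e. iptables 1.4.11 or later.
block_once() {
    addr=$1
    iptables -C sshguard -s "$addr" -j DROP 2>/dev/null \
        || iptables -A sshguard -s "$addr" -j DROP
}

# Stand-alone usage: with --live, inspect the real chain; otherwise show the
# cleanup commands for the constructed sample (prints three -D commands).
if [ "${1:-}" = "--live" ]; then
    iptables -S sshguard | dedup_commands sshguard
else
    printf '%s\n' "$SAMPLE_RULES" | dedup_commands sshguard
fi
```

Run the printed `-D` commands (or pipe them to `sh`) to remove the extra rules; one rule per source is all the chain needs for the DROP to take effect.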