From: Mij <mi...@bi...> - 2009-04-17 08:17:14
On Apr 8, 2009, at 14:27, Greg Parrish wrote:

> I am still having this same issue as it continues every few days. This
> time had about 20 entries in the iptable sshguard chain before it
> stopped working.
>
> 1. Start sshguard using init script
> 2. Runs fine and stops attacks for days (verified with logwatch)
> 3. New logwatch shows many ssh root login attempts from single IP
> 4. Restart sshguard using init, clears iptables chain and begins
>    working
>
> I have verified the above using my own failed login from outside
> hosts.
>
> Again I stopped sshguard using pkill and then the init (which clears
> the chain filter list) and ran this manually as requested and it does
> nothing, no log, no screen output. Can I get some idea on how to
> better troubleshoot this issue please?

This is interesting news. I have never observed this behavior and I'm very interested in it. Please do this:

1) wait until you observe this behaviour (stopping recognition)
2) locate the place in logs where sshguard started last
3) send in all the log activity related to ssh after that. You can easily use awk to obfuscate hostnames, IPs and user names.

As I can't reproduce this behaviour, I don't see any other way to inspect the problem.

>
> [root@hostname ~]# /usr/local/sbin/sshguard -d -a 2 -p 2592000 -s 1800 -w /etc/sshguard.whitelist
> whitelist: add '192.168.122.234' as plain IPv4.
> whitelist: add plain ip 192.168.122.234.
> whitelist: add '127.0.0.1' as plain IPv4.
> whitelist: add plain ip 127.0.0.1.
> Started successfully [(a,p,s)=(2, 2592000, 1800)], now ready to scan.
>
>
> After a few attacks from the outside (>2) there is no blocking, no
> log, nothing when running this manually as suggested previously as
> seen above.
>
> Thanks much,
> -greg
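
The awk obfuscation suggested in step 3 above, as an added example that is not part of the original message or of sshguard. It replaces each distinct host name, user name and IPv4 address with a stable token, so repeated attempts from one source remain visible in the sanitized log. The function names `scrub_ssh_log` and `sample_log`, the classic syslog line layout and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): pseudonymise sshd log lines before posting.
# Every distinct host, user and IPv4 address gets a stable token, so repeated
# attempts from one source stay visible to whoever reads the log.
# Assumed layout: "Mon DD HH:MM:SS host sshd[pid]: message" (classic syslog).
scrub_ssh_log() {
    awk '
    # Map value v to a stable token such as IP-1, IP-2 within one run.
    function tok(kind, v) {
        if (!((kind, v) in seen)) seen[kind, v] = kind "-" (++count[kind])
        return seen[kind, v]
    }
    {
        line = $0
        # 1) Log host name: last word of the syslog prefix, spacing preserved.
        if (match(line, /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ /)) {
            n = split(substr(line, 1, RLENGTH), part, " ")
            h = length(part[n])
            line = substr(line, 1, RLENGTH - 1 - h) tok("HOST", part[n]) substr(line, RLENGTH)
        }
        # 2) User name in "... user NAME from" or "... for NAME from".
        pre = 0
        if (match(line, / user [^ ]+ from /)) pre = 6
        else if (match(line, / for [^ ]+ from /)) pre = 5
        if (pre) {
            name = substr(line, RSTART + pre, RLENGTH - pre - 6)
            line = substr(line, 1, RSTART + pre - 1) tok("USER", name) substr(line, RSTART + RLENGTH - 6)
        }
        # 3) Every IPv4 address, scanning left to right.
        out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            out = out substr(line, 1, RSTART - 1) tok("IP", substr(line, RSTART, RLENGTH))
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Constructed sample input (documentation addresses, made-up host and users).
sample_log() {
    cat <<'EOF'
Apr  8 14:01:02 gw1 sshd[4121]: Failed password for root from 203.0.113.7 port 40022 ssh2
Apr  8 14:01:05 gw1 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Apr  8 14:02:10 gw1 sshd[4130]: Invalid user test from 198.51.100.9
Apr  8 14:02:11 gw1 sshd[4130]: Failed password for root from 198.51.100.9 port 51514 ssh2
EOF
}
```

Feed the ssh-related lines logged since the last sshguard start to `scrub_ssh_log` on standard input. Host names that appear inside the message text (for example reverse-DNS names) are not covered by this filter and need a manual check.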