From: Mij <mi...@bi...> - 2009-04-17 08:19:24
On Mar 10, 2009, at 15:53 , Leonid Shulov wrote:

> sshguard has not stopped attack from IP, which were sent 1 ssh in 1
> second - to 2-10 seconds.
> In my opinion attack needs to be stopped if from one IP more -a<> hits
> in -p<> seconds.
>
> Mar 10 14:30:27 router sshd[28492]: Invalid user raimundo from 83.15.28.2
> Mar 10 14:30:28 router sshd[28494]: Invalid user joan from 83.15.28.2
> [...]
> Mar 10 14:31:17 router sshd[28550]: Invalid user altagracia from 83.15.28.2
> Mar 10 14:31:19 router sshd[28552]: Invalid user piedad from 83.19.51.22
> ........
>
> Now I try svn rev. 85 with:
> router:~/sshguard_svn_090310/sshguard/src# ./sshguard -d -a 2 -b 1:/var/cache/sshguard/blacklist

These entries are valid, they should be recognized. What does this latter test say?

When run regularly, you should see log entries like "Blocking 83.15.28.2:4 for ". If these don't appear, sshguard is probably not receiving such log messages. If they do appear and the address is not blocked, there may be a problem with the firewall backend (permissions, or mechanism).
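The rule discussed in this message (flag an address once it produces a set number of failures inside a time window), as an added example that is not part of the original post and is not sshguard's own code. The function name, the `threshold` and `window_seconds` parameters, the assumed year and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the message;
# the "pedro" line and the non-matching line are added for the example.
SAMPLE_LOG = """\
Mar 10 14:30:27 router sshd[28492]: Invalid user raimundo from 83.15.28.2
Mar 10 14:30:28 router sshd[28494]: Invalid user joan from 83.15.28.2
Mar 10 14:30:30 router cron[100]: session opened for user root
Mar 10 14:30:35 router sshd[28500]: Invalid user pedro from 83.15.28.2
Mar 10 14:31:17 router sshd[28550]: Invalid user altagracia from 83.15.28.2
Mar 10 14:31:19 router sshd[28552]: Invalid user piedad from 83.19.51.22
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_offenders(log_text, threshold=2, window_seconds=60, year=2009):
    """Map each offending IP to the time it first reached `threshold`
    failures within `window_seconds`. Syslog timestamps carry no year,
    so one is assumed."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # unrelated or unrecognised log line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(when)
        # Drop failures that have aged out of the sliding window.
        while (when - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        if len(hits) >= threshold and m.group(2) not in offenders:
            offenders[m.group(2)] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

Running it over the log file the daemon is supposed to be reading is a quick way to confirm that matching lines are actually present there.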