Menu
▾
▴
Re: [Sshguard-users] sshguard not blocking proftpd & dovecot bruteforces
|
From: Tobias L. <tl...@ga...> - 2009-07-31 10:53:50
|
On Fri, 31 Jul 2009 10:47:26 +0200 Mij <mi...@bi...> wrote: > > On Jul 31, 2009, at 02:57 , Tobias Lott wrote: > > > Dovecot looks fine: > > Jul 31 02:45:28 hostname dovecot: imap-login: Aborted login (auth > > failed, 1 attempts): user=<lala@lala>, method=PLAIN, > > rip=CC.CC.CC.CC, lip=SS.SS.SS.SS > > Jul 31 02:45:28 hostname sshguard[71965]: Blocking CC.CC.CC.CC:4 for > >> 300secs: 1 failures over 0 seconds. > > > > # pfctl -t sshguard -T show > > CC.CC.CC.CC > > > > > > Proftpd doesn't look that fine: > > Jul 31 02:47:49 hostname proftpd[72114]: hostname > > (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login > > failed): Limit access denies login > > Jul 31 02:47:49 hostname sshguard[71965]: > > Blocking ::ffff:CC.CC.CC.CC:6 for >300secs: 1 failures over 0 > > seconds. > > Jul 31 02:47:49 hostname proftpd[72114]: hostname > > (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session closed. > > Jul 31 02:48:05 hostname proftpd[72148]: hostname > > (clienthostname[::ffff:CC.CC.CC.CC]) - FTP session opened. > > Jul 31 02:48:05 hostname proftpd[72148]: hostname > > (clienthostname[::ffff:CC.CC.CC.CC]) - USER mysql (Login > > failed): Limit access denies login > > Jul 31 02:48:05 hostname sshguard[71965]: > > Blocking ::ffff:CC.CC.CC.CC:6 for >600secs: 1 failures over 0 > > seconds. > > Jul 31 02:48:05 hostname sshguard[71965]: Offender > > '::ffff:CC.CC.CC.CC:6' seen 2 times. > > > > # pfctl -t sshguard -T show > > ::ffff:CC.CC.CC.CC > > looks good, what's wrong? > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 > 30-Day trial. Simplify your report design, integration and deployment > - and focus on what you do best, core application coding. Discover > what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Sshguard-users mailing list > Ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users The Problem is that ::ffff:CC.CC.CC.CC is not a Valid IP Address for PF. Somehow Proftpd just puts ::ffff: in front of the real IPv4 Address so thats gotta be stripped off. Think I should dig up why proftpd is doing that. -- Tobias Lott |
