From: Christopher C. <chr...@gm...> - 2010-04-02 17:19:23
Hi! I've got sshguard up and running, but it's not really blocking connection attempts to ssh. To test it, I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into my machine which is running sshguard. From auth.log, I can see that sshguard logged the attacks and "said" that the attacking ip was being blocked. However, after multiple failed login attempts, I was still able to log in. Below, from the output of iptables -L, it seems that the ip address is being dropped, and thus, should be blocked. One caveat: I was using my username, which is the only username allowed in sshd_config. I don't know if this will override sshguard's blocking.

>> From auth.log <<

Apr 1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
Apr 1 22:44:24 sherpa sshguard[4058]: Found!
Apr 1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
Apr 1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Apr 1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in 4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
----------------------------------------------------------------------

>> From iptables -L <<

DROP       icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain sshguard (2 references)
target     prot opt source               destination
DROP       all  --  121.138.219.132      anywhere
[... the same DROP rule for 121.138.219.132 repeated many more times ...]
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
[root@sherpa log]#
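A populated sshguard chain only blocks anything if packets actually reach it: iptables evaluates INPUT top to bottom, so an ACCEPT for RELATED,ESTABLISHED or for the SSH port placed before the jump to the sshguard chain lets those packets through without ever hitting the DROP rules. The script below is an added example, not code from the original post or from sshguard: it parses `iptables -S INPUT`-style rule lines (a constructed sample is embedded) and reports which ACCEPT rules shadow the jump; the chain name `sshguard` and port 22 are assumptions.

```python
import re

# Constructed sample of `iptables -S INPUT` output (not from the original post):
# two ACCEPT rules sit in front of the jump to the sshguard chain.
SAMPLE_INPUT_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard
-A INPUT -p icmp -j DROP
"""

SSH_PORT = "22"  # assumption: sshd listens on the default port


def parse_rules(text):
    """Turn `iptables -S <chain>` output into (position, target, rule_text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip policy (-P) and chain-creation (-N) lines
        m = re.search(r"-j (\S+)", line)
        rules.append((len(rules) + 1, m.group(1) if m else None, line))
    return rules


def accepts_ssh(rule):
    """True if this rule would ACCEPT SSH packets on its own."""
    _, target, text = rule
    if target != "ACCEPT":
        return False
    if "ESTABLISHED" in text:
        return True  # an already-open brute-force session keeps flowing
    if f"--dport {SSH_PORT}" in text:
        return True
    # no protocol and no port match at all: accepts SSH along with everything else
    return re.search(r"\s-p\s", text) is None and "--dport" not in text


def audit_sshguard_chain(text, chain="sshguard"):
    """Report whether the jump to `chain` exists and which earlier rules shadow it."""
    rules = parse_rules(text)
    jump_pos = next((pos for pos, tgt, _ in rules if tgt == chain), None)
    if jump_pos is None:
        return {"jump_present": False, "shadowing_rules": []}
    shadowing = [r[2] for r in rules if r[0] < jump_pos and accepts_ssh(r)]
    return {"jump_present": True, "jump_position": jump_pos, "shadowing_rules": shadowing}


if __name__ == "__main__":
    for rule in audit_sshguard_chain(SAMPLE_INPUT_RULES)["shadowing_rules"]:
        print("accepts SSH before the sshguard jump:", rule)
```

Feed it the real output of `iptables -S INPUT`; an empty `shadowing_rules` list with `jump_present` true means new connections from a blocked address will reach the DROP rules.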