From: Robert S <rob...@gm...> - 2010-05-14 09:20:05
Hi. I have tried this with log sucking and direct feed from a FIFO with similar results. This is certainly a lot better, but there are still some false positives:

May 14 01:31:31 hostname sshd[21193]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:32 hostname sshguard[21993]: Ignore attack as pid '21193' has been forged for service 100.
May 14 01:31:35 hostname sshd[21199]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:39 hostname sshd[21202]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:43 hostname sshd[21208]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshd[21219]: User root from 64.179.173.93 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 hostname sshguard[21993]: Blocking 64.179.173.93:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
May 14 02:27:55 hostname sshd[21341]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:56 hostname sshguard[21993]: Ignore attack as pid '21341' has been forged for service 100.
May 14 02:27:57 hostname sshd[21343]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:27:58 hostname sshd[21347]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:00 hostname sshd[21350]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshd[21353]: User root from 59.188.11.38 not allowed because none of user's groups are listed in AllowGroups
May 14 02:28:02 hostname sshguard[21993]: Blocking 59.188.11.38:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
May 14 02:33:33 hostname sshd[21376]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:33 hostname sshguard[21993]: Ignore attack as pid '21376' has been forged for service 100.
May 14 02:33:36 hostname sshd[21379]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:38 hostname sshd[21382]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:41 hostname sshd[21385]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshd[21388]: User root from 122.166.36.130 not allowed because none of user's groups are listed in AllowGroups
May 14 02:33:45 hostname sshguard[21993]: Blocking 122.166.36.130:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
May 14 04:10:27 hostname sshd[21735]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:31 hostname sshd[21738]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:35 hostname sshd[21741]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshd[21744]: User root from 122.0.19.18 not allowed because none of user's groups are listed in AllowGroups
May 14 04:10:39 hostname sshguard[21993]: Blocking 122.0.19.18:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).

Robert.
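The log above shows two separate mechanisms at work: each AllowGroups rejection is scored at 10 danger and the source is blocked once it reaches 40, while a separate "pid has been forged" check discards some lines before they are scored. The following is an added example written for this page, not sshguard's code, that implements the accumulate-and-block part over a constructed log sample in the same sshd format (documentation IPs, not the addresses in the post). The pid-ordering check in it is an assumption chosen to illustrate why a log-injection guard based on pid values is a heuristic, and does not claim to reproduce sshguard's actual test; the attack window, block length and log year are likewise assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd's AllowGroups rejection as quoted in the post: syslog prefix, sshd[pid], then the message.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"User (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) not allowed because "
    r"none of user's groups are listed in AllowGroups$"
)

# 10 danger per attack and a 40 threshold match the sshguard figures in the post's log.
# The window, block length and log year are assumptions made for this example.
DANGER_PER_ATTACK = 10
BLOCK_THRESHOLD = 40
ATTACK_WINDOW = 1200   # seconds an attack keeps counting toward the threshold (assumption)
BLOCK_SECONDS = 630    # taken from ">630secs" in the post; sshguard's own schedule differs (assumption)
LOG_YEAR = 2010        # syslog timestamps carry no year (assumption)

# Constructed sample in the post's format (documentation IPs, not the post's data). Line 3 is an
# injected-looking entry whose pid runs far below its neighbours; line 7 is unrelated noise.
SAMPLE_LOG = """\
May 14 01:31:31 host sshd[21193]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:35 host sshd[21199]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:38 host sshd[1200]: User root from 203.0.113.9 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:39 host sshd[21202]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:43 host sshd[21208]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:47 host sshd[21219]: User root from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
May 14 01:31:50 host sshd[21221]: Accepted publickey for alice from 198.51.100.20 port 50000 ssh2
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


class Blocker:
    """Per-source danger accumulator with a pid-ordering sanity check."""

    def __init__(self):
        self.attacks = defaultdict(list)  # ip -> timestamps of attacks still inside the window
        self.blocked = {}                 # ip -> time the block expires
        self.last_pid = None              # highest sshd pid accepted so far
        self.events = []                  # human-readable decisions, sshguard-style

    def feed(self, line: str):
        m = SSHD_RE.match(line)
        if not m:
            return None                   # not an attack line this example understands
        ts, pid, ip = parse_ts(m["ts"]), int(m["pid"]), m["ip"]

        # pid sanity check (assumption, not sshguard's algorithm): sshd forks a child per
        # connection, so pids in a genuine log climb; a pid below the last accepted one is
        # treated as possibly injected into the log by an attacker and discarded. Pid
        # wrap-around and out-of-order delivery make this a heuristic that can also drop
        # real attacks, which is the failure mode worth watching for.
        if self.last_pid is not None and pid < self.last_pid:
            self.events.append(f"ignore pid {pid} from {ip}: below last accepted pid {self.last_pid}")
            return "ignored"
        self.last_pid = pid

        if ip in self.blocked and ts < self.blocked[ip]:
            return "already-blocked"

        # forget attacks that fell out of the window, then score this one
        hits = [t for t in self.attacks[ip] if (ts - t).total_seconds() <= ATTACK_WINDOW]
        hits.append(ts)
        danger = DANGER_PER_ATTACK * len(hits)
        if danger >= BLOCK_THRESHOLD:
            span = int((ts - hits[0]).total_seconds())
            self.blocked[ip] = ts + timedelta(seconds=BLOCK_SECONDS)
            self.attacks[ip] = []
            self.events.append(
                f"block {ip} for {BLOCK_SECONDS}s: {danger} danger in {len(hits)} attacks over {span}s")
            return "blocked"
        self.attacks[ip] = hits
        return "counted"


def run(log: str) -> tuple:
    """Feed every line of a log to a fresh Blocker; returns (blocker, per-line decisions)."""
    b = Blocker()
    decisions = [b.feed(line) for line in log.splitlines()]
    return b, decisions


if __name__ == "__main__":
    blocker, decisions = run(SAMPLE_LOG)
    for d, line in zip(decisions, SAMPLE_LOG.splitlines()):
        print(f"{d!s:16} {line[:60]}")
    print(*blocker.events, sep="\n")
```

On the constructed sample the fourth accepted rejection from 198.51.100.7 trips the 40 threshold after 12 seconds, mirroring the shape of the sshguard "Blocking ... 40 danger in 4 attacks over 12 seconds" line in the post, and the low-pid line from 203.0.113.9 is dropped by the ordering check rather than scored.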