From: Krzysztof K. <krz...@gm...> - 2011-07-10 09:17:28
Hi,

I have FreeBSD 8.1
sshguard: sshguard-pf-1.5

Syslog configured like:

    box1# grep ssh /etc/syslog.conf
    auth.info;authpriv.info;mail.info | exec /usr/local/sbin/sshguard -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
    auth.info;authpriv.info;mail.info /var/log/sshguard.log
    box1#

And at /var/log/sshguard.log the messages are like:

    Jul 6 11:49:40 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
    Jul 6 11:49:46 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS
    Jul 6 11:49:52 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS

SSH blocking is working.

    box1# grep guard /etc/pf.conf
    table <sshguard> persist
    block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard ssh bruteforce"
    block in quick on $ext_if proto tcp from <sshguard> to any port 993 label "sshguard imap bruteforce"
    box1#

According to:
http://www.sshguard.net/docs/reference/attack-signatures/

It should be something like:

    dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1

Even when I try to log in many times it always reports 1 login.

    Disconnected (auth failed, 1 attempts)

Any idea where the issue can be?

--
Best Regards / Pozdrawiam
Krzysztof
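Added example, not part of the original post and not sshguard's own parser: a Python check that runs the log lines quoted above against a pattern modelled on the documented "Aborted login" sample line, and against a looser pattern that also accepts the "Disconnected" wording. Both regexes, the function names and the threshold are assumptions made for this illustration; the threshold is the example's own counter and does not model sshguard's `-a` option.

```python
import re
from collections import Counter

# Common tail: "(auth failed, N attempts): ... rip=<address>"
TAIL = r" \(auth failed, (?P<n>\d+) attempts\):.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"

# Assumption: modelled only on the sample line quoted from the signatures page.
DOCUMENTED = re.compile(r"imap-login: Aborted login" + TAIL)
# Assumption: looser variant that also accepts the wording seen in the post's log.
RELAXED = re.compile(r"imap-login: (?:Aborted login|Disconnected)" + TAIL)

# Log lines copied from the post (three from sshguard.log, one from the docs quote).
SAMPLE = [
    "Jul 6 11:49:40 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS",
    "Jul 6 11:49:46 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS",
    "Jul 6 11:49:52 box1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
    "user=<user1>, method=PLAIN, rip=91.94.202.47, lip=X.X.X.X, TLS",
    "dovecot default imap-login: Aborted login (auth failed, 6 attempts): "
    "XYZ rip=6.6.6.0, lip=127.0.0.1",
]


def failures_by_source(lines, pattern):
    """Sum the reported failed attempts per remote IP for lines the pattern matches."""
    totals = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            totals[m.group("rip")] += int(m.group("n"))
    return totals


def over_threshold(lines, pattern, threshold):
    """Return the sorted remote IPs whose summed failures reach the threshold."""
    totals = failures_by_source(lines, pattern)
    return sorted(ip for ip, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for name, pat in (("documented", DOCUMENTED), ("relaxed", RELAXED)):
        print(name, dict(failures_by_source(SAMPLE, pat)), over_threshold(SAMPLE, pat, 3))
```

Because each "Disconnected" line reports only one attempt, the relaxed pattern has to sum across lines per source address to see the repeated failures.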