From: Brian P. <bri...@bo...> - 2013-02-11 21:46:36

Hello,

I'm finding that some break-in attempts are being missed by sshguard while others aren't. I'm seeing:

Feb 11 00:00:53 server1 sshd[57146]: Invalid user www-data from 121.197.3.180
Feb 11 00:00:53 server1 sshd[57147]: Address 121.197.3.180 maps to ip197.hichina.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

This IP isn't blocked and occurs hundreds of times. But lines like:

Feb 11 13:35:36 server1 sshd[10749]: Invalid user a from 121.125.73.22
Feb 11 13:35:36 server1 sshd[10750]: Invalid user a from 121.125.73.22
Feb 11 13:35:37 server1 sshd[10751]: Invalid user a from 121.125.73.22
Feb 11 13:35:37 server1 sshd[10752]: Invalid user a from 121.125.73.22

do result in a block.

sshguard 1.5.0 on FreeBSD 8.0 RELEASE. In interactive mode it appears that sshguard is reading both lines as one.

Thanks,
Brian