From: @lbutlr <kr...@kr...> - 2015-07-23 10:24:23
On Jul 22, 2015, at 8:58 PM, Kevin Zheng <kev...@gm...> wrote:
> env SSHGUARD_DEBUG=yes sshguard -b 40:/var/db/sshguard/blacklist.db -l
> /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w
> /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

SSHGuard version sshguard-1.5_12
Adding '/var/log/auth.log' to polled files.
Registering events.
Setting 2 events for 1 (act+inact) files.
File '/var/log/auth.log' added, fd 4, serial 5297173.
Adding '/var/log/maillog' to polled files.
Registering events.
Setting 4 events for 2 (act+inact) files.
File '/var/log/maillog' added, fd 5, serial 5297154.
whitelist: add '230.240.250.260' as plain IPv4.
whitelist: add plain IPv4 230.240.250.260.
whitelist: add '230.240.250.261' as plain IPv4.
whitelist: add plain IPv4 230.240.250.261.
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain IPv4 127.0.0.1.
Blacklist loaded, blocking 56 addresses.

… the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?

sshguard 1.5.0
Copyright (c) 2007,2008 Mij <mi...@ss...>
This is free software; see the source for conditions on copying.
I’ve removed the hosts.deny file and started sshguard again:

$ cat hosts.allow
###sshguard###
ALL : 200.114.65.111 45.114.11.16 111.207.126.80 45.114.11.34 190.60.31.107 218.65.30.92 218.65.30.23 122.243.249.122 : DENY
ALL : 2.115.68.148 198.252.66.108 125.69.80.32 218.65.30.73 82.208.235.94 183.60.175.149 182.100.67.114 61.36.33.233 : DENY
ALL : 45.114.11.13 218.87.111.116 218.26.243.138 113.11.197.233 193.201.227.30 218.65.30.217 58.218.211.166 221.179.89.90 : DENY
ALL : 218.65.30.61 218.87.109.60 119.147.47.94 190.9.130.71 182.100.67.112 219.229.222.4 62.210.7.160 113.195.145.12 : DENY
ALL : 45.114.11.41 45.114.11.29 23.91.120.48 45.114.11.39 184.168.119.160 91.199.151.85 45.114.11.51 218.200.188.213 : DENY
ALL : 198.58.95.66 109.169.74.58 14.63.161.216 193.107.17.72 182.100.67.102 45.55.76.112 162.250.126.81 218.87.111.110 : DENY
ALL : 103.17.107.18 193.104.41.53 45.114.11.14 23.21.125.218 71.245.177.204 45.114.11.28 191.235.188.206 45.114.11.26 : DENY
ALL : : DENY
###sshguard###

This time, my home IP is not listed there, and many IPs are listed which show up in /var/log/auth.log trying to ssh as the root user, so that’s good. I’m going to keep an eye on it, and restore the rest of hosts.allow from the backup.

Jul 23 02:44:04 mail sshguard[3339]: Offender '200.114.65.111:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Jul 23 02:44:04 mail sshguard[3339]: Blocking 200.114.65.111:4 for >0secs: 40 danger in 4 attacks over 757 seconds (all: 40d in 1 abuses over 757s).

-- 
'It's still a lie. Like the lie about masks.' 'What lie about masks?' 'The way people say they hide faces.' 'They do hide faces,' said Nanny Ogg. 'Only the one on the outside.' --Maskerade
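The check the poster does by eye above (is my own address sitting inside sshguard's DENY rules?) is easy to script. The following is an added example, not code from the thread or from the sshguard project: it parses the `###sshguard###`-delimited block that sshguard 1.5 writes into `hosts.allow`, reports any whitelist entry that nonetheless appears in a DENY rule, and extracts the addresses from sshguard's `Blocking ...` syslog lines (the digit after the address in those lines is the address family, as in the log lines quoted above). The sample `hosts.allow`, whitelist and log lines are constructed from RFC 5737 / RFC 3849 documentation addresses, not from the thread. Rules outside the marker pair are deliberately ignored so that hand-written `ALLOW` lines are never mistaken for sshguard's; a rule with an empty client list, like the `ALL : : DENY` line above, yields no addresses.

```python
import ipaddress
import re

# Marker that sshguard 1.5 writes around the lines it manages in hosts.allow.
MARKER = "###sshguard###"

# One sshguard-written hosts.allow rule: "ALL : <addresses> : DENY".
# Non-greedy group plus the "$" anchor lets bracketed IPv6 addresses (which
# contain colons) survive inside the address list.
RULE_RE = re.compile(r"^ALL\s*:\s*(.*?)\s*:\s*DENY$")

# The syslog line sshguard emits when it blocks an address; the single digit
# after the address is the address family (4 or 6).
BLOCK_RE = re.compile(
    r"sshguard\[\d+\]: Blocking (?P<addr>\S+):(?P<family>[46]) for >?(?P<secs>\d+)secs"
)


def parse_address(token):
    """Parse an IPv4 or bracketed IPv6 token; return None for anything else."""
    try:
        return ipaddress.ip_address(token.strip("[]"))
    except ValueError:
        return None


def sshguard_blocked_addresses(hosts_allow_text):
    """Return the set of addresses listed in the ###sshguard### block.

    Only lines between the two markers are considered, so rules the admin
    wrote by hand outside that block are never attributed to sshguard.
    """
    inside = False
    blocked = set()
    for line in hosts_allow_text.splitlines():
        stripped = line.strip()
        if stripped == MARKER:
            inside = not inside
            continue
        if not inside:
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue
        for token in m.group(1).split():
            addr = parse_address(token)
            if addr is not None:
                blocked.add(addr)
    return blocked


def whitelisted_but_blocked(hosts_allow_text, whitelist):
    """Return whitelist entries that nonetheless appear in sshguard's DENY rules."""
    blocked = sshguard_blocked_addresses(hosts_allow_text)
    wanted = {a for a in (parse_address(w) for w in whitelist) if a is not None}
    return sorted(str(a) for a in blocked & wanted)


def blocked_from_log(log_lines):
    """Extract (address, family, seconds) from sshguard 'Blocking ...' log lines."""
    events = []
    for line in log_lines:
        m = BLOCK_RE.search(line)
        if m:
            events.append((m.group("addr"), int(m.group("family")), int(m.group("secs"))))
    return events


# Constructed sample input (documentation addresses, not the thread's): one
# hand-written ALLOW rule outside the markers, then an sshguard block that
# happens to contain a whitelisted address.
SAMPLE_HOSTS_ALLOW = """\
sshd : 203.0.113.10 : ALLOW
###sshguard###
ALL : 198.51.100.7 198.51.100.8 192.0.2.44 [2001:db8::5] : DENY
ALL : 192.0.2.45 203.0.113.10 : DENY
ALL : : DENY
###sshguard###
"""

SAMPLE_WHITELIST = ["203.0.113.10", "127.0.0.1"]

# Constructed log lines in the same shape as the ones quoted in the thread.
SAMPLE_LOG = [
    "Jul 23 02:44:04 mail sshguard[3339]: Offender '198.51.100.7:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.",
    "Jul 23 02:44:04 mail sshguard[3339]: Blocking 198.51.100.7:4 for >0secs: 40 danger in 4 attacks over 757 seconds (all: 40d in 1 abuses over 757s).",
    "Jul 23 02:50:11 mail sshguard[3339]: Blocking 2001:db8::5:6 for 420secs: 40 danger in 4 attacks over 300 seconds.",
]

if __name__ == "__main__":
    print("sshguard is denying:", sorted(str(a) for a in sshguard_blocked_addresses(SAMPLE_HOSTS_ALLOW)))
    print("whitelisted yet denied:", whitelisted_but_blocked(SAMPLE_HOSTS_ALLOW, SAMPLE_WHITELIST))
    print("block events in log:", blocked_from_log(SAMPLE_LOG))
```

To run it against a real system, read `/etc/hosts.allow` and the whitelist file into the two arguments instead of the constructed samples; a non-empty result from `whitelisted_but_blocked` is the condition the thread is worried about.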