From: <li...@la...> - 2015-08-25 03:12:14
I put the rule at 550. However, I'm not sure it is blocking properly, or this particular attack is something sshguard does not block.

Aug 22 18:41:37 theranch sshd[75277]: Did not receive identification string from 106.37.194.226
Aug 22 18:46:57 theranch sshd[75300]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 18:46:58 theranch sshd[75300]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 18:52:31 theranch sshd[75309]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 18:52:31 theranch sshd[75309]: Invalid user ghost from 106.37.194.226
Aug 22 18:52:31 theranch sshd[75309]: input_userauth_request: invalid user ghost [preauth]
Aug 22 18:52:31 theranch sshd[75309]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 18:52:31 theranch sshguard[808]: blacklist: added 106.37.194.226
Aug 22 18:52:31 theranch sshguard[808]: Blocking 106.37.194.226:4 for >0secs: 40 danger in 4 attacks over 653 seconds (all: 40d in 1 abuses over 653s).
Aug 22 18:56:54 theranch sshd[75332]: Received disconnect from 43.229.53.69: 11: [preauth]
Aug 22 18:58:25 theranch sshd[75335]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 18:58:25 theranch sshd[75335]: Invalid user admin from 106.37.194.226
Aug 22 18:58:25 theranch sshd[75335]: input_userauth_request: invalid user admin [preauth]
Aug 22 18:58:25 theranch sshd[75335]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:14:59 theranch sshd[75391]: Invalid user chocolate from 121.12.125.23
Aug 22 19:14:59 theranch sshd[75391]: input_userauth_request: invalid user chocolate [preauth]
Aug 22 19:15:00 theranch sshd[75391]: Connection closed by 121.12.125.23 [preauth]
Aug 22 19:15:47 theranch sshd[75396]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:15:47 theranch sshd[75396]: Invalid user deploy from 106.37.194.226
Aug 22 19:15:47 theranch sshd[75396]: input_userauth_request: invalid user deploy [preauth]
Aug 22 19:15:47 theranch sshd[75396]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:21:06 theranch sshd[75405]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:21:06 theranch sshd[75405]: Invalid user git from 106.37.194.226
Aug 22 19:21:06 theranch sshd[75405]: input_userauth_request: invalid user git [preauth]
Aug 22 19:21:07 theranch sshd[75405]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:26:28 theranch sshd[75426]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:26:28 theranch sshd[75426]: Invalid user git from 106.37.194.226
Aug 22 19:26:28 theranch sshd[75426]: input_userauth_request: invalid user git [preauth]
Aug 22 19:26:28 theranch sshd[75426]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:31:48 theranch sshd[75437]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:31:48 theranch sshd[75437]: Invalid user oracle from 106.37.194.226
Aug 22 19:31:48 theranch sshd[75437]: input_userauth_request: invalid user oracle [preauth]
Aug 22 19:31:48 theranch sshd[75437]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:37:07 theranch sshd[75459]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:37:07 theranch sshd[75459]: Invalid user test from 106.37.194.226
Aug 22 19:37:07 theranch sshd[75459]: input_userauth_request: invalid user test [preauth]
Aug 22 19:37:07 theranch sshd[75459]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:42:23 theranch sshd[75468]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:42:23 theranch sshd[75468]: Invalid user tomcat from 106.37.194.226
Aug 22 19:42:23 theranch sshd[75468]: input_userauth_request: invalid user tomcat [preauth]
Aug 22 19:42:23 theranch sshd[75468]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:49:33 theranch sshd[75494]: Received disconnect from 43.229.53.69: 11: [preauth]
Aug 22 19:50:48 theranch sshd[75500]: Did not receive identification string from 125.122.221.95
Aug 22 19:54:04 theranch sshd[75504]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:54:04 theranch sshd[75504]: Invalid user tomcat from 106.37.194.226
Aug 22 19:54:04 theranch sshd[75504]: input_userauth_request: invalid user tomcat [preauth]
Aug 22 19:54:04 theranch sshd[75504]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 19:57:18 theranch sshd[75524]: Received disconnect from 222.186.21.225: 11: [preauth]
Aug 22 19:59:37 theranch sshd[75528]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:59:37 theranch sshd[75528]: Invalid user tomcat4 from 106.37.194.226
Aug 22 19:59:37 theranch sshd[75528]: input_userauth_request: invalid user tomcat4 [preauth]
Aug 22 19:59:37 theranch sshd[75528]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 20:02:32 theranch sshd[75550]: Did not receive identification string from 14.159.103.107
Aug 22 20:04:47 theranch sshd[75554]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 20:04:47 theranch sshd[75554]: Invalid user postgres from 106.37.194.226
Aug 22 20:04:47 theranch sshd[75554]: input_userauth_request: invalid user postgres [preauth]
Aug 22 20:04:48 theranch sshd[75554]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 20:10:07 theranch sshd[75565]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 20:10:07 theranch sshd[75565]: Invalid user postgres from 106.37.194.226
Aug 22 20:10:07 theranch sshd[75565]: input_userauth_request: invalid user postgres [preauth]
Aug 22 20:10:07 theranch sshd[75565]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 20:15:23 theranch sshd[75586]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 20:15:23 theranch sshd[75586]: Invalid user offline from 106.37.194.226
Aug 22 20:15:23 theranch sshd[75586]: input_userauth_request: invalid user offline [preauth]
Aug 22 20:15:23 theranch sshd[75586]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 20:20:37 theranch sshd[75598]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 20:20:37 theranch sshd[75598]: Invalid user oracle from 106.37.194.226
Aug 22 20:20:37 theranch sshd[75598]: input_userauth_request: invalid user oracle [preauth]
Aug 22 20:20:37 theranch sshd[75598]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]
Aug 22 20:25:51 theranch sshd[75620]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 20:25:51 theranch sshd[75620]: Invalid user public from 106.37.194.226
Aug 22 20:25:51 theranch sshd[75620]: input_userauth_request: invalid user public [preauth]
Aug 22 20:25:51 theranch sshd[75620]: Received disconnect from 106.37.194.226: 11: Bye Bye [preauth]

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00550 deny log ip from table(22) to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
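Added example, not part of the post above and not sshguard's own code: a small Python check that answers the poster's question directly by correlating the sshguard "Blocking" line with later sshd events from the same address, run over a constructed subset of the quoted log (the year is assumed to be 2015, since syslog timestamps carry none).

```python
import re
from datetime import datetime

# Constructed sample: a subset of the sshd/sshguard lines quoted in the post above.
SAMPLE_LOG = """\
Aug 22 18:46:57 theranch sshd[75300]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 18:52:31 theranch sshd[75309]: Invalid user ghost from 106.37.194.226
Aug 22 18:52:31 theranch sshguard[808]: blacklist: added 106.37.194.226
Aug 22 18:52:31 theranch sshguard[808]: Blocking 106.37.194.226:4 for >0secs: 40 danger in 4 attacks over 653 seconds (all: 40d in 1 abuses over 653s).
Aug 22 18:58:25 theranch sshd[75335]: Invalid user admin from 106.37.194.226
Aug 22 19:14:59 theranch sshd[75391]: Invalid user chocolate from 121.12.125.23
Aug 22 19:15:47 theranch sshd[75396]: reverse mapping checking getaddrinfo for 226.194.37.106.static.bjtelecom.net [106.37.194.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 22 19:15:47 theranch sshd[75396]: Invalid user deploy from 106.37.194.226
"""

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (sshd|sshguard)\[\d+\]: (.*)$')
BLOCK_RE = re.compile(r'^Blocking (\d+(?:\.\d+){3}):')
# Bracketed address first: in "reverse mapping" lines the PTR name
# (226.194.37.106.static...) would otherwise be mistaken for the client.
CLIENT_RE = re.compile(r'\[(\d+(?:\.\d+){3})\]|(?:from|by) (\d+(?:\.\d+){3})')


def attempts_after_block(log_text, year=2015):
    """Map each address sshguard reported as blocked to the sshd events seen
    from it afterwards; a non-empty list means the firewall rule did not take."""
    blocked_at, leaked = {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), m.group(3)
        if prog == "sshguard":
            b = BLOCK_RE.match(msg)
            if b:
                blocked_at.setdefault(b.group(1), ts)
                leaked.setdefault(b.group(1), [])
            continue
        c = CLIENT_RE.search(msg)
        if c:
            ip = c.group(1) or c.group(2)
            if ip in blocked_at and ts > blocked_at[ip]:
                leaked[ip].append((ts.strftime("%H:%M:%S"), msg))
    return leaked


if __name__ == "__main__":
    for ip, events in attempts_after_block(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} sshd event(s) after sshguard reported blocking it")
```

On the full log from the post this reports 106.37.194.226 reaching sshd repeatedly after the 18:52:31 block, which is the symptom to take to the firewall side (the table rule 550 refers to) rather than to sshguard's detection.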