From: Kevin Z. <kev...@gm...> - 2016-01-21 19:38:56
On 01/21/2016 10:51, Emmanuel wrote:
> I run sshguard without any flags so far. Sending journalctl data to it with
>
> /bin/sh -c 'journalctl --no-pager -q -f -t sshd | sed -u
> "s/\\[[0-9]*\\]//" | docker run -i --name sshguard --rm --net=host
> --privileged mischief/sshguard:1.6.0'
>
> The 'sed' part is meant to strip the PID info as I understand sshguard
> tries to match PIDs but CoreOS uses inetd sshd and sshguard would reject
> that

I've never run SSHGuard using systemd(8) before, so I won't be much help
there. You've made sure that the logs are coming out of the pipe?

> Prior I have set:
> /usr/sbin/iptables -D INPUT -j sshguard
> /usr/sbin/ip6tables -D INPUT -j sshguard
> /usr/sbin/iptables -A INPUT -j sshguard
> /usr/sbin/ip6tables -A INPUT -j sshguard
>
> I would expect sshguard to create iptables rules, but I don't see any
> even though my journalctl logs show attacks happening.
> I would like to know:
>
> *1) What should the rules look like?*

Not sure (as I don't run iptables). I'm sure someone on this list knows.

> *2) How is the 'score' calculated? I see the default is 40, but what
> does 40 equate to in terms of number of attempts etc?*

Each attempt (currently) adds a score of 10. The default is to block an
address when the score reaches 40 (4 attacks).

> *3) Does sshguard log banned addresses somewhere?*

SSHGuard logs what it does to syslog.

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
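An added illustration (not from this thread or from the sshguard project) of the two points above: the PID stripping that the `sed` in Emmanuel's pipeline performs, and the scoring Kevin describes (10 per attempt, block at 40). The journal lines are constructed, and the "Failed password" pattern and per-address bookkeeping are a simplified stand-in for sshguard's own parser, not its real implementation.

```python
import re
from collections import defaultdict

# After the shell's double-quote processing, sed sees s/\[[0-9]*\]//,
# which turns "sshd[1201]:" into "sshd:". This is the same substitution.
PID_RE = re.compile(r"\[[0-9]*\]")

# Simplified stand-in for the sshd failure line sshguard counts as an attack
# (assumption: only "Failed password" lines are scored here).
FAILED_RE = re.compile(
    r"sshd: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

ATTACK_SCORE = 10     # score added per attempt, as stated in the reply
BLOCK_THRESHOLD = 40  # default threshold; reached after 4 attacks

# Constructed sample journal output (journalctl -t sshd style), not real data.
SAMPLE_LOG = """\
Jan 21 10:40:01 core-01 sshd[1201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jan 21 10:40:03 core-01 sshd[1201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jan 21 10:40:05 core-01 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51140 ssh2
Jan 21 10:40:06 core-01 sshd[1204]: Accepted publickey for core from 192.0.2.10 port 40022 ssh2
Jan 21 10:40:09 core-01 sshd[1205]: Failed password for root from 198.51.100.7 port 51150 ssh2
Jan 21 10:40:12 core-01 sshd[1206]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""


def strip_pid(line):
    """Remove the bracketed PID exactly as the sed stage in the pipeline does."""
    return PID_RE.sub("", line)


def score_attacks(lines):
    """Accumulate a score per source address; return (scores, blocked_in_order).

    An address is appended to the blocked list the moment its score reaches
    BLOCK_THRESHOLD, and further attempts from it are ignored, which is what
    a firewall rule inserted into the sshguard chain would achieve.
    """
    scores = defaultdict(int)
    blocked = []
    for raw in lines:
        match = FAILED_RE.search(strip_pid(raw))
        if not match:
            continue  # successful logins and unrelated lines are not scored
        addr = match.group(1)
        if addr in blocked:
            continue
        scores[addr] += ATTACK_SCORE
        if scores[addr] >= BLOCK_THRESHOLD:
            blocked.append(addr)
    return dict(scores), blocked


if __name__ == "__main__":
    totals, banned = score_attacks(SAMPLE_LOG.splitlines())
    print("scores:", totals)
    print("blocked:", banned)
```

Running it shows 198.51.100.7 reaching a score of 40 on its fourth failure and being blocked, while 203.0.113.9 stays at 10.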