From: Kevin Z. <kev...@gm...> - 2016-07-28 19:34:50
On 07/28/2016 00:20, li...@la... wrote:
> Looking at the log, 162.144.102.19 is worthy of blocking, but it wasn't
> blocked.

This is not technically a bug because the code is behaving as written. I think the bug is in the policy itself. Here's what's going on:

1. The "POSSIBLE BREAK-IN ATTEMPT" is not considered an attack. This message shows up when a reverse DNS lookup doesn't match, but the actual attack is the "Connection closed" line. They're not two separate attacks.

2. Attackers are purged 30 minutes after their *first* attack, not their most recent attack. The first attack was at 04:48:34, and so by the time the third attack that would have triggered a block rolled around (05:31:03), the attacker's earlier attacks were already forgotten.

This latter issue is something worth fixing. Suggestions? Perhaps it's better to change the policy to purge 30 minutes after the most *recent* attack.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
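The purge-policy difference Kevin describes, replayed as an added example (this is not DenyHosts code and does not reflect its internals). The tracker counts failed-login events per IP and forgets an IP 30 minutes after either its first or its most recent failure. The first and third timestamps (04:48:34 and 05:31:03) and the address 162.144.102.19 come from the thread; the middle timestamp, the date, and the block threshold of 3 are constructed assumptions.

```python
"""First-seen expiry vs sliding-window expiry for a failed-login tracker.

Added example, not DenyHosts code. With entries forgotten 30 minutes after the
FIRST failure, the third failure at 05:31:03 lands on an empty record and no
block happens. With entries forgotten 30 minutes after the MOST RECENT
failure, the third failure triggers the block.
"""
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(minutes=30)
BLOCK_THRESHOLD = 3  # assumed: the message says the third attack would block


def ts(hhmmss, day="2016-07-28"):
    """Build a datetime from an 'HH:MM:SS' log time on a fixed (constructed) day."""
    return datetime.strptime(f"{day} {hhmmss}", "%Y-%m-%d %H:%M:%S")


def blocked_ips(events, anchor):
    """Replay (timestamp, ip) failures and return the set of IPs that reach
    BLOCK_THRESHOLD. anchor selects the purge policy:
      "first"  - forget an IP PURGE_AFTER after its first recorded failure
      "recent" - forget an IP PURGE_AFTER after its most recent failure
    """
    if anchor not in ("first", "recent"):
        raise ValueError("anchor must be 'first' or 'recent'")
    first_seen, last_seen, counts = {}, {}, {}
    blocked = set()
    for now, ip in sorted(events):
        # Expire stale records before counting the new failure, as a periodic
        # purge running just before this event would.
        for tracked in list(counts):
            ref = first_seen[tracked] if anchor == "first" else last_seen[tracked]
            if now - ref > PURGE_AFTER:
                del counts[tracked], first_seen[tracked], last_seen[tracked]
        if ip not in counts:
            counts[ip] = 0
            first_seen[ip] = now
        counts[ip] += 1
        last_seen[ip] = now
        if counts[ip] >= BLOCK_THRESHOLD:
            blocked.add(ip)
    return blocked


# Constructed replay of the failures described in the message.
ATTACKER = "162.144.102.19"
EVENTS = [
    (ts("04:48:34"), ATTACKER),  # first failure (time from the message)
    (ts("05:05:10"), ATTACKER),  # second failure (constructed time)
    (ts("05:31:03"), ATTACKER),  # third failure (time from the message)
]

if __name__ == "__main__":
    print("purge after first :", blocked_ips(EVENTS, "first"))   # set()
    print("purge after recent:", blocked_ips(EVENTS, "recent"))  # {'162.144.102.19'}
```

Under the "first" policy the attacker is forgotten at 05:18:34 and the third failure starts a fresh count of one; under the "recent" policy the window slides with every failure, so a host that keeps failing is never forgotten until it goes quiet for 30 minutes.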