From: <li...@la...> - 2016-07-28 19:57:16

I think you have a "number of attacks" per some time period criteria. I think a simple lockout after the most recent attack is fine. But you must have had a reason for the more complicated criteria. I suppose if some IP attacked every 30 minutes until the end of time, it would be wrong to allow that behavior.

How about the release time is based from the last attack, but if there is a trigger prior to release, the timer gets increased by say 15 minutes. Well no, that won't work because the attacker would just wait 30 minutes between attacks and never increase the time period.

How about a simple 30 minute lockout, no fancy time increase, but the program makes a log for suggested blacklisting based on persistent attacks.

-----Original Message-----
From: Kevin Zheng
Sent: Thursday, July 28, 2016 12:35 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] rev 1.7.0 not blocking all worthy of blocking

On 07/28/2016 00:20, li...@la... wrote:
> Looking at the log, 162.144.102.19 is worthy of blocking, but it wasn't
> blocked.

This is not technically a bug because the code is behaving as written. I think the bug is in the policy itself. Here's what's going on:

The "POSSIBLE BREAK-IN ATTEMPT" is not considered an attack. This message shows up when a reverse DNS lookup doesn't match, but the actual attack is the "Connection closed" line. They're not two separate attacks.

Attackers are purged 30 minutes after their *first* attack, not their most recent attack. The first attack was at 04:48:34, and so by the time the third attack that would have triggered a block rolled around (05:31:03), the attacker's earlier attacks were already forgotten.

This latter issue is something worth fixing. Suggestions? Perhaps it's better to change the policy to purge 30 minutes after the most *recent* attack.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be...
PGP: 0xC22E1090

sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users
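As an added illustration, not code from this thread or from SSHGuard itself, the Python simulation below replays an attack counter under the two purge policies Kevin contrasts: forgetting an attacker 30 minutes after its first attack (the rev 1.7.0 behaviour) versus 30 minutes after its most recent attack (the proposed change). The 3-attack threshold and the 30-minute window are taken from the thread, as are the 04:48:34 and 05:31:03 timestamps; the middle timestamp, the evenly paced "persistent attacker" series, the reset of the counter once a block is issued, and the `persistent_attacker` helper that stands in for the "suggested blacklisting" log are assumptions made for this example.

```python
"""Replay SSHGuard-style attack counting under two purge policies.

Constructed example: threshold and window follow the mailing-list thread;
everything else (timestamps other than the two quoted, the record layout,
the blacklist heuristic) is assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

THRESHOLD = 3                    # attacks before the address is blocked
WINDOW = timedelta(minutes=30)   # how long an attacker stays in the table


@dataclass
class Attacker:
    first_seen: datetime
    last_seen: datetime
    count: int = 0


def simulate(timestamps: List[datetime], purge_from: str = "first") -> List[datetime]:
    """Feed one attacker's attack timestamps through the counter.

    purge_from="first": drop the record WINDOW after the *first* attack
                        (the behaviour Kevin describes in rev 1.7.0).
    purge_from="last":  drop the record WINDOW after the *most recent* attack
                        (the proposed change).
    Returns the timestamps at which a block would have been issued.
    """
    if purge_from not in ("first", "last"):
        raise ValueError("purge_from must be 'first' or 'last'")
    record: Optional[Attacker] = None
    blocks: List[datetime] = []
    for now in sorted(timestamps):
        if record is not None:
            anchor = record.first_seen if purge_from == "first" else record.last_seen
            if now - anchor > WINDOW:
                record = None            # purged: earlier attacks are forgotten
        if record is None:
            record = Attacker(first_seen=now, last_seen=now)
        record.count += 1
        record.last_seen = now
        if record.count >= THRESHOLD:
            blocks.append(now)
            record = None                # assumption: counter resets once blocked
    return blocks


def persistent_attacker(blocks: List[datetime], min_blocks: int = 2) -> bool:
    """Assumed heuristic for a 'suggested blacklist' log entry: the same
    address earned at least min_blocks separate blocks."""
    return len(blocks) >= min_blocks


def parse(day: str, hms: str) -> datetime:
    return datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S")


# Constructed log for 162.144.102.19: first and third times are quoted in the
# thread, the middle one is assumed.
ATTACKS_FROM_LOG = [parse("2016-07-28", t) for t in ("04:48:34", "05:10:12", "05:31:03")]

# Constructed series: one attack every 20 minutes for three hours.
_BASE = parse("2016-07-28", "06:00:00")
PERSISTENT_ATTACKS = [_BASE + timedelta(minutes=20 * k) for k in range(9)]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"purge from {policy:5}: logged case blocks at",
              [t.strftime("%H:%M:%S") for t in simulate(ATTACKS_FROM_LOG, policy)])
        blocks = simulate(PERSISTENT_ATTACKS, policy)
        print(f"purge from {policy:5}: persistent case blocks {len(blocks)} times,"
              f" blacklist suggested: {persistent_attacker(blocks)}")
```

Running it reproduces the thread's diagnosis: with the first-attack anchor the record for 162.144.102.19 is gone before 05:31:03 and nothing is blocked, while the most-recent-attack anchor blocks on the third attack. The evenly paced series shows the other half of the discussion: an attacker who keeps coming back inside the window is blocked again and again, and a count of repeated blocks is enough to flag it for the kind of blacklist suggestion the poster proposes, without adding an escalating timer.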