Re: [SSHGuard-users] Adedd and 'should have been added'

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Jos,

On 07/31/2016 09:21, Jos Chrispijn wrote:
> As you see the ip address has been blocked @ (1), but in the same run I
> get twice another display line, saying the the ip should have been
> blocked (as it was in (1)).
> Can you explain how we should interprer the (2) lines or is it a display
> bug?

The attacker was blacklisted (and blocked) in (1), so the attacker was
disconnected by the firewall. Disconnects also cause sshd to log the
message you saw, which SSHGuard saw and warned that an attack was
recognized, even though it assumed the attacker was already blocked.

You can safely disregard this message. The purpose of this message was
to warn when the firewall failed to block, in which case lots of these
messages would appear.

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] Adedd and 'should have been added'

Intelligently block brute-force attacks by aggregating system logs

Re: [SSHGuard-users] Adedd and 'should have been added'