From: Mij <mi...@bi...> - 2007-06-17 21:58:50
hello akis

> Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address
> 194.24.158.16
> Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3
> failures over 12 seconds.

good to see helpful debugging messages in your report, bravo. This pair of lines tells you that sshguard correctly resolved the hostname to address 194.24.158.16, and then blocked this IP.

> iptables -L:
>
> Chain sshguard (0 references)
> target prot opt source destination
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
> DROP 0 -- lime-gw16.one.at anywhere
>
> The strange thing is that the DROP rule contains the hostname of the
> "attacker", and NOT the IP address.

this is iptables reversing addresses for better readability: with "iptables -Ln" you should get 194.24.158.16.

sshguard did its job in putting the blocking rule in the "sshguard" chain, so I guess this address is not blocked because you have not demanded the INPUT chain to this one, possible? "iptables -Ln" should give you

Chain INPUT (policy ACCEPT)
target prot opt source destination
sshguard tcp -- anywhere anywhere tcp dpt:ssh
[...]

if this is missing, follow the commands in
http://sshguard.sourceforge.net/doc/setup/blockingiptables.html

bye

> Running an nslookup in lime-gw16.one.at gives:
>
> Server: 193.92.150.3
> Address: 193.92.150.3#53
>
> Non-authoritative answer:
> Name: lime-gw16.one.at
> Address: 194.24.158.16
>
> Which successfully resolves to the "attacker's" IP. But does not block
> the attacker.
> What is going wrong? I guess it has something to do with the hostname
> and not the IP in the drop rule.
>
> P.S.
> I should point out that the detected "attacker's" IP is a friend of
> mine, trying to test the behavior of sshguard, not an actual attacker.
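An added diagnostic, not part of the list thread or of sshguard itself: it reads an "iptables -L -n" listing and tells you whether the sshguard chain is actually reached from INPUT, which is the situation diagnosed above (the "(0 references)" in the chain header means no rule jumps into it, so its DROP entries never fire). The two listings are constructed to mirror the post's broken state and the fixed one; the chain name "sshguard" and the listing layout are the assumptions.

```shell
#!/bin/sh
# Parse "iptables -L -n" output on stdin. Return 0 when INPUT jumps to the
# sshguard chain and the chain header reports at least one reference,
# return 1 (with a short verdict on stdout) otherwise.
sshguard_chain_check() {
    awk '
        /^Chain / {
            # "Chain INPUT (policy ACCEPT)" / "Chain sshguard (0 references)"
            in_input = ($2 == "INPUT")
            if ($2 == "sshguard") { seen = 1; refs = $3; sub(/\(/, "", refs); refs += 0 }
            next
        }
        # a rule inside INPUT whose target column is the sshguard chain
        in_input && $1 == "sshguard" { jump = 1 }
        END {
            if (!seen) { print "sshguard chain missing"; exit 1 }
            if (refs == 0 || !jump) {
                print "sshguard chain present but INPUT never jumps to it (" refs " references)"
                exit 1
            }
            print "INPUT -> sshguard wired (" refs " references)"
            exit 0
        }'
}

# Convenience wrapper: check_listing "$LISTING_TEXT"
check_listing() {
    printf '%s\n' "$1" | sshguard_chain_check
}

# Constructed listings (not captured from the poster's host).
BROKEN_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0'

WIRED_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain sshguard (1 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0'

# Demonstration: first listing reproduces the post, second is the fixed setup.
check_listing "$BROKEN_LISTING" || true
check_listing "$WIRED_LISTING"
# Live use (root): iptables -L -n | sshguard_chain_check
```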