From: Akis M. <ph...@at...> - 2007-06-18 17:10:30
Mij wrote:
> hello akis
>
>> Jun 17 23:51:53 sextus sshguard[3753]: Matched IP address 194.24.158.16
>> Jun 17 23:51:53 sextus sshguard[3753]: Blocking 194.24.158.16: 3 failures over 12 seconds.
>
> good to see helpful debugging messages in your report, bravo.
> This pair of lines tells you that sshguard correctly resolved the
> hostname to address 194.24.158.16, and then blocked this IP.
>
>> iptables -L:
>>
>> Chain sshguard (0 references)
>> target prot opt source destination
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>> DROP 0 -- lime-gw16.one.at anywhere
>>
>> The strange thing is that the DROP rule contains the hostname of the
>> "attacker", and NOT the IP address.
>
> this is iptables reversing addresses for better readability: with
> "iptables -Ln" you should get 194.24.158.16 .
>
> sshguard did its job in putting the blocking rule in the "sshguard"
> chain, so I guess this address is not blocked because you have not
> demanded the INPUT chain to this one, possible?
>
> "iptables -Ln" should give you
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> sshguard tcp -- anywhere anywhere tcp dpt:ssh
>
> [...]
>
> if this is missing, follow the commands in
> http://sshguard.sourceforge.net/doc/setup/blockingiptables.html
>
> bye
>
>> Running an nslookup on lime-gw16.one.at gives:
>>
>> Server: 193.92.150.3
>> Address: 193.92.150.3#53
>>
>> Non-authoritative answer:
>> Name: lime-gw16.one.at
>> Address: 194.24.158.16
>>
>> Which successfully resolves to the "attacker's" IP. But does not block
>> the attacker. What is going wrong? I guess it has something to do with
>> the hostname and not the IP in the drop rule.
>>
>> P.S.
>> I should point out that the detected "attacker's" IP is a friend of
>> mine, trying to test the behavior of sshguard, not an actual attacker.
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users

oops, I forgot to input this command:

iptables -A INPUT -p tcp --dport 22 -j sshguard

Works like a charm now! You were correct.
Thank you Mij :)
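A quick sanity check for the symptom in this thread, added here as an example (not code from sshguard or from the thread): the function reads the text of `iptables -L -n` and reports whether the sshguard chain is actually reached from INPUT for the ssh port. The two listings below are constructed samples, not output from Akis's host.

```shell
#!/bin/sh
# Constructed sample: the broken state reported above (chain exists, nothing jumps to it).
BROKEN_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (0 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0'

# Constructed sample: after `iptables -A INPUT -p tcp --dport 22 -j sshguard`.
FIXED_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain sshguard (1 references)
target     prot opt source               destination
DROP       0    --  194.24.158.16        0.0.0.0/0'

# check_sshguard_chain LISTING: prints a verdict; exit 0 when the chain is wired in, 1 otherwise.
check_sshguard_chain() {
    listing=$1
    if ! printf '%s\n' "$listing" | grep -q '^Chain sshguard '; then
        echo "sshguard chain missing: sshguard has nothing to add rules to"
        return 1
    fi
    # iptables prints the reference count in the chain header; 0 means no chain jumps here.
    refs=$(printf '%s\n' "$listing" | sed -n 's/^Chain sshguard (\([0-9]*\) references)/\1/p')
    refs=${refs:-0}
    # Count jumps to sshguard for the ssh port, looking only inside the INPUT block.
    jump=$(printf '%s\n' "$listing" | awk '/^Chain /{inside=($2=="INPUT")}
        inside && $1=="sshguard" && /dpt:(22|ssh)/ {c++} END{print c+0}')
    # Count DROP rules sitting in the sshguard chain itself.
    drops=$(printf '%s\n' "$listing" | awk '/^Chain /{inside=($2=="sshguard")}
        inside && $1=="DROP" {c++} END{print c+0}')
    if [ "$refs" -eq 0 ] || [ "$jump" -eq 0 ]; then
        echo "sshguard chain holds $drops DROP rule(s) but INPUT never jumps to it: blocks are ineffective"
        return 1
    fi
    echo "INPUT jumps to sshguard for ssh; $drops DROP rule(s) active"
    return 0
}

# Stand-alone demo over the constructed samples (the exit status is the verdict).
for sample in "$BROKEN_LISTING" "$FIXED_LISTING"; do
    check_sshguard_chain "$sample" || :
done
```

On a live host, run it as `check_sshguard_chain "$(iptables -L -n)"`; a non-zero exit means the DROP rules sshguard adds are never consulted.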