From: Jim S. <jse...@Li...> - 2016-12-03 15:32:57
I'm getting the same thing on my Linux hosts.

$ cat /etc/issue
Ubuntu 14.04.5 LTS

$ sshguard -v
sshguard 1.7.0

Example from /var/log/auth.log:

Dec 2 01:35:31 mail sshguard[1222]: 1.55.63.241: blocking for 840 secs (4 attacks in 0 secs, after 1 abuses over 0 secs)
Dec 2 01:35:31 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 01:50:59 mail sshguard[1222]: 1.55.63.241: unblocking after 928 secs
Dec 2 02:00:50 mail sshguard[1222]: 1.55.63.241: blocking for 1680 secs (4 attacks in 0 secs, after 2 abuses over 1519 secs)
Dec 2 02:00:50 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 02:28:51 mail sshguard[1222]: 1.55.63.241: unblocking after 1681 secs
Dec 2 02:50:39 mail sshguard[1222]: 1.55.63.241: blocking for 3360 secs (4 attacks in 0 secs, after 3 abuses over 4508 secs)
Dec 2 02:50:39 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 03:46:48 mail sshguard[1222]: 1.55.63.241: unblocking after 3369 secs
Dec 2 07:56:07 mail sshguard[1222]: 1.55.63.241: blocking for 6720 secs (4 attacks in 0 secs, after 4 abuses over 22836 secs)
Dec 2 07:56:07 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 07:56:07 mail sshguard[1222]: message repeated 2 times: [ 1.55.63.241: should already have been blocked]
Dec 2 09:50:03 mail sshguard[1222]: 1.55.63.241: unblocking after 6836 secs

That was from yesterday. Here's the current iptables state:

$ sudo iptables -L
[sudo] password for <elided>:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  187-92-160-77.customer.tdatabrasil.net.br  anywhere

Never used to see this until I replaced the repo version with one I built from a tarball to get proper Postfix parsing.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.