From: Daniel A. <co...@da...> - 2017-12-27 05:33:06

On Wed, Dec 27, 2017, at 04:36, li...@la... wrote:
> I'm running Centos 7.3 using Firewalld. Is this error really an error?
> Also any help to see what IP is being blocked would help.

TL;DR: Commands included at the bottom.

> Dec 27 02:04:05 centos-1gb-sfo1-01 sshd[3829]: error: maximum
> authentication attempts exceeded for root from 197.251.5.165 port 42280
> ssh2 [preauth]
> Dec 27 02:04:05 centos-1gb-sfo1-01 sshd[3829]:
> Disconnecting: Too many authentication failures [preauth]

The above messages are from OpenSSH and are processed by SSHGuard. That appears to be working as SSHGuard logs a warning about having detected a login attempt:

> Dec 27 02:04:05 centos-1gb-sfo1-01 sshguard[2934]: Attack from "197.251.5.165"
> on service 100 with danger 10.

The attacking source 197.251.5.165 now has a dangerousness score of 10. SSHGuard doesn't block an IP until it reaches 30, by the default configuration. 197.251.5.165 would need to attack you two more times within the configured detection time before it would be blocked. See the sshguard.conf file, especially the THRESHOLD, BLOCK_TIME, and DETECTION_TIME in particular.

> Perhaps useful info:
> firewall-cmd --list-icmp-blocks
> returns nothing.

ICMP blocks have nothing to do with SSHGuard.

> I used this as a guide:
> https://www.ctrl.blog/entry/how-to-sshguard-firewalld

Full disclosure: I'm the author.

> Unfortunately Centos does not use firewallctl but rather firewall-cmd,
> so the commands don't translate.

firewallctl was added to FirewallD in version 0.4.3 released more than 18 months ago, and there have been many releases of FirewallD since then. You must be using an even older version of FirewallD. You should keep the version of FirewallD (and other software) you're using up to date. Software on CentOS is often years out of date. :(

Please note that the most recent version of SSHGuard still uses firewall-cmd internally for backwards compatibility.

firewallctl is equivalent to firewall-cmd, but the former is believed to be better for end-users as the syntax is simpler and more similar to that of other tools on CentOS/Fedora/RHEL.

> Here is the suggested command to see what IP has been blocked:

The following commands are equivalent for firewall-cmd:

firewall-cmd --ipset=sshguard4 --get-entries [--permanent]
firewall-cmd --ipset=sshguard6 --get-entries [--permanent]

I hope this helps! :-) Let us know if you have any further questions.

PS: What resources other than my blog post did you use when learning about SSHGuard? Did you read the man page? Or the configuration file? SSHGuard website? Have a look in your browser's history if possible. I'm curious about this as we can use such information to help improve documentation.

--
Daniel Aleksandersen
https://www.daniel.priv.no/
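To make the THRESHOLD / DETECTION_TIME behaviour described above concrete, here is an added Python example (not part of the thread and not SSHGuard's own code) that replays sshguard log lines through a simplified model of the scoring: an attacker's score is forgotten after DETECTION_TIME of silence, and the address is blocked for BLOCK_TIME once the score reaches THRESHOLD. The defaults 30/120/1800, the reset-after-block behaviour, the 203.0.113.7 address and every timestamp after the first log line are assumptions or constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Assumed defaults from sshguard.conf (as described in the message).
THRESHOLD = 30          # dangerousness score that triggers a block
BLOCK_TIME = 120        # seconds an address stays blocked
DETECTION_TIME = 1800   # seconds after which an idle attacker's score is forgotten

# Matches the sshguard "Attack from" line quoted in the thread.
ATTACK_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshguard\[\d+\]: '
    r'Attack from "(?P<ip>[^"]+)" on service \d+ with danger (?P<danger>\d+)\.'
)

# Constructed sample log: the first line is the one from the thread, the rest
# are made up to exercise the threshold and the detection-time window.
SAMPLE_LOG = [
    'Dec 27 02:04:05 centos-1gb-sfo1-01 sshd[3829]: Disconnecting: Too many authentication failures [preauth]',
    'Dec 27 02:04:05 centos-1gb-sfo1-01 sshguard[2934]: Attack from "197.251.5.165" on service 100 with danger 10.',
    'Dec 27 02:09:11 centos-1gb-sfo1-01 sshguard[2934]: Attack from "197.251.5.165" on service 100 with danger 10.',
    'Dec 27 02:15:40 centos-1gb-sfo1-01 sshguard[2934]: Attack from "197.251.5.165" on service 100 with danger 10.',
    'Dec 27 02:20:00 centos-1gb-sfo1-01 sshguard[2934]: Attack from "203.0.113.7" on service 100 with danger 10.',
    'Dec 27 03:05:00 centos-1gb-sfo1-01 sshguard[2934]: Attack from "203.0.113.7" on service 100 with danger 10.',
]

def parse_ts(text, year=2017):
    # syslog timestamps carry no year; assume one so the arithmetic works.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def replay(lines, threshold=THRESHOLD, block_time=BLOCK_TIME, detection_time=DETECTION_TIME):
    """Return (scores, blocks): pending score per IP and (ip, start, end) for each block."""
    scores, last_seen, blocks = {}, {}, []
    for line in lines:
        m = ATTACK_RE.match(line)
        if not m:
            continue  # sshd and other lines are not attack reports
        ip, danger, ts = m["ip"], int(m["danger"]), parse_ts(m["ts"])
        # An attacker silent for longer than DETECTION_TIME starts from zero again.
        if ip in last_seen and ts - last_seen[ip] > timedelta(seconds=detection_time):
            scores[ip] = 0
        last_seen[ip] = ts
        scores[ip] = scores.get(ip, 0) + danger
        if scores[ip] >= threshold:
            blocks.append((ip, ts, ts + timedelta(seconds=block_time)))
            scores[ip] = 0  # assumption: pending score is cleared once blocked
    return scores, blocks

if __name__ == "__main__":
    pending, blocked = replay(SAMPLE_LOG)
    print("pending scores:", pending)
    print("blocks:", blocked)
```

Three danger-10 attacks from 197.251.5.165 within the window reach 30 and trigger a block at the third line, while 203.0.113.7, whose two attacks are 45 minutes apart, never gets past a score of 10.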