From: Kevin Z. <kev...@gm...> - 2020-09-06 16:51:49
On 9/6/20 2:51 AM, Jos Chrispijn wrote:
> Can you tell me how I can trigger SSHGuard blocking this ip address' action?
>
> Sep 6 11:47:41 poseidon postfix/postscreen[14766]: HANGUP after 0.07
> from [158.174.61.67]:50969 in tests after SMTP handshake
> Sep 6 11:47:41 poseidon postfix/postscreen[14766]: DISCONNECT
> [158.174.61.67]:50969
> Sep 6 11:47:42 poseidon postfix/postscreen[14766]: CONNECT from
> [158.174.61.67]:54563 to [10.10.10.36]:25
> Sep 6 11:47:42 poseidon postfix/postscreen[14766]: PREGREET 14 after
> 0.04 from [158.174.61.67]:54563: EHLO ylmf-pc\r\n

We can determine if one of these lines only appears in "attacks" and trigger based on that line. Can you show some examples of legitimate SMTP sessions, so that we can try to see what the differences are?

Thanks,
Kevin
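
The comparison suggested in the message above, sketched as an added example that is not part of the original thread and is not SSHGuard code: it groups postscreen log lines by client address and reports the event types seen only for clients outside a known-legitimate set. The function names, the legitimate client `192.0.2.10` and its three log lines are constructed assumptions; the first four lines are the ones quoted in the message, unwrapped.

```python
import re
from collections import defaultdict

# postscreen logs an upper-case event name followed by the client as [addr]:port.
LINE_RE = re.compile(
    r"postfix/postscreen\[\d+\]: (?P<event>[A-Z]+(?: [A-Z]+)*)\b.*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+"
)

def events_by_client(lines):
    """Map each client address to the set of postscreen events logged for it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines from other daemons or formats are skipped
            seen[m.group("ip")].add(m.group("event"))
    return dict(seen)

def attack_only_events(lines, legit_clients):
    """Events logged for unknown clients but never for a known-legitimate one."""
    per_client = events_by_client(lines)
    legit = set().union(*(ev for ip, ev in per_client.items() if ip in legit_clients))
    other = set().union(*(ev for ip, ev in per_client.items() if ip not in legit_clients))
    return other - legit

P = "poseidon postfix/postscreen[14766]: "
SAMPLE = [
    # The four lines quoted in the message (unwrapped).
    "Sep 6 11:47:41 " + P + "HANGUP after 0.07 from [158.174.61.67]:50969 "
    "in tests after SMTP handshake",
    "Sep 6 11:47:41 " + P + "DISCONNECT [158.174.61.67]:50969",
    "Sep 6 11:47:42 " + P + "CONNECT from [158.174.61.67]:54563 to [10.10.10.36]:25",
    "Sep 6 11:47:42 " + P + r"PREGREET 14 after 0.04 from [158.174.61.67]:54563: "
    r"EHLO ylmf-pc\r\n",
    # Constructed legitimate session (assumption, documentation address).
    "Sep 6 11:50:03 " + P + "CONNECT from [192.0.2.10]:41022 to [10.10.10.36]:25",
    "Sep 6 11:50:09 " + P + "PASS NEW [192.0.2.10]:41022",
    "Sep 6 11:50:10 " + P + "DISCONNECT [192.0.2.10]:41022",
]

if __name__ == "__main__":
    # The result is only as good as the legitimate sample it is compared against.
    print(sorted(attack_only_events(SAMPLE, {"192.0.2.10"})))
```
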