From: Doug D. <do...@sa...> - 2021-03-02 05:44:05
The system in question is a FreeBSD jail using sshguard-2.1.0_1 and inet as the attacks on all jails are not the same. Nor do I have the same error weights on all the jails within a single host. On the first root console I'm getting the following types of messages, nay several hundred per 24 hour period:

Could not resolve 'netcupde.tor-exit.de' to address
Could not resolve 'netcupde.tor-exit.de' to address
Could not resolve 'netcupde.tor-exit.de' to address
Could not resolve '207.188.84.69.tor.pathcom.com' to address
Could not resolve '207.188.84.69.tor.pathcom.com' to address
Could not resolve 'vps-917b9a34.vps.ovh.ca' to address
Could not resolve 'netcupde.tor-exit.de' to address
Could not resolve '207.188.84.69.tor.pathcom.com' to address

In auth.log I can find corresponding entries:

Mar 1 22:08:40 host1 sshd[40511]: error: PAM: authentication error for root from netcupde.tor-exit.de
Mar 1 22:08:51 host1 sshd[40523]: refused connect from vps-917b9a34.vps.ovh.ca (51.222.15.164)
Mar 1 23:27:47 host1 sshd[88474]: refused connect from 207.188.84.69.tor.pathcom.com (207.188.84.69)
Mar 1 23:27:48 host1 sshd[88458]: error: PAM: authentication error for root from 207.188.84.69.tor.pathcom.com

sshguard blocks and refuses about 50,000 ssh attacks per day, so I do not think all attacks with DNS issues get written out to the terminal. The 'Could not resolve' errors are not logged, they are just written to the xterm. There is too much volume to be sure if any of these messages come from the refused group.

Counts for a typical day:

    1 => Accepted publickey
   15 => Failed keyboard-interactive/pam
   15 => Postponed keyboard-interactive
   19 => Bad protocol
   45 => error: maximum
  140 => error: PAM:
  175 => Disconnected from
  175 => Received disconnect
  301 => Invalid user
  430 => Did not
56773 => refused connect
58089 total attempts

This particular server has attracted the attention of China and other bad actors, so about 1M attacks per day are blocked by ipfw from the host.
All of this is working as it should and is effectively countering a 24/7 denial of service to this system. My only question is: are the messages to the xterm coming from DNS errors within sshguard, and can I configure around that?

Thanks for any assistance and/or thoughts

Doug
_____
Douglas Denault
http://www.safeport.com
do...@sa...
Voice: 301-217-9220
Fax: 301-217-9277
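The question above hinges on which auth.log lines carry only a reverse-resolved hostname and which already carry an IP literal: the "refused connect" lines quoted in the post include the address in parentheses, while the "error: PAM:" lines name only a hostname. The script below is an added example (not sshguard code and not something from the post) that classifies sshd log lines into the same categories the post counts and flags the lines a log monitor would have to resolve before it could block anything. It assumes that a monitor needing an address would look up each bare hostname it sees, which is the assumed origin of "Could not resolve" messages; the sample log lines are constructed from the ones quoted in the post plus two invented entries using a documentation address.

```python
"""Classify sshd auth.log lines and flag the ones that name a bare hostname.

Added example, not sshguard's parser.  Categories and sample lines are
constructed to match the post; 192.0.2.10 is a documentation address.
"""
import re
from collections import Counter

# Message prefixes the post counts for a typical day (constructed list).
CATEGORIES = [
    "Accepted publickey",
    "Failed keyboard-interactive/pam",
    "Postponed keyboard-interactive",
    "Bad protocol",
    "error: maximum",
    "error: PAM:",
    "Disconnected from",
    "Received disconnect",
    "Invalid user",
    "Did not",
    "refused connect",
]

# "Mar 1 22:08:40 host1 sshd[40511]: <message>"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# "from <host>" as sshd writes it, or "from <host> (<ip>)" as libwrap writes it.
FROM_RE = re.compile(r"\bfrom (?P<host>\S+)(?: \((?P<ip>[^)]+)\))?")


def classify(line):
    """Return (category, host, ip, needs_resolution) for one sshd line,
    or None when the line is not an sshd message.

    needs_resolution is True when the line names a hostname but carries
    no IP literal, i.e. a monitor would have to do a DNS lookup to act.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    category = next((c for c in CATEGORIES if msg.startswith(c)), "other")
    host = ip = None
    fm = FROM_RE.search(msg)
    if fm:
        host, ip = fm.group("host"), fm.group("ip")
        # sshd with DNS lookups off logs the address in the host position.
        if ip is None and IPV4_RE.fullmatch(host):
            ip, host = host, None
    needs_resolution = host is not None and ip is None
    return category, host, ip, needs_resolution


def summarize(lines):
    """Per-category counts plus a count per hostname that would need resolving."""
    counts = Counter()
    unresolved_hosts = Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        category, host, _ip, needs_resolution = result
        counts[category] += 1
        if needs_resolution:
            unresolved_hosts[host] += 1
    return counts, unresolved_hosts


# Constructed sample: the four lines quoted in the post plus two invented ones.
SAMPLE_LOG = """\
Mar 1 22:08:40 host1 sshd[40511]: error: PAM: authentication error for root from netcupde.tor-exit.de
Mar 1 22:08:51 host1 sshd[40523]: refused connect from vps-917b9a34.vps.ovh.ca (51.222.15.164)
Mar 1 23:27:47 host1 sshd[88474]: refused connect from 207.188.84.69.tor.pathcom.com (207.188.84.69)
Mar 1 23:27:48 host1 sshd[88458]: error: PAM: authentication error for root from 207.188.84.69.tor.pathcom.com
Mar 1 23:30:02 host1 sshd[88501]: Invalid user admin from 192.0.2.10 port 40022
Mar 1 23:30:05 host1 sshd[88501]: Received disconnect from 192.0.2.10 port 40022:11: Bye Bye [preauth]
""".splitlines()


if __name__ == "__main__":
    counts, unresolved = summarize(SAMPLE_LOG)
    for category, n in sorted(counts.items(), key=lambda kv: kv[1]):
        print(f"{n:>6} => {category}")
    print(f"{sum(counts.values()):>6} total")
    print("hostnames that would need a DNS lookup:")
    for host, n in unresolved.most_common():
        print(f"{n:>6} {host}")
```

Run against a real auth.log (`python3 classify.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin`), the second table shows how much lookup work a log-driven blocker is doing and for which names. The sshd_config option `UseDNS` controls whether sshd records the reverse-resolved hostname or the client address in its own lines; when the address is logged directly there is nothing left to resolve for those entries.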