sshguard-users — User questions and answers, bugs, and general support

Re: [SSHGuard-users] question about postfix greylist early retry

[Jos C. <ssh...@cl...>]

On 10-7-2018 18:02, Christos Chatzaras wrote:
> Greylisting allows a mail server to resend the e-mail after 5 minutes. So if a mail server retries in 4 minutes does it block it? Or it only blocks if a mail server tries to send it multiple times during the first 5 minutes?
You can configure greylisting with any time interval. What I reported is 
excessive mail dropping behavior (every second by the same mailserver ip 
for the same email account) for multiple times.

/Jos

-- With both feed on the ground you will never make a step forward

Re: [SSHGuard-users] question about postfix greylist early retry

[Christos C. <ch...@cr...>]

Greylisting allows a mail server to resend the e-mail after 5 minutes. So if a mail server retries in 4 minutes does it block it? Or it only blocks if a mail server tries to send it multiple times during the first 5 minutes?


> On 10 Jul 2018, at 18:29, Jos Chrispijn <ssh...@cl...> wrote:
> 
> On 10-7-2018 14:15, Christos Chatzaras wrote:
>> Can you explain how postfix greylist early retry works?
>> 
> What I know about it:
> 
> Normally first time connection with postgrey results in a greylisting message and time out.
> 
> But lately there are mailservers that still try every second to drop the same email (although everyone knows what greylisting is about).
> I reported this behavior to the author and he considered this as annoying behavior too, resulting in putting these kind of mailservers on the internal black list.
> 
> -- With both feed on the ground you will never make a step forward

Re: [SSHGuard-users] question about postfix greylist early retry

[Jos C. <ssh...@cl...>]

On 10-7-2018 14:15, Christos Chatzaras wrote:
> Can you explain how postfix greylist early retry works?
>
What I know about it:

Normally first time connection with postgrey results in a greylisting 
message and time out.

But lately there are mailservers that still try every second to drop the 
same email (although everyone knows what greylisting is about).
I reported this behavior to the author and he considered this as 
annoying behavior too, resulting in putting these kind of mailservers on 
the internal black list.

-- With both feed on the ground you will never make a step forward

[SSHGuard-users] question about postfix greylist early retry

[Christos C. <ch...@cr...>]

Hello,

Can you explain how postfix greylist early retry works?

Kind regards,
Christos Chatzaras

Re: [SSHGuard-users] SSHGuard 2.2.0 release announcement

[Jos C. <ssh...@cl...>]

On 9-7-2018 21:42, Kevin Zheng wrote:
> Hi there,
>
> SSHGuard 2.2.0 is now available for download on SourceForge [1].
>
Thanks, appreciate the support!
Any donation link available?

-- With both feed on the ground you will never make a step forward

[SSHGuard-users] SSHGuard 2.2.0 release announcement

[Kevin Z. <kev...@gm...>]

Hi there,

SSHGuard 2.2.0 is now available for download on SourceForge [1].

**Added**

- Add '--disable-maintainer-mode' in configure for package maintainers
- BusyBox log banner detection
- Match Exim "auth mechanism not supported"
- Match Exim "auth when not advertised"
- Match Postfix greylist early retry
- OpenSMTPD monitoring support
- Recognize IPv6 addresses with interface name

**Changed**

- Ignore CR in addition to LF
- Only log attacks if not already blocked or whitelisted

**Fixed**

- Use correct signal names in driver shell script

[1] https://sourceforge.net/projects/sshguard/files/sshguard/

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] SSHGuard 2.2.0 around the corner

[jungle B. <jun...@gm...>]

On 5 July 2018 at 10:27, Kevin Zheng <kev...@gm...> wrote:
>>
>> OpenBSD x64 -current with autoreconf-2.69.
>
> Thanks for the report on OpenBSD.
>
> This warning from autoconf is known, and you can safely ignore it for
> now, unless of course, there's an error that I'm missing.
>

Probably not. the config and make went well. I've restarted the service

> I'd be curious if pledge() support in the parser is still working?
>

Do you know how I would go about testing that?

> --
> Kevin Zheng
> kev...@gm... | ke...@be... | PGP: 0xC22E1090


-- 
-------
inum: 883510009027723
sip: jun...@si...

Re: [SSHGuard-users] SSHGuard 2.2.0 around the corner

[Kevin Z. <kev...@gm...>]

On 07/05/2018 12:26, jungle Boogie wrote:
> On 5 July 2018 at 10:17, Kevin Zheng <kev...@gm...> wrote:
>> Hi folks,
>>
>>
>> - Use correct signal names in driver shell script
>>
>> The new release will be cut over the weekend. Git users, consider giving
>> current master a whirl.
>>
> 
> I don't know the current version of sshugard I have, but it's from
> master and fairly recent (+/- 1month is my guess).
> 
> When I updated src and did autoreconf -i (per build instructions), I have this:
> 
> $ autoreconf -i
> configure.ac:19: installing './ar-lib'
> configure.ac:13: installing './compile'
> configure.ac:7: installing './install-sh'
> configure.ac:7: installing './missing'
> configure.ac:9: installing './tap-driver.sh'
> src/blocker/Makefile.am:5: warning: source file '../common/simclist.c'
> is in a subdirectory,
> src/blocker/Makefile.am:5: but option 'subdir-objects' is disabled
> automake-1.15: warning: possible forward-incompatibility.
> automake-1.15: At least a source file is in a subdirectory, but the
> 'subdir-objects'
> automake-1.15: automake option hasn't been enabled.  For now, the
> corresponding output
> automake-1.15: object file(s) will be placed in the top-level
> directory.  However,
> automake-1.15: this behaviour will change in future Automake versions: they will
> automake-1.15: unconditionally cause object files to be placed in the
> same subdirectory
> automake-1.15: of the corresponding sources.
> automake-1.15: You are advised to start using 'subdir-objects' option
> throughout your
> automake-1.15: project, to avoid future incompatibilities.
> src/blocker/Makefile.am: installing './depcomp'
> src/fw/Makefile.am:26: warning: source file '../common/simclist.c' is
> in a subdirectory,
> src/fw/Makefile.am:26: but option 'subdir-objects' is disabled
> configure.ac: installing './ylwrap'
> parallel-tests: installing './test-driver'
> 
> 
> OpenBSD x64 -current with autoreconf-2.69.

Thanks for the report on OpenBSD.

This warning from autoconf is known, and you can safely ignore it for
now, unless of course, there's an error that I'm missing.

I'd be curious if pledge() support in the parser is still working?

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] SSHGuard 2.2.0 around the corner

[jungle B. <jun...@gm...>]

On 5 July 2018 at 10:17, Kevin Zheng <kev...@gm...> wrote:
> Hi folks,
>
>
> - Use correct signal names in driver shell script
>
> The new release will be cut over the weekend. Git users, consider giving
> current master a whirl.
>

I don't know the current version of sshugard I have, but it's from
master and fairly recent (+/- 1month is my guess).

When I updated src and did autoreconf -i (per build instructions), I have this:

$ autoreconf -i
configure.ac:19: installing './ar-lib'
configure.ac:13: installing './compile'
configure.ac:7: installing './install-sh'
configure.ac:7: installing './missing'
configure.ac:9: installing './tap-driver.sh'
src/blocker/Makefile.am:5: warning: source file '../common/simclist.c'
is in a subdirectory,
src/blocker/Makefile.am:5: but option 'subdir-objects' is disabled
automake-1.15: warning: possible forward-incompatibility.
automake-1.15: At least a source file is in a subdirectory, but the
'subdir-objects'
automake-1.15: automake option hasn't been enabled.  For now, the
corresponding output
automake-1.15: object file(s) will be placed in the top-level
directory.  However,
automake-1.15: this behaviour will change in future Automake versions: they will
automake-1.15: unconditionally cause object files to be placed in the
same subdirectory
automake-1.15: of the corresponding sources.
automake-1.15: You are advised to start using 'subdir-objects' option
throughout your
automake-1.15: project, to avoid future incompatibilities.
src/blocker/Makefile.am: installing './depcomp'
src/fw/Makefile.am:26: warning: source file '../common/simclist.c' is
in a subdirectory,
src/fw/Makefile.am:26: but option 'subdir-objects' is disabled
configure.ac: installing './ylwrap'
parallel-tests: installing './test-driver'


OpenBSD x64 -current with autoreconf-2.69.



> --
> Kevin Zheng
> kev...@gm... | ke...@be... | PGP: 0xC22E1090


-- 
-------
inum: 883510009027723
sip: jun...@si...

Re: [SSHGuard-users] How to protect Dovecot on Ubuntu 18.04?

[Kevin Z. <kev...@gm...>]

On 06/13/2018 16:55, George Wilder via sshguard-users wrote:
> I am fairly new to sshguard. I installed the version that comes with
> Ubuntu 18.04:
> 
> ==> sshguard -v sshguard 1.7.1
> 
> And it’s protecting ssh just fine. I verified that by creating
> multiple login failures. My IP was blocked. I recovered by removing
> it from the black list.
> 
> I recently set up an e-mail server using postfix and dovecot.
> 
> My question is do I need to so anything special to enable sshguard
> protection for e-mail (/var/log/mail.log)? Or is it enabled already?

Sorry for the very late reply; hope this is still relevant.

SSHGuard will look for any attacks it recognizes in the logs you give
it. If your journalctl contains lines from /var/log/mail.log and your
firewall is set up to block all ports instead of only 22, there's
nothing more you need to do.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] SSHGuard 2.2.0 around the corner

[Kevin Z. <kev...@gm...>]

Hi folks,

After a hiatus from the old release schedule, SSHGuard 2.2.0 is finally
around the corner. Only bug fixes were made to components outside of the
parser, and the parser has a new suite of tests, so no new bugs are
anticipated.

**Added**

- Add '--disable-maintainer-mode' in configure for package maintainers
- BusyBox log banner detection
- Match Exim "auth mechanism not supported"
- Match Exim "auth when not advertised"
- Match Postfix greylist early retry
- OpenSMTPD monitoring support
- Recognize IPv6 addresses with interface name

**Changed**

- Ignore CR in addition to LF
- Only log attacks if not already blocked or whitelisted

**Fixed**

- Use correct signal names in driver shell script

The new release will be cut over the weekend. Git users, consider giving
current master a whirl.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] Erase IP

[Kevin Z. <kev...@gm...>]

On 06/27/2018 12:54, Bob Wooldridge wrote:
> I'm doing some testing with my firewall and I want to erase an IP from
> sshguards memory so that I can start over.  Is there a way to do this?

Not currently, unless you restart SSHGuard.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] Erase IP

[Bob W. <bob...@ed...>]

I'm doing some testing with my firewall and I want to erase an IP from 
sshguards memory so that I can start over.  Is there a way to do this?

-- 
Bob Wooldridge
EDM Incorporated
http://www.edm-inc.com

Re: [SSHGuard-users] Consistent mail dumpers

[Jos C. <ssh...@cl...>]

Kev, I sent you my logfile a week ago - did you have time to check it or 
should I resend?


On 20-6-2018 20:33, Kevin Zheng wrote:
> On 06/20/2018 07:52, Jos Chrispijn wrote:
>> Lately I see that there are more and more spam servers that are trying
>> 30 times in 30 seconds to dump their email.
>> Of course mankind found out greylisting for that too, but is there a way
>> to block these ip's with sshguard as well?
> What mail server are you using? Can you give some examples of the log
> messages that you get?
>

-- With both feed on the ground you will never make a step forward

Re: [SSHGuard-users] Terminated

[Kevin Z. <kev...@gm...>]

On 06/20/2018 07:56, Jos Chrispijn wrote:
> Using 'sshguard -v' results in a
> 
> SSHGuard 2.1.0
> Terminated
> 
> What is the function of that 2nd line? Cannot remember I saw that earlier...

I see this, too. I think it has to do with the recursive trap that now
gets set in the sshguard driver script. I think it's harmless, but I'll
investigate if there's an issue or a better way to do it.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] Can't Get it to work

[Kevin Z. <kev...@gm...>]

On 06/25/2018 13:24, Bob Wooldridge wrote:
> I have sshguard version 2.1.0 installed on Devuan 2.0 (a debian variant
> without systemd).  I am running sshd under daemon tools and using
> multilog, but auth.log also registers failed attempts. I have also set
> up sshguard to run under daemontools.  Here is my run script:
> 
>> #!/bin/sh
>>
>> export SSHGUARD_DEBUG=1
>> exec 2>&1
>> exec /usr/local/sbin/sshguard
> 
> I have tried configuring the sshgaurd.conf file to watch auth.log or the
> sshd multilog which I put in /var/log/sshd/current.  In the
> /usr/local/etc/sshguard.conf file I set the FILE variable to
> /var/log/sshd/current.  When I run sshgaurd, the output is this:
> But when I try to login with bad password sshguard does not seem to
> recognize it.  There is nothing in the sshguard log.
> 
> What am I doing wrong??

Could you paste a few examples of lines from your /var/log/sshd/current
that should be detected? I could be that it just doesn't recognize the
log messages on your system.

The "trap: SIGINT: bad trap" is a bug that has since been fixed but
probably isn't the one causing issues for you.

What did you run to generate that iptables output, or did that just show
up by itself?

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] Can't Get it to work

[Bob W. <bob...@ed...>]

I have sshguard version 2.1.0 installed on Devuan 2.0 (a debian variant 
without systemd).  I am running sshd under daemon tools and using 
multilog, but auth.log also registers failed attempts. I have also set 
up sshguard to run under daemontools.  Here is my run script:

> #!/bin/sh
>
> export SSHGUARD_DEBUG=1
> exec 2>&1
> exec /usr/local/sbin/sshguard

I have tried configuring the sshgaurd.conf file to watch auth.log or the 
sshd multilog which I put in /var/log/sshd/current.  In the 
/usr/local/etc/sshguard.conf file I set the FILE variable to 
/var/log/sshd/current.  When I run sshgaurd, the output is this:

> trap: SIGINT: bad trap
> sshguard[16082]: whitelist: add IPv4 block: 127.0.0.0 with mask 8.
> sshguard[16082]: whitelist: add '127.0.0.1' as plain IPv4.
> sshguard[16082]: whitelist: add plain IPv4 127.0.0.1.
> sshguard[16082]: Now monitoring attacks.
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> sshguard   all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  127.0.0.1            127.0.0.1
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 state 
> RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 icmptype 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 icmptype 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 icmptype 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 icmptype 0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 tcp dpt:8095
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0 tcp dpt:443
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain sshguard (1 references)
> target     prot opt source               destination

But when I try to login with bad password sshguard does not seem to 
recognize it.  There is nothing in the sshguard log.

What am I doing wrong??

-- 
Bob Wooldridge
EDM Incorporated
http://www.edm-inc.com

Re: [SSHGuard-users] Consistent mail dumpers

[Kevin Z. <kev...@gm...>]

On 06/20/2018 07:52, Jos Chrispijn wrote:
> Lately I see that there are more and more spam servers that are trying
> 30 times in 30 seconds to dump their email.
> Of course mankind found out greylisting for that too, but is there a way
> to block these ip's with sshguard as well?

What mail server are you using? Can you give some examples of the log
messages that you get?

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

[SSHGuard-users] Terminated

[Jos C. <ssh...@cl...>]

Using 'sshguard -v' results in a

SSHGuard 2.1.0
Terminated

What is the function of that 2nd line? Cannot remember I saw that earlier...

Regards,
Jos

-- With both feed on the ground you will never make a step forward
	

[SSHGuard-users] Consistent mail dumpers

[Jos C. <ssh...@cl...>]

Lately I see that there are more and more spam servers that are trying 
30 times in 30 seconds to dump their email.
Of course mankind found out greylisting for that too, but is there a way 
to block these ip's with sshguard as well?

Keep up the good work!
Jos

-- With both feed on the ground you will never make a step forward
	

[SSHGuard-users] How to protect Dovecot on Ubuntu 18.04?

[George W. <ge...@al...>]

I am fairly new to sshguard. I installed the version that comes with Ubuntu 18.04:

==> sshguard -v
sshguard 1.7.1

And it’s protecting ssh just fine. I verified that by creating multiple login failures. My IP was blocked. I recovered by removing it from the black list.

I recently set up an e-mail server using postfix and dovecot.

My question is do I need to so anything special to enable sshguard protection for e-mail (/var/log/mail.log)? Or is it enabled already?


Here’s how sshguard is running on my system:

==> ps -ef | grep sshguard
root     13131     1  0 09:12 ?        00:00:00 /bin/sh /usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 1200
root     13133 13131  0 09:12 ?        00:00:00 /usr/sbin/sshguard -i /run/sshguard.pid -w /etc/sshguard/whitelist -a 40 -p 420 -s 1200

Thanks for any hints or pointers.

Best Regards,
George

Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[Júlio M. <ju...@ma...>]

On Tue, 5 Jun 2018 at 02:54, Kevin Zheng <kev...@gm...> wrote:
> A pull request recently added two messages from OpenSMTPD:
>
> https://bitbucket.org/sshguard/sshguard/pull-requests/34/add-monitoring-support-for-new-service/diff
>
> If you're interested in adding support for more messages from OpenSMTPD,
> you can take a look at the changes.

Thanks. I looked at it.
I tried to analise the openSMTPD code and got some hits but I needed
to test on a live system. Here are some live results:

smtp event=connected address=192.168.1.222 host=client.lan
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=ok
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio1 address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=julio1 address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=failed-command address=192.168.1.222 host=client.lan
command="MAIL FROM:<ju...@ma...n> BODY=8BITMIME SIZE=404"
result="530 5.5.1 Invalid command: Must issue an AUTH command first"
smtp event=authentication user=alien address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH PLAIN (...)" result="535 Authentication failed"
smtp event=authentication user=alien address=192.168.1.222
host=client.lan result=permfail
smtp event=failed-command address=192.168.1.222 host=client.lan
command="AUTH LOGIN (password)" result="535 Authentication failed"
smtp event=authentication user=julio address=192.168.1.222
host=client.lan result=ok

I could not trigger the command="AUTH LOGIN" result="503 5.5.1 Invalid
command: Command not supported" message.
Using the notation from
https://www.sshguard.net/docs/reference/attack-signatures/, every AUTH
failure is preceded by:

XYZ smtp event=authentication user=XYZ address=6.6.6.0 host=XYZ result=permfail

Maybe only that signature is need. I am not comfortable with lex/yacc
or even git to make a pull request. It could take time (weeks).
So I need help to translate the above signature to lex/yacc.

Júlio

Sent via Migadu.com, world's easiest email hosting

Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[Kevin Z. <kev...@gm...>]

A pull request recently added two messages from OpenSMTPD:

https://bitbucket.org/sshguard/sshguard/pull-requests/34/add-monitoring-support-for-new-service/diff

If you're interested in adding support for more messages from OpenSMTPD,
you can take a look at the changes.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[Júlio M. <ju...@ma...>]

On 26 May 2018 at 23:34, Gary <li...@la...> wrote:
> I enable anvil on postfix. Good enough for me. I have most of the world blocked on all email ports other than 25.
>
> Note I completely block the xyz TLD, along with a number of other TLD know to be used by spammers. Well not block but reply a 550. I am not unique in this respect.

Enough to me, Gary. This talking is getting nonsense. But at least I
can assess your comment about BSD versus Linux.

To the others on the list, I am sorry for the off-topic mails.

Cheers

Júlio

Sent via Migadu.com, world's easiest email hosting

Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

[Gary <li...@la...>]

"It's all about logs. No port are monitored by SSHGuard, I presume."

But a firewall controls a port. Just because some IP is poking at my port 22, I don't want to block that same IP from port 25. If you really want to nitpick, your email should always be reachable. You agree to that when you get a domain. Now of course in practice there are many hurdles blocking email.

I enable anvil on postfix. Good enough for me. I have most of the world blocked on all email ports other than 25.

Note I completely block the xyz TLD, along with a number of other TLD know to be used by spammers. Well not block but reply a 550. I am not unique in this respect. 


  Original Message  
From: julio@maranhao.xyz
Sent: May 26, 2018 5:32 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] OpenSMTPD and SSHGuard?

On 26 May 2018 at 19:41, Gary <li...@la...> wrote:
> But getting back to SSHGuard, I never understood how to use it for both ssh and email ports.

It's all about logs. No port are monitored by SSHGuard, I presume.

> They are different attacks.

Yes. Different objectives, apps and logs. But SSHGuard is not only
ssh. It's actually a "MultiAppGuard" as writen in the website.

> Just because some server is attacking ssh, do I really want to block that server's email?

I didn't understand your doubt. But to clarify my case, I want to
monitor three apps: an IMAP, an SMTP and an SSH server. SSHGuard (and
Fail2Ban) method is to read and analyze the respective log files. What
these apps have in common? Run in the same server and have access
protection (login/passwd). SSHGuard can see in the logs all failed
attempts to access the apps, so it can configure a firewall to block
the offender access to the apps: block a port (or all ports) to some
external IP.

A good comparison is failed login attempts to an ATM or smartcard
holding a digital certificate. Three (n) errors in a row will block
access for a day (bank) or forever (smartcard). Did I help you?

Júlio

Sent via Migadu.com, world's easiest email hosting

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users