From: <li...@la...> - 2018-01-08 03:48:08

From CentOS 7 boot in the messages log. Is this a problem?

Jan 7 05:11:48 systemd: Starting LSB: Bring up/down networking...
Jan 7 05:11:48 systemd: Starting SSHGuard - blocks brute-force login attempts...
Jan 7 05:11:48 iptables: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 7 05:11:48 systemd: Started SSHGuard - blocks brute-force login attempts.

From: Kevin Z. <kev...@gm...> - 2018-01-08 04:43:45

On 01/08/2018 11:47, li...@la... wrote:
> From CentOS 7 boot in the messages log. Is this a problem?
>
> Jan 7 05:11:48 systemd: Starting LSB: Bring up/down networking...
> Jan 7 05:11:48 systemd: Starting SSHGuard - blocks brute-force login attempts...
> Jan 7 05:11:48 iptables: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
> Jan 7 05:11:48 systemd: Started SSHGuard - blocks brute-force login attempts.

Perhaps. I remember something similar being reported before.

What version of SSHGuard, Linux kernel, distribution, and iptables are you using?

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

From: <li...@la...> - 2018-01-08 06:22:13

On Mon, 8 Jan 2018 12:43:49 +0800
Kevin Zheng <kev...@gm...> wrote:

> On 01/08/2018 11:47, li...@la... wrote:
> > From CentOS 7 boot in the messages log. Is this a problem?
> >
> > Jan 7 05:11:48 systemd: Starting LSB: Bring up/down networking...
> > Jan 7 05:11:48 systemd: Starting SSHGuard - blocks brute-force
> > login attempts... Jan 7 05:11:48 iptables: Another app is
> > currently holding the xtables lock. Perhaps you want to use the -w
> > option? Jan 7 05:11:48 systemd: Started SSHGuard - blocks
> > brute-force login attempts.
>
> Perhaps. I remember something similar being reported before.
>
> What version of SSHGuard, Linux kernel, distribution, and iptables are
> you using?
>

I'm running firewalld. I'm very much a novice on firewalld, but I understand it can be augmented with iptables, but it isn't a requirement.

CentOS
uname -a
Linux 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

firewall-cmd --version
0.4.4.4

sh-4.2# systemctl status iptables
Unit iptables.service could not be found.
sh-4.2# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-01-07 05:11:48 UTC; 1 day 1h ago
     Docs: man:firewalld(1)
 Main PID: 585 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─585 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 07 05:12:14 firewalld[585]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Jan 07 05:12:20 firewalld[585]: WARNING: ALREADY_ENABLED: rule family=ipv6 source ipset=sshguard6 drop
Jan 07 05:12:21 firewalld[585]: ERROR: NAME_CONFLICT: new_ipset(): 'sshguard4'
Jan 07 05:12:22 firewalld[585]: WARNING: ALREADY_ENABLED: rule family=ipv4 source ipset=sshguard4 drop
Jan 07 05:12:48 firewalld[585]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Jan 07 05:12:48 firewalld[585]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Jan 07 05:12:48 firewalld[585]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Jan 07 05:12:48 firewalld[585]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Jan 07 05:12:48 firewalld[585]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Jan 07 05:12:48 firewalld[585]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.

From: <li...@la...> - 2018-01-08 06:47:00

On Mon, 8 Jan 2018 12:43:49 +0800
Kevin Zheng <kev...@gm...> wrote:

> On 01/08/2018 11:47, li...@la... wrote:
> > From CentOS 7 boot in the messages log. Is this a problem?
> >
> > Jan 7 05:11:48 systemd: Starting LSB: Bring up/down networking...
> > Jan 7 05:11:48 systemd: Starting SSHGuard - blocks brute-force
> > login attempts... Jan 7 05:11:48 iptables: Another app is
> > currently holding the xtables lock. Perhaps you want to use the -w
> > option? Jan 7 05:11:48 systemd: Started SSHGuard - blocks
> > brute-force login attempts.
>
> Perhaps. I remember something similar being reported before.
>
> What version of SSHGuard, Linux kernel, distribution, and iptables are
> you using?
>

Some additional firewalld stuff I meant to post but forgot. The default
size of the ipset is very small. I maxed one out at less than 30 IP
addresses.

Check out this post, specifically at the bottom:
https://lists.fedorahosted.org/archives/list/fir...@li.../thread/EQAIIB5YTEAFZRW7Z6ALKCV3HGSWJ2EM/

You need to specify the maximum size of the elements of the ipset. But
what I found interesting is if you add an IP address to block, you will
be returned a "success" even if the ipset is full (reached limit).

From: Daniel A. <co...@da...> - 2018-01-09 16:04:29

On Mon, Jan 8, 2018, at 07:46, li...@la... wrote:
> On Mon, 8 Jan 2018 12:43:49 +0800
> Kevin Zheng <kev...@gm...> wrote:
>
> > On 01/08/2018 11:47, li...@la... wrote:
> > > From CentOS 7 boot in the messages log. Is this a problem?
> > >
> > > Jan 7 05:11:48 systemd: Starting LSB: Bring up/down networking...
> > > Jan 7 05:11:48 systemd: Starting SSHGuard - blocks brute-force
> > > login attempts... Jan 7 05:11:48 iptables: Another app is
> > > currently holding the xtables lock. Perhaps you want to use the -w
> > > option? Jan 7 05:11:48 systemd: Started SSHGuard - blocks
> > > brute-force login attempts.
> >
> > Perhaps. I remember something similar being reported before.
> >
> > What version of SSHGuard, Linux kernel, distribution, and iptables are
> > you using?
> >
>
> Some additional firewalld stuff I meant to post but forgot. The default
> size of the ipset is very small. I maxed one out at less than 30 IP
> addresses.
>
> Check out this post, specifically at the bottom:
> https://lists.fedorahosted.org/archives/list/fir...@li.../thread/EQAIIB5YTEAFZRW7Z6ALKCV3HGSWJ2EM/
>
> You need to specify the maximum size of the elements of the ipset. But
> what I found interesting is if you add an IP address to block, you will
> be returned a "success" even if the ipset is full (reached limit).

I tested on Fedora 27 just now and added over 1000 addresses to the sshguard4 ipset without problem. The default maximum size of an ipset should be 65 536. I’m not sure what is going on on your system, but I doubt that this is your problem if you only have 30 entries.

--
Daniel Aleksandersen
https://www.daniel.priv.no/
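
Added example, not part of the thread and not SSHGuard or firewalld code: the thread reports that adding an address to a full ipset can still return "success", so this shell function reads `ipset list` output and reports how close a set is to its maxelem limit. The function name, the 90% warning threshold and both sample listings are constructed for illustration; it assumes the usual `Header: ... maxelem N` line and counts members itself when no "Number of entries" line is printed.

```shell
#!/bin/sh
# Read `ipset list <name>` output on stdin; print "<name> <entries> <maxelem> <status>".
# $1 = warning threshold in percent (default 90, an assumption). Exit 0 only when OK.
ipset_fill() {
    awk -v warn="${1:-90}" '
        /^Name:/              { name = $2 }
        /^Header:/            { for (i = 2; i < NF; i++) if ($i == "maxelem") max = $(i + 1) }
        /^Number of entries:/ { reported = $4; have_reported = 1 }
        /^Members:/           { in_members = 1; next }
        in_members && NF      { counted++ }   # fallback when no entry count is printed
        END {
            if (name == "" || max == "") { print "parse error"; exit 2 }
            n = (have_reported ? reported : counted) + 0
            max += 0
            status = "OK"
            if (n * 100 >= max * warn) status = "NEAR_FULL"
            if (n >= max) status = "FULL"
            print name, n, max, status
            exit (status == "OK" ? 0 : 1)
        }'
}

# Constructed sample: a set created with a deliberately tiny maxelem that is now full.
sample_full() {
    cat <<'EOF'
Name: sshguard4
Type: hash:ip
Header: family inet hashsize 1024 maxelem 4
References: 1
Members:
192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.5
EOF
}

# Constructed sample: terse listing with the default-sized limit quoted in the thread.
sample_terse() {
    cat <<'EOF'
Name: sshguard4
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1
Number of entries: 28
EOF
}

# Live use (as root): ipset list sshguard4 | ipset_fill 90
```

A non-zero exit status makes the function usable from cron or a monitoring check, so a set that has stopped accepting new blocks is noticed even though the add itself reported success.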