From: Kevin Z. <kev...@gm...> - 2015-08-25 06:15:05

On 08/24/2015 20:12, li...@la... wrote:
> I put the rule at 550. However, I'm not sure it is blocking properly,
> or this particular attack is something sshguard does not block.

To check the addresses that are blocked, display table #22:

# ipfw table 22 list

Keep in mind that SSHGuard unblocks blocked attackers after 7 minutes the first time the attacker is blocked.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: <li...@la...> - 2015-08-29 00:43:31

I've studied enough auth.log now to believe the program is working. I'm going back into lurking mode. Thanks all for your help.

Original Message
From: Kevin Zheng
Sent: Monday, August 24, 2015 11:15 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?

On 08/24/2015 20:12, li...@la... wrote:
> I put the rule at 550. However, I'm not sure it is blocking properly,
> or this particular attack is something sshguard does not block.

To check the addresses that are blocked, display table #22:

# ipfw table 22 list

Keep in mind that SSHGuard unblocks blocked attackers after 7 minutes the first time the attacker is blocked.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: <do...@sa...> - 2015-08-31 18:19:35

I am running FreeBSD of various versions 7-10. All show this problem.

My question goes back to the original question except that I am apparently the only one on the list using inetd. My initial reasons for this being I am several hours away from my servers and this seemed more prudent as testing mistakes are slightly less fatal than with ipfw. And much more easily circumvented.

Anyway, the inet version exhibits the same characteristic as originally described. That is, I see 50-100 entries logged within a minute before sshguard gets a block inserted. Restarting inetd is not required to pick up changes in the file. I was assuming this to be a scheduling issue. In my case all the instances of this are with PAM errors.

One way to do this would be to launch all 100 (or so) attempts. The time stamps suggest they are arriving about 1/sec but this could be PAM queuing the requests.

_____
Douglas Denault
http://www.safeport.com
do...@sa...
Voice: 301-217-9220
Fax: 301-217-9277

From: Kevin Z. <kev...@gm...> - 2015-09-01 00:03:47

On 08/31/2015 10:39, do...@sa... wrote:
> My question goes back to the original question except that I am apparently the
> only one on the list using inetd. My initial reasons for this being I am several
> hours away from my servers and this seemed more prudent as testing mistakes are
> slightly less fatal than with ipfw. And much more easily circumvented.

I don't think it should matter whether you're running from 'inetd' or not, since all of the logs go through syslog. That's running, right?

> Anyway, the inet version exhibits the same characteristic as originally
> described. That is I see 50-100 entries logged within a minute before sshguard
> gets a block inserted. Restarting inetd is not required to pickup changes in the
> file. I was assuming this to be a scheduling issue. In my case all the instances
> of this are with PAM errors.

Can you give me a few examples of the log entries you want blocked? I want to make sure that SSHGuard is actually picking them up as attacks.

> One way to do this would be to launch all 100 (or so) attempts. The time stamps
> suggests they are arriving about 1/sec but this could be PAM queuing the
> requests.

I'm not sure; I don't know much about PAM.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090

From: Willem J. W. <wj...@di...> - 2015-09-01 00:16:08

On 1-9-2015 02:03, Kevin Zheng wrote:
> On 08/31/2015 10:39, do...@sa... wrote:
>> My question goes back to the original question except that I am apparently the
>> only one on the list using inetd. My initial reasons for this being I am several
>> hours away from my servers and this seemed more prudent as testing mistakes are
>> slightly less fatal than with ipfw. And much more easily circumvented.
>
> I don't think it should matter whether you're running from 'inetd' or
> not, since all of the logs go through syslog. That's running, right?
>
>> Anyway, the inet version exhibits the same characteristic as originally
>> described. That is I see 50-100 entries logged within a minute before sshguard
>> gets a block inserted. Restarting inetd is not required to pickup changes in the
>> file. I was assuming this to be a scheduling issue. In my case all the instances
>> of this are with PAM errors.
>
> Can you give me a few examples of the log entries you want blocked? I
> want to make sure that SSHGuard is actually picking them up as attacks.
>
>> One way to do this would be to launch all 100 (or so) attempts. The time stamps
>> suggests they are arriving about 1/sec but this could be PAM queuing the
>> requests.
>
> I'm not sure; I don't know much about PAM.

And make sure that syslogd is not summarizing the reporting.
Look at the -c option of syslogd:

    -c      Disable the compression of repeated instances of the same line
            into a single line of the form ``last message repeated N times''
            when the output is a pipe to another program.  If specified
            twice, disable this compression in all cases.

--WjW
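A simplified illustration of Willem's point, added here and not code from the thread or from sshguard itself: a small per-source counter over constructed FreeBSD-style auth.log lines, showing how a syslogd "last message repeated N times" line hides PAM failures from a threshold-based blocker unless the repeats are expanded (as they would be with syslogd -c). The threshold of 4 failures is an assumption, not sshguard's configuration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): a burst of PAM failures
# from 192.0.2.10 that syslogd has partly compressed into a "repeated" line.
SAMPLE_LOG = """\
Aug 31 10:30:01 host sshd[1234]: error: PAM: authentication error for root from 192.0.2.10
Aug 31 10:30:02 host syslogd: last message repeated 3 times
Aug 31 10:30:05 host sshd[1235]: error: PAM: authentication error for illegal user admin from 198.51.100.7
Aug 31 10:30:06 host sshd[1236]: error: PAM: authentication error for root from 192.0.2.10
Aug 31 10:30:07 host sshd[1237]: Accepted publickey for doug from 203.0.113.4 port 5022 ssh2
"""

PAM_RE = re.compile(r"sshd\[\d+\]: error: PAM: authentication error .* from (\S+)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times$")


def count_failures(log_text, expand_repeats):
    """Return {source_ip: failure_count} for PAM authentication errors.

    With expand_repeats=True, a "last message repeated N times" line is
    credited as N further failures from the source of the preceding PAM
    line, which is what the log would have contained with syslogd -c.
    With expand_repeats=False the repeated line is ignored, as a parser
    matching only the PAM pattern would see it.
    """
    counts = defaultdict(int)
    last_ip = None
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            last_ip = m.group(1)
            counts[last_ip] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_ip and expand_repeats:
            counts[last_ip] += int(r.group(1))
        elif not r:
            last_ip = None  # any other message ends the repeat chain
    return dict(counts)


def should_block(counts, threshold=4):
    """Sources whose failure count reached the (assumed) block threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

With compression left in place the attacker shows only 2 failures and is never blocked; with the repeats expanded it shows 5 and crosses the threshold.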