Thread: [SSHGuard-users] Adedd and 'should have been added'

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Dearteam,

Just saw following in my all.log file:

-- cut --

Jul 31 18:12:56 ares sshguard[720]: blacklist: added 98.174.187.19
Jul 31 18:12:56 ares kernel: Jul 31 18:12:56 ares sshguard[720]: 
blacklist: added 98.174.187.19
(1) Jul 31 18:12:56 ares sshguard[720]: 98.174.187.19: blocking forever 
(3 attacks in 256 secs, after 1 abuses over 256 secs)
(1) Jul 31 18:12:56 ares kernel: Jul 31 18:12:56 ares sshguard[720]: 
98.174.187.19: blocking forever (3 attacks in 256 secs, after 1 abuses 
over 256 secs)
Jul 31 18:12:56 ares postfix/smtpd[2492]: lost connection after AUTH 
from wsip-98-174-187-19.ok.ok.cox.net[98.174.187.19]
Jul 31 18:12:56 ares postfix/smtpd[2492]: disconnect from 
wsip-98-174-187-19.ok.ok.cox.net[98.174.187.19] ehlo=1 auth=0/1 commands=1/2
(2) --> Jul 31 18:12:56 ares sshguard[720]: 98.174.187.19: should 
already have been blocked
(2) --> Jul 31 18:12:56 ares kernel: Jul 31 18:12:56 ares sshguard[720]: 
98.174.187.19: should already have been blocked

-- cut --

As you see the ip address has been blocked @ (1), but in the same run I 
get twice another display line, saying the the ip should have been 
blocked (as it was in (1)).
Can you explain how we should interprer the (2) lines or is it a display 
bug?

Keep up the good work,
Jos Chrispijn

Thread: [SSHGuard-users] Adedd and 'should have been added'

Intelligently block brute-force attacks by aggregating system logs

sshguard-users