does not detect multiple failures to login

Issue #41 closed
Lester Ingber created an issue

In README.rst of the current 1.7.0 code, it states: "If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked." I use iptables.

I have seen this not to be true for examples like: "... sshd[XXX]: refused connect from XXX (XXX)" in my auth.log. I have seen these pile up to 100's and 1000's, coming in every few secs, and sshguard does not catch these. Instead I have to rely on other tools to block these instances. Yes, the XXX IP is blocked, but I still get many entries in my auth.log, e.g., from being blocked in hosts.deny. It seems that iptables may block these IPs sooner?

It would help if sshguard could access a text file of key phrases to use in its determination of hosts to block.

Comments (4)

  1. Kevin Zheng

    It sounds like these messages are coming from blocking hosts using hosts.deny. If you use a firewall, no more messages should show up after the block.

    In the latest version, SSHGuard uses a separate executable, sshg-parser, to parse attacks.

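The two behaviours discussed in this thread, as an added example that is not sshguard or sshg-parser code: a per-IP sliding-window detector over auth.log-style lines, with a small "key phrase" table like the one the reporter asks for. The sample log lines, the addresses, the pattern table and the threshold are all constructed for the illustration; the "refused connect from" entries are what TCP wrappers log for a peer already rejected by hosts.deny, so by default they are recorded but not counted, and a flag shows what happens if they are counted instead.

```python
"""Sliding-window login-failure detector with a configurable phrase table.

Added example, not sshguard's own code. The pattern table is illustrative and
is not sshg-parser's grammar; the log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log-style sample (documentation address ranges, no real host).
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 10 12:00:04 host sshd[1236]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 12:00:05 host sshd[1237]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 10 12:00:09 host sshd[1240]: refused connect from 203.0.113.7 (203.0.113.7)
Jan 10 12:00:12 host sshd[1241]: refused connect from 203.0.113.7 (203.0.113.7)
Jan 10 12:01:00 host sshd[1250]: refused connect from 192.0.2.55 (192.0.2.55)
Jan 10 12:01:02 host sshd[1251]: refused connect from 192.0.2.55 (192.0.2.55)
Jan 10 12:01:03 host sshd[1252]: refused connect from 192.0.2.55 (192.0.2.55)
Jan 10 12:01:05 host sshd[1253]: refused connect from 192.0.2.55 (192.0.2.55)
Jan 10 12:05:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 10 12:09:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

# Illustrative "key phrase" table: (name, regex with an <ip> group, counts_as_attack).
# "refused connect from" is emitted by TCP wrappers for a peer that hosts.deny
# already rejects, so it is matched but not counted as an attack by default.
PATTERNS = [
    ("failed_password",
     re.compile(r"sshd\[\d+\]: Failed password for .+ from (?P<ip>\S+) port \d+"),
     True),
    ("tcpwrappers_refused",
     re.compile(r"sshd\[\d+\]: refused connect from (?P<ip>\S+) \("),
     False),
]


def parse_line(line, patterns=PATTERNS):
    """Return (timestamp, pattern_name, ip, counts_as_attack), or None if no match."""
    try:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog prefix, no year
    except ValueError:
        return None
    for name, regex, is_attack in patterns:
        m = regex.search(line)
        if m:
            return ts, name, m.group("ip"), is_attack
    return None


def detect(lines, threshold=4, window_seconds=10, count_refused=False):
    """Block an IP once `threshold` attack lines fall within `window_seconds`.

    Returns (blocked, noncounted): blocked maps ip -> timestamp of the block
    decision; noncounted maps ip -> number of matched lines that were seen but
    not treated as attacks (the hosts.deny "refused connect" noise).
    """
    patterns = [(n, r, True if (count_refused and n == "tcpwrappers_refused") else a)
                for n, r, a in PATTERNS]
    recent = defaultdict(deque)
    blocked = {}
    noncounted = defaultdict(int)
    for line in lines:
        ev = parse_line(line, patterns)
        if ev is None:
            continue
        ts, _name, ip, is_attack = ev
        if not is_attack:
            noncounted[ip] += 1
            continue
        if ip in blocked:
            # Already blocked: with a firewall rule these lines would not appear;
            # with hosts.deny they keep arriving and only re-confirm the block.
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
            q.clear()
    return blocked, dict(noncounted)


if __name__ == "__main__":
    for flag in (False, True):
        blocked, noncounted = detect(SAMPLE_LOG.splitlines(), count_refused=flag)
        print(f"count_refused={flag}: blocked={sorted(blocked)} noncounted={noncounted}")
```

With the default table only 203.0.113.7 is blocked (four failures in four seconds); its later "refused connect" lines and all of 192.0.2.55's are just noise from a host that something else already denied. Flipping count_refused adds 192.0.2.55 to the block list, which is what the requested phrase file would achieve, but it blocks an address that hosts.deny is already rejecting; the log entries stop only when the block is enforced before the connection reaches sshd, as with an iptables rule.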