does not detect multiple failures to login
In README.rst of the current 1.7.0 code, it states: "If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked." I use iptables.
I have seen this not to be true for examples like "... sshd[XXX]: refused connect from XXX (XXX)" in my auth.log. I have seen these pile up to 100s and 1000s, coming in every few seconds, and sshguard does not catch them. Instead I have to rely on other tools to block these instances. Yes, the XXX IP is blocked, but I still get many entries in my auth.log, e.g., from being blocked in hosts.deny. It seems that iptables may block these IPs sooner?
It would help if sshguard could access a text file of key phrases to use in its determination of hosts to block.
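The report turns on the README's rule of "several failures within a few seconds" and on the fact that the "refused connect from" line (emitted when a host is rejected via hosts.deny) is not one of the patterns the attack parser recognises. As an added example, separate from sshguard's own sshg-parser, the following Python sketch shows what a per-IP sliding-window detector over auth.log looks like when both the ordinary "Failed password" line and the "refused connect" line are treated as attack events. The log lines, IPs (documentation ranges), threshold and window are constructed values chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (syslog timestamp format, no year). 203.0.113.7
# is being rejected repeatedly via hosts.deny; 198.51.100.9 fails once.
SAMPLE_LOG = [
    "Mar 12 10:15:01 bastion sshd[2001]: refused connect from 203.0.113.7 (203.0.113.7)",
    "Mar 12 10:15:04 bastion sshd[2002]: refused connect from 203.0.113.7 (203.0.113.7)",
    "Mar 12 10:15:09 bastion sshd[2003]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2",
    "Mar 12 10:15:10 bastion sshd[2004]: refused connect from 203.0.113.7 (203.0.113.7)",
    "Mar 12 10:15:15 bastion sshd[2005]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2",
    "Mar 12 10:15:18 bastion sshd[2006]: refused connect from 203.0.113.7 (203.0.113.7)",
    "Mar 12 10:17:30 bastion sshd[2007]: refused connect from 203.0.113.7 (203.0.113.7)",
]

# Assumed event patterns: a password failure and the TCP-wrappers refusal
# the report mentions. Neither regex is taken from sshguard's parser.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: refused connect from (?P<ip>[\d.]+) \("),
]
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2024):
    """Return (timestamp, source_ip) for a recognised attack line, else None.

    Syslog lines carry no year, so one is assumed (constructed default)."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for pat in PATTERNS:
        hit = pat.search(line)
        if hit:
            return ts, hit.group("ip")
    return None


def offenders(lines, threshold=4, window_seconds=60):
    """Map each IP that reaches `threshold` events inside `window_seconds`
    to the timestamp of the event that crossed the line.

    A per-IP deque holds only events inside the current window, so the
    check is O(1) amortised per line and old noise does not accumulate."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

With the defaults, 203.0.113.7 is flagged at its fourth refusal (10:15:18) while the single failure from 198.51.100.9 is not; the event at 10:17:30 starts a fresh window because everything older than 60 seconds has been evicted. In practice the block itself would be handed to the firewall (iptables here), which, as the comment below notes, stops further log lines from that host rather than producing one per rejected connection as hosts.deny does.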
Comments (4)
- reporter -
  It sounds like these messages are coming from blocking hosts using hosts.deny. If you use a firewall, no more messages should show up after the block.
- In the latest version, SSHGuard uses a separate executable, sshg-parser, to parse attacks.
- changed status to open
-
- changed status to closed
Re-open if you're still having unexpected behavior.