False positives
Issue #83 (status: duplicate)
I do parallel sftp transfers from a remote server via lftp, and sshguard-2.0.0 is triggering off disconnect log entries:
Dec 1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...
Dec 1 06:25:27 server sshd[19471]: Received disconnect from 1.2.3.4 port 60058:11: disconnected by user
Dec 1 06:25:27 server sshd[19471]: Disconnected from 1.2.3.4 port 60058
Dec 1 06:25:27 server sshd[19959]: Accepted publickey for User from 1.2.3.4 port 21564 ssh2: RSA SHA256:...
Dec 1 06:25:27 server sshd[19454]: Received disconnect from 1.2.3.4 port 11159:11: disconnected by user
Dec 1 06:25:27 server sshd[19454]: Disconnected from 1.2.3.4 port 11159
Dec 1 06:25:28 server sshd[19961]: Received disconnect from 1.2.3.4 port 21562:11: disconnected by user
Dec 1 06:25:28 server sshd[19961]: Disconnected from 1.2.3.4 port 21562
Dec 1 06:25:28 server sshd[19987]: Connection closed by 1.2.3.4 port 21569 [preauth]
Dec 1 06:25:28 server sshguard[76807]: Attack from "1.2.3.4" on service 100 with danger 10.
Dec 1 06:25:28 server sshguard[76807]: Blocking "1.2.3.4" forever (3 attacks in 36 secs, after 1 abuses over 36 secs.)
This type of signature doesn't appear to pose any entry risk, perhaps a DDOS? It should be ignored or given a much lower "dangerousness" vs. a failed authentication attempt.
Comments (3)

Status changed to duplicate. Duplicate of #77.

Only the "Connection closed by 1.2.3.4 port 21569 [preauth]" is recognized by SSHGuard (the lines above it aren't), so this is a duplicate of #77.
Perhaps a fix would be to recognize the "Accepted publickey" line as a success and reset the accumulated danger. Or as you mention, lowering the dangerousness.
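To make the two points in this thread concrete, here is an added example (not SSHGuard's own code or its real signature set) that replays constructed log lines modelled on the ones above through a small danger tracker. Only the "Connection closed by ... [preauth]" line is counted as an attack, the "Received disconnect" and "Disconnected from" lines are ignored, and a flag switches on the proposed fix of treating "Accepted publickey" as a success that resets the accumulated danger. The regexes, the danger of 10 per attack and the block threshold of 30 (three attacks, as in the issue's log) are assumptions chosen to reproduce the behaviour described, not SSHGuard's actual values.

```python
import re
from dataclasses import dataclass, field

# Assumed patterns for this example; SSHGuard's real signatures differ.
ATTACK_RE = re.compile(r"sshd\[\d+\]: Connection closed by (\S+) port \d+ \[preauth\]")
SUCCESS_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")

DANGER_PER_ATTACK = 10   # matches "danger 10" in the issue's sshguard log line
BLOCK_THRESHOLD = 30     # assumption: 3 attacks x 10 danger triggers a block


@dataclass
class Tracker:
    """Accumulates per-address danger and records which addresses got blocked."""
    reset_on_success: bool
    danger: dict = field(default_factory=dict)
    blocked: list = field(default_factory=list)

    def feed(self, line):
        """Process one syslog line; return the address if this line caused a block."""
        m = SUCCESS_RE.search(line)
        if m:
            # Proposed fix from the thread: a successful login clears the counter.
            if self.reset_on_success:
                self.danger.pop(m.group(1), None)
            return None
        m = ATTACK_RE.search(line)
        if not m:
            # "Received disconnect" / "Disconnected from" fall through here: not an attack.
            return None
        addr = m.group(1)
        self.danger[addr] = self.danger.get(addr, 0) + DANGER_PER_ATTACK
        if self.danger[addr] >= BLOCK_THRESHOLD and addr not in self.blocked:
            self.blocked.append(addr)
            return addr
        return None


def run(lines, reset_on_success):
    """Replay a list of log lines and return the finished tracker."""
    tracker = Tracker(reset_on_success)
    for line in lines:
        tracker.feed(line)
    return tracker


# Constructed sample, modelled on the parallel-sftp burst in the issue: each
# pre-auth close is interleaved with a successful publickey login from the same host.
SAMPLE = [
    "Dec 1 06:25:20 server sshd[19401]: Connection closed by 1.2.3.4 port 21551 [preauth]",
    "Dec 1 06:25:27 server sshd[19956]: Accepted publickey for User from 1.2.3.4 port 21563 ssh2: RSA SHA256:...",
    "Dec 1 06:25:27 server sshd[19471]: Received disconnect from 1.2.3.4 port 60058:11: disconnected by user",
    "Dec 1 06:25:27 server sshd[19471]: Disconnected from 1.2.3.4 port 60058",
    "Dec 1 06:25:28 server sshd[19987]: Connection closed by 1.2.3.4 port 21569 [preauth]",
    "Dec 1 06:25:30 server sshd[19990]: Accepted publickey for User from 1.2.3.4 port 21564 ssh2: RSA SHA256:...",
    "Dec 1 06:25:56 server sshd[20011]: Connection closed by 1.2.3.4 port 21570 [preauth]",
]

if __name__ == "__main__":
    baseline = run(SAMPLE, reset_on_success=False)
    fixed = run(SAMPLE, reset_on_success=True)
    print("baseline blocked:", baseline.blocked)   # ['1.2.3.4']
    print("with reset blocked:", fixed.blocked)    # []
    print("with reset danger:", fixed.danger)      # {'1.2.3.4': 10}
```

Run as a script it shows the asymmetry the reporter describes: without the reset, three pre-auth closes from a host that also authenticates successfully in between are enough to reach the block threshold, while with the reset the same host never accumulates more than one attack's worth of danger.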