I have installed security/sshguard and what I'm finding in my logs are an awful lot of these:
Code:
Mar 15 06:36:32 rmx saslauthd[18614]: do_auth : auth failure: [user=billy] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
My assumption here is that security/sshguard isn't going to block anything, and why?
My issue is that there aren't any indications of where these 'attempts' are coming from. Mind you, they'd never get past anything; there's perhaps ONE account on the entire box that has a shell assigned to it inside /etc/pwd.
I know that when security/sshguard sees > 4 bad entries such as that, it's supposed to drop those IPs into the top of /etc/hosts.allow and 'block' them.
But if there aren't any indications of where they're coming from, how can this be accomplished? Better yet, would anyone have a better script that looks at, say, the last 10 lines in /var/log/messages and just turns that service off for, say, 60 seconds? I'd be happy to add any script anyone has come up with for my scenario.
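As an added example (not from the post above and not sshguard's own code), here is the log-tail check the post asks for, written in Python against the saslauthd line it quotes. The point it makes is what the parser cannot give you: saslauthd's failure line carries the user, service and mechanism but no client address, so every record it produces has `source_ip` set to None and an address-keyed blocker such as sshguard's hosts.allow backend has nothing to write. The only keys left are the user and SASL service names, and the only action left is service-wide, which is what the "turn it off for 60 seconds" idea amounts to. The threshold (4), window (60 s) and tail length (10 lines) are the post's own figures used as illustrative defaults, not sshguard settings; every sample log line except the quoted one is constructed; the syslog timestamp has no year, so the year is taken from the reference time and rolled back when the line would otherwise land in the future. Actually stopping and restarting the service is left to the caller.

```python
#!/usr/bin/env python3
"""Tail-of-log check for saslauthd PAM auth failures.

Added example, not code from the forum post or from sshguard. Assumes log
lines look like the saslauthd line quoted in the post; the threshold/window/
tail defaults (4 / 60 s / 10 lines) are the post's figures, not sshguard's.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the saslauthd failure line quoted in the post. Note what is NOT
# here: saslauthd never sees the client connection, so no address is logged.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) saslauthd\[(?P<pid>\d+)\]: do_auth : auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]\s*$"
)


def parse_failure(line, now):
    """Return a record for a saslauthd auth-failure line, or None otherwise.

    Syslog timestamps carry no year, so the year is taken from `now`; a
    timestamp that lands in the future (a Dec 31 line read on Jan 1) is
    rolled back one year.
    """
    m = SASL_FAIL.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if ts > now:
        try:
            ts = ts.replace(year=now.year - 1)
        except ValueError:  # Feb 29 rolling back into a non-leap year
            return None
    return {
        "time": ts,
        "host": m["host"],
        "user": m["user"],
        "service": m["service"],
        "mech": m["mech"],
        "reason": m["reason"],
        # Explicitly absent: an address-keyed blocker (hosts.allow, a pf
        # table) has nothing to act on from this line alone.
        "source_ip": None,
    }


def recent_failures(lines, now, window=60, tail=10):
    """Parse the last `tail` lines and keep failures at most `window` s old."""
    cutoff = now - timedelta(seconds=window)
    hits = []
    for line in lines[-tail:]:
        rec = parse_failure(line, now)
        if rec is not None and cutoff <= rec["time"] <= now:
            hits.append(rec)
    return hits


def decide(lines, now, threshold=4, window=60, tail=10):
    """Service-wide decision: trip the cool-down when more than `threshold`
    failures fall inside the window. With no address available, the only
    breakdowns possible are by user and by SASL service name."""
    hits = recent_failures(lines, now, window, tail)
    return {
        "total": len(hits),
        "per_user": dict(Counter(r["user"] for r in hits)),
        "per_service": dict(Counter(r["service"] for r in hits)),
        "trip": len(hits) > threshold,
    }


def _fail(ts, user):
    """Build a saslauthd failure line in the quoted format (constructed input)."""
    return (f"{ts} rmx saslauthd[18614]: do_auth : auth failure: [user={user}] "
            "[service=smtp] [realm=] [mech=pam] [reason=PAM auth error]")


# Constructed sample: the 06:36:32 line is the one quoted in the post; the
# rest (including an unrelated cron line as noise) are made up for the demo.
NOW = datetime(2024, 3, 15, 6, 37, 0)
SAMPLE_LOG = [
    _fail("Mar 15 06:30:01", "billy"),  # older than the 60 s window
    _fail("Mar 15 06:36:32", "billy"),
    _fail("Mar 15 06:36:35", "billy"),
    "Mar 15 06:36:40 rmx cron[20117]: (root) CMD (/usr/libexec/atrun)",
    _fail("Mar 15 06:36:41", "alice"),
    _fail("Mar 15 06:36:50", "billy"),
    _fail("Mar 15 06:36:58", "billy"),
]
# Year-rollover case: a Dec 31 line read 30 s into Jan 1 (constructed).
ROLLOVER_NOW = datetime(2024, 1, 1, 0, 0, 30)
ROLLOVER_LINE = _fail("Dec 31 23:59:59", "billy")

if __name__ == "__main__":
    print(decide(SAMPLE_LOG, NOW))
```

To find out where the attempts come from you need a log that records the client connection. saslauthd is only the back end the mail server hands credentials to; the connecting address appears in the MTA's own log lines, which the post does not show, so they are not parsed here. Once you have that address, feeding it to an address-keyed blocker (hosts.allow, a pf table) is the normal fix; the service-wide cool-down above is the fallback for when you only have the saslauthd line.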