CSF Version: 5.71
SSH Version: openssh-4.3p2-82.el5
Hello.
We run quite a few CentOS 5 and a week or so ago serveral of our servers were the target of brute force SSH attacks. What we found though was that with:
LF_SSHD = 15
ST_DISKW_FREQ = 5
LFD was not blocking the the IP's (and there were many more than 15 brute force attempts per IP address per 5 minutes). As it turns out, the problem was in regex.pm for the SSH strings. Sll of the SSH regexes were looking for once instance of a character that is not a space and not a dot (period) which is in between the date/time and sshd[$pid], i.e.
$line =~ /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ sshd\[\d+\]:
However, there is no such character in /var/log/secure for SSH on CentOS 5. All that is in between the date/time and sshd[$pid] is a single space. As such, once [^\s\.]+ was removed such that the above regex was changed to this:
$line =~ /^(\S+|\S+\s+\d+\s+\S+) sshd\[\d+\]:
then LFD finally began blocking the brute force IPs.
Thought that you may like to know
Cheers,
Michael (AU)