csf lfd not blocking failed login triggers

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

csf lfd not blocking failed login triggers

Post by corsair »

Hello there!
I need your advice. csf lfd is not blocking failed login triggers from the same IP. Any suggestions?

I am getting many emails:
---------------------------------
Time: Sat Sep 20 19:03:21 2008 +0400
IP: 81.91.236.79 (BJ/Benin/ortb.ortb.bj)
Failures: 5 (sshd)
Interval: 10 seconds
Blocked: Yes

Log entries:

Sep 20 19:03:07 icarus sshd[14051]: Failed password for invalid user job from ::ffff:81.91.236.79 port 39773 ssh2
Sep 20 19:03:09 icarus sshd[14054]: Invalid user tv from ::ffff:81.91.236.79
Sep 20 19:03:11 icarus sshd[14054]: Failed password for invalid user tv from ::ffff:81.91.236.79 port 39900 ssh2
Sep 20 19:03:14 icarus sshd[14068]: Invalid user tv from ::ffff:81.91.236.79
Sep 20 19:03:17 icarus sshd[14068]: Failed password for invalid user tv from ::ffff:81.91.236.79 port 40016 ssh2
--------------------------------
Time: Sat Sep 20 19:18:24 2008 +0400
IP: 81.91.236.79 (BJ/Benin/ortb.ortb.bj)
Failures: 5 (sshd)
Interval: 10 seconds
Blocked: Yes

Log entries:

Sep 20 19:18:10 icarus sshd[18071]: Invalid user abuse from ::ffff:81.91.236.79
Sep 20 19:18:12 icarus sshd[18071]: Failed password for invalid user abuse from ::ffff:81.91.236.79 port 40429 ssh2
Sep 20 19:18:14 icarus sshd[18074]: Invalid user abused from ::ffff:81.91.236.79
Sep 20 19:18:17 icarus sshd[18074]: Failed password for invalid user abused from ::ffff:81.91.236.79 port 40557 ssh2
Sep 20 19:18:19 icarus sshd[18086]: Invalid user roger from ::ffff:81.91.236.79
-------------------------------------------------

csf v4.09
CENTOS Enterprise 4.7 i686 on virtuozzo - WHM X v3.1.0

Thanks in advance for your time..
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

What do you have set for:

LF_TRIGGER
LF_TRIGGER_PERM
LF_SELECT
LF_SMTPAUTH_PERM
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

Thanks for your reply, here are my settings:

LF_TRIGGER: 0
LF_TRIGGER_PERM: 1
LF_SELECT: 0
LF_SMTPAUTH_PERM: 1
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

I have posted my settings. Please suggest a solution.
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

Anybody there??
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Are the permanent blocks appearing in csf.deny and in the LOCALINPUT iptables chain? If so, it would suggest that something earlier in that chain is allowing the IPs through or you've configured the ethernet devices incorrectly.
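
The check suggested in the reply above, as an added example that is not part of the thread or of csf: it reads `iptables-save` output and reports whether the jump into LOCALINPUT covers the interface the traffic arrives on, and whether an ACCEPT is reached before the DROP for the IP. The sample ruleset, the interface names `eth0` and `venet0`, and the function names are assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt, not taken from the poster's server.
SAMPLE = """\
:INPUT DROP [0:0]
:LOCALINPUT - [0:0]
-A INPUT -i eth0 -j LOCALINPUT
-A LOCALINPUT -s 81.91.0.0/16 -j ACCEPT
-A LOCALINPUT -s 81.91.236.79 -j DROP
"""

def parse(ruleset):
    """Map chain name -> ordered rules, keeping only -s, -i and -j."""
    chains = {}
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue
        tok, rule = shlex.split(line), {"raw": line}
        for i, t in enumerate(tok[:-1]):
            if t in ("-s", "-i", "-j"):  # "! -s x" form marks a negated match
                rule[t] = ("!" if tok[i - 1] == "!" else "") + tok[i + 1]
        chains.setdefault(tok[1], []).append(rule)
    return chains

def applies(rule, ip, iface):
    """True if the rule's source and input-interface matches cover this packet."""
    src, dev = rule.get("-s"), rule.get("-i")
    if src and (ipaddress.ip_address(ip) in ipaddress.ip_network(
            src.lstrip("!"), strict=False)) == src.startswith("!"):
        return False
    return not dev or (dev.lstrip("!") == iface) != dev.startswith("!")

def diagnose(ruleset, ip, iface):
    """Reasons a denied ip arriving on iface may still get through.
    Protocol, port and state matches are ignored, so findings are candidates."""
    chains, findings = parse(ruleset), []
    for chain, want in (("INPUT", "LOCALINPUT"), ("LOCALINPUT", "DROP")):
        hit = next((r for r in chains.get(chain, []) if applies(r, ip, iface)
                    and r.get("-j") in ("ACCEPT", "DROP", "REJECT", want)), None)
        if hit is None:
            findings.append("%s: no %s rule covers %s on %s" % (chain, want, ip, iface))
        elif hit["-j"] == "ACCEPT":
            findings.append("%s: ACCEPT comes first: %s" % (chain, hit["raw"]))
    return findings

if __name__ == "__main__":
    print({d: diagnose(SAMPLE, "81.91.236.79", d) for d in ("eth0", "venet0")})
```

On a live server the same function can be fed the text captured from `iptables-save`, with `iface` set to the interface that actually carries the inbound traffic.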
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

Thanks for your reply Chirpy,

Yes, the IPs are showing in csf.deny.
So you think that there is a misconfiguration of the ethernet devices (in the csf config)?
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

Please suggest a solution,

I am receiving about 100 emails every day!
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »

Please help. The problem is not solved yet. Please tell me what to do.
corsair
Junior Member
Posts: 10
Joined: 27 Feb 2007, 17:10

Post by corsair »
