
csf lfd not blocking failed login triggers

Posted: 20 Sep 2008, 18:07
by corsair
Hello there!
I need your advice. csf lfd is not blocking failed login triggers from the same IP. Any suggestions?

I am getting many emails:
---------------------------------
Time: Sat Sep 20 19:03:21 2008 +0400
IP: 81.91.236.79 (BJ/Benin/ortb.ortb.bj)
Failures: 5 (sshd)
Interval: 10 seconds
Blocked: Yes

Log entries:

Sep 20 19:03:07 icarus sshd[14051]: Failed password for invalid user job from ::ffff:81.91.236.79 port 39773 ssh2
Sep 20 19:03:09 icarus sshd[14054]: Invalid user tv from ::ffff:81.91.236.79
Sep 20 19:03:11 icarus sshd[14054]: Failed password for invalid user tv from ::ffff:81.91.236.79 port 39900 ssh2
Sep 20 19:03:14 icarus sshd[14068]: Invalid user tv from ::ffff:81.91.236.79
Sep 20 19:03:17 icarus sshd[14068]: Failed password for invalid user tv from ::ffff:81.91.236.79 port 40016 ssh2
--------------------------------
Time: Sat Sep 20 19:18:24 2008 +0400
IP: 81.91.236.79 (BJ/Benin/ortb.ortb.bj)
Failures: 5 (sshd)
Interval: 10 seconds
Blocked: Yes

Log entries:

Sep 20 19:18:10 icarus sshd[18071]: Invalid user abuse from ::ffff:81.91.236.79
Sep 20 19:18:12 icarus sshd[18071]: Failed password for invalid user abuse from ::ffff:81.91.236.79 port 40429 ssh2
Sep 20 19:18:14 icarus sshd[18074]: Invalid user abused from ::ffff:81.91.236.79
Sep 20 19:18:17 icarus sshd[18074]: Failed password for invalid user abused from ::ffff:81.91.236.79 port 40557 ssh2
Sep 20 19:18:19 icarus sshd[18086]: Invalid user roger from ::ffff:81.91.236.79
-------------------------------------------------

csf v4.09
CENTOS Enterprise 4.7 i686 on virtuozzo - WHM X v3.1.0

Thanks in advance for your time.

Posted: 22 Sep 2008, 09:55
by chirpy
What do you have set for:

LF_TRIGGER
LF_TRIGGER_PERM
LF_SELECT
LF_SMTPAUTH_PERM

Posted: 22 Sep 2008, 20:06
by corsair
Thanks for your reply, here are my settings:

LF_TRIGGER: 0
LF_TRIGGER_PERM: 1
LF_SELECT: 0
LF_SMTPAUTH_PERM: 1

Posted: 23 Sep 2008, 21:37
by corsair
I have posted my settings. Please suggest a solution.

Posted: 27 Sep 2008, 17:10
by corsair
Anybody there??

Posted: 29 Sep 2008, 10:48
by chirpy
Are the permanent blocks appearing in csf.deny and in the LOCALINPUT iptables chain? If so, it would suggest that something earlier in that chain is allowing the IPs through or you've configured the ethernet devices incorrectly.
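
Added example, not part of the thread and not csf's own code: a small checker for the two causes named in the post above, run against saved `iptables -S` text. The rule sets are constructed for illustration, and the interface names eth0 and venet0 are assumptions.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed rule sets in `iptables -S` format (not from the poster's server).
# Interface names eth0/venet0 are assumptions for illustration.
SHADOWED = """\
-N LOCALINPUT
-A LOCALINPUT -s 81.91.0.0/16 -i venet0 -j ACCEPT
-A LOCALINPUT -s 81.91.236.79/32 -i venet0 -j DROP
"""
WRONG_IFACE = """\
-N LOCALINPUT
-A LOCALINPUT -s 81.91.236.79/32 -i eth0 -j DROP
"""

def first_verdict(rules_text, chain, src_ip, in_iface):
    """Return (position, target) of the first ACCEPT/DROP/REJECT rule in
    `chain` that matches a packet from src_ip arriving on in_iface, or None
    if the packet falls through the chain. Only -s and -i are evaluated;
    other match options are ignored and jumps to other chains are not followed,
    so confirm any hit on a more complex rule by hand."""
    src = ipaddress.ip_address(src_ip)
    pos = 0
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        pos += 1
        matched, negate, target, i = True, False, None, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "!":                      # negates the next option
                negate, i = True, i + 1
                continue
            if opt in ("-s", "-i", "-j") and i + 1 < len(tok):
                val = tok[i + 1]
                if opt == "-j":
                    target = val
                elif opt == "-s":
                    matched &= (src in ipaddress.ip_network(val, strict=False)) != negate
                else:                           # -i, where "eth+" is a prefix wildcard
                    hit = in_iface.startswith(val[:-1]) if val.endswith("+") else in_iface == val
                    matched &= hit != negate
                i += 1
            negate, i = False, i + 1
        if matched and target in TERMINAL:
            return pos, target
    return None
```

A result of `(1, "ACCEPT")` means an earlier rule lets the address through before its DROP is reached; `None` means no rule in the chain matched the packet on that interface, so the DROP in the chain never applies to it.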

Posted: 29 Sep 2008, 19:22
by corsair
Thanks for your reply Chirpy,

Yes, the IPs are showing on csf.deny.
So you think that there is a misconfiguration on ethernet devices (on csf config)?

Posted: 01 Oct 2008, 18:55
by corsair
Please suggest a solution,

I am receiving about 100 emails every day!

Posted: 08 Oct 2008, 21:29
by corsair
Please help. Problem is not solved yet. Please tell me what to do.

Posted: 09 Oct 2008, 16:05
by corsair