LF_SSHD not blocking IP on non-standard port

1 post Page 1 of 1
ditto
Junior Member
Posts: 5
Joined: 25 Feb 2012, 11:14


Edit: Please delete this post. I was not able to delete it myself. It is not a bug; the reason the IP is not blocked is that it is not within my setting of 300 sec.

We have SSHD running on default port 22. Control panel is DirectAdmin. Settings are as follows:

LF_SSHD = 5
LF_SSHD_PERM = 1
SSHD_LOG = /var/log/secure

Brute-force attacks on port 22 are blocked correctly, however all brute-force attacks on ports other than 22 are never blocked, maybe because they change the port number on each attempt so that it never reaches 5 attempts on the same port number? Is this a bug? If not, please consider it a feature request.

Here is the log from /var/log/secure of one IP which is never blocked because it is doing the brute force on non-default ports:

Sep 2 14:07:47 server sshd[24680]: Invalid user ashok from 178.62.6.225 port 47186
Sep 2 14:07:47 server sshd[24680]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:07:49 server sshd[24680]: Failed password for invalid user ashok from 178.62.6.225 port 47186 ssh2
Sep 2 14:07:49 server sshd[24680]: Received disconnect from 178.62.6.225 port 47186:11: Bye Bye [preauth]
Sep 2 14:07:49 server sshd[24680]: Disconnected from 178.62.6.225 port 47186 [preauth]
Sep 2 14:19:53 server sshd[28425]: Invalid user sinus from 178.62.6.225 port 41914
Sep 2 14:19:53 server sshd[28425]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:19:55 server sshd[28425]: Failed password for invalid user sinus from 178.62.6.225 port 41914 ssh2
Sep 2 14:19:55 server sshd[28425]: Received disconnect from 178.62.6.225 port 41914:11: Bye Bye [preauth]
Sep 2 14:19:55 server sshd[28425]: Disconnected from 178.62.6.225 port 41914 [preauth]
Sep 2 14:26:15 server sshd[30148]: Invalid user anurag from 178.62.6.225 port 58886
Sep 2 14:26:15 server sshd[30148]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:26:18 server sshd[30148]: Failed password for invalid user anurag from 178.62.6.225 port 58886 ssh2
Sep 2 14:26:18 server sshd[30148]: Received disconnect from 178.62.6.225 port 58886:11: Bye Bye [preauth]
Sep 2 14:26:18 server sshd[30148]: Disconnected from 178.62.6.225 port 58886 [preauth]
Sep 2 14:32:16 server sshd[31822]: Invalid user sensu from 178.62.6.225 port 47630
Sep 2 14:32:16 server sshd[31822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:32:18 server sshd[31822]: Failed password for invalid user sensu from 178.62.6.225 port 47630 ssh2
Sep 2 14:32:18 server sshd[31822]: Received disconnect from 178.62.6.225 port 47630:11: Bye Bye [preauth]
Sep 2 14:32:18 server sshd[31822]: Disconnected from 178.62.6.225 port 47630 [preauth]
Sep 2 14:38:28 server sshd[1737]: Invalid user harvey from 178.62.6.225 port 36370
Sep 2 14:38:28 server sshd[1737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:38:31 server sshd[1737]: Failed password for invalid user harvey from 178.62.6.225 port 36370 ssh2
Sep 2 14:38:31 server sshd[1737]: Received disconnect from 178.62.6.225 port 36370:11: Bye Bye [preauth]
Sep 2 14:38:31 server sshd[1737]: Disconnected from 178.62.6.225 port 36370 [preauth]
Sep 2 14:44:43 server sshd[3613]: Invalid user son from 178.62.6.225 port 53348
Sep 2 14:44:43 server sshd[3613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:44:45 server sshd[3613]: Failed password for invalid user son from 178.62.6.225 port 53348 ssh2
Sep 2 14:44:45 server sshd[3613]: Received disconnect from 178.62.6.225 port 53348:11: Bye Bye [preauth]
Sep 2 14:44:45 server sshd[3613]: Disconnected from 178.62.6.225 port 53348 [preauth]
Sep 2 14:50:43 server sshd[5409]: Invalid user user from 178.62.6.225 port 42092
Sep 2 14:50:43 server sshd[5409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:50:45 server sshd[5409]: Failed password for invalid user user from 178.62.6.225 port 42092 ssh2
Sep 2 14:50:45 server sshd[5409]: Received disconnect from 178.62.6.225 port 42092:11: Bye Bye [preauth]
Sep 2 14:50:45 server sshd[5409]: Disconnected from 178.62.6.225 port 42092 [preauth]
Sep 2 14:56:42 server sshd[7160]: Invalid user alex from 178.62.6.225 port 59064
Sep 2 14:56:42 server sshd[7160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.62.6.225
Sep 2 14:56:44 server sshd[7160]: Failed password for invalid user alex from 178.62.6.225 port 59064 ssh2
Sep 2 14:56:44 server sshd[7160]: Received disconnect from 178.62.6.225 port 59064:11: Bye Bye [preauth]
Sep 2 14:56:44 server sshd[7160]: Disconnected from 178.62.6.225 port 59064 [preauth]
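
Added example, not part of the original post and not lfd's own code: a simplified sliding-window counter run over the "Failed password" lines from the log above, assuming a block needs 5 failures (LF_SSHD) from one IP inside the 300-second setting mentioned in the edit. The `CONSTRUCTED` lines, the IP 203.0.113.7 and the function names are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def peak_failures(lines, window=300):
    """Return {ip: highest failure count seen inside any `window` seconds}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed one is assumed for parsing
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]  # keyed by IP only: "port N" is the client's source port
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop failures that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def would_block(lines, threshold=5, window=300):
    """IPs whose failures reach `threshold` inside one window."""
    return sorted(ip for ip, n in peak_failures(lines, window).items() if n >= threshold)

# Lines copied from the log in the post
FROM_POST = [
    "Sep 2 14:07:49 server sshd[24680]: Failed password for invalid user ashok from 178.62.6.225 port 47186 ssh2",
    "Sep 2 14:19:55 server sshd[28425]: Failed password for invalid user sinus from 178.62.6.225 port 41914 ssh2",
    "Sep 2 14:26:18 server sshd[30148]: Failed password for invalid user anurag from 178.62.6.225 port 58886 ssh2",
    "Sep 2 14:32:18 server sshd[31822]: Failed password for invalid user sensu from 178.62.6.225 port 47630 ssh2",
    "Sep 2 14:38:31 server sshd[1737]: Failed password for invalid user harvey from 178.62.6.225 port 36370 ssh2",
]
# Constructed lines: a fast burst, each attempt from a different source port
CONSTRUCTED = [
    f"Sep 2 15:00:0{i} server sshd[{9000 + i}]: Failed password for root from 203.0.113.7 port {40000 + i} ssh2"
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(peak_failures(FROM_POST + CONSTRUCTED))
    print(would_block(FROM_POST + CONSTRUCTED))
```

With the 300-second window the slow attempts never overlap, while the constructed burst trips the threshold even though every attempt uses a different source port.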