LFD count sometimes inflated

reboot+hopeitcomesup
Junior Member
Posts: 6
Joined: 02 Oct 2017, 14:00

Post by reboot+hopeitcomesup »

I typoed my name and didn't notice, and just TWO logins triggered where the count is specified to be 5 failures.
I.e. these 5 lines were each counted, when in reality the first 3 actually belong to the same attempt.
I shall need to be more generous with the numbers for this specific case:

Blocked:  Permanent Block [LF_SSHD] (IP match in csf.allow, block may not work)
Log entries:
Apr 15 10:35:31 city sshd[6201]: Invalid user scotty from X.X.176.191
Apr 15 10:35:36 city sshd[6441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191 
Apr 15 10:35:37 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2
Apr 15 10:35:46 city sshd[6460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191 
Apr 15 10:35:48 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LFD count sometimes inflated

Post by ForumAdmin »

That is a side-effect of trapping multiple lines from different OSes and logs that are checked for SSH. If you find that happening, you will have to increase the limit appropriately.
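The following is an added example, not part of either post and not LFD's own code. It runs the log lines quoted in the thread through a simplified per-line matcher and compares that count with the number of completed authentication attempts; the regexes, the function names and the "count >= limit" trigger are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the five log lines quoted in the first post (IP masked as posted).
SAMPLE = """\
Apr 15 10:35:31 city sshd[6201]: Invalid user scotty from X.X.176.191
Apr 15 10:35:36 city sshd[6441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191
Apr 15 10:35:37 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2
Apr 15 10:35:46 city sshd[6460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191
Apr 15 10:35:48 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2
"""

# Simplified patterns for this example only (assumption: not LFD's real regex set).
PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)"),
    "pam_failure": re.compile(
        r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.* rhost=(?P<ip>\S+)"),
    "failed_auth": re.compile(
        r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
}

def classify(line):
    """Return (kind, ip) for a line matching any failure pattern, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.group("ip")
    return None

def count_failures(log_text):
    """Count failures per IP two ways: every matching line, and 'Failed ...' lines only."""
    per_line, per_attempt = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, ip = hit
        per_line[ip] += 1              # each trapped line counts once
        if kind == "failed_auth":      # sshd logs one 'Failed ...' line per rejected attempt
            per_attempt[ip] += 1
    return per_line, per_attempt

def would_block(count, limit=5):
    """Assumed trigger rule for this example: block once count reaches the limit."""
    return count >= limit

if __name__ == "__main__":
    lines, attempts = count_failures(SAMPLE)
    for ip in lines:
        print(ip, "lines:", lines[ip], "attempts:", attempts[ip],
              "block on lines:", would_block(lines[ip]),
              "block on attempts:", would_block(attempts[ip]))
```

Running the same comparison over a larger slice of your own auth log shows how many trapped lines a single failed login produces on that system, which is the ratio to account for when raising the limit.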