lfd being overly trigger-happy


Post by wonderwall »

Hello,

I'm having an issue with lfd which seems minor at the moment but which I know will blow up in my face eventually. Essentially, when I enter the wrong ssh password once or twice, lfd will block me out, even though it is supposedly configured to only block the IP after 15 failed attempts. While at home, I can simply switch to a different IP and unblock myself again, but if this happens on the road, it will cause me major headaches.

This is from /var/log/secure:

May 24 05:53:19 server sshd[32114]: Failed password for root from 1.2.3.4 port 49673 ssh2
May 24 05:53:19 server sshd[32114]: Failed password for root from 1.2.3.4 port 49673 ssh2

And this is the corresponding lfd IP block:

1.2.3.4 # lfd: 1.2.3.4 (someserver.com), 15 distributed sshd attacks on account [root] in the last 3600 secs - Sun May 24 05:53:24 2015

At first, I thought it was a bug in WinSCP, which I am using to connect, but if WinSCP really caused so many connections, I'm assuming they would show up in the logs, and if they don't show up in the logs, lfd wouldn't know about them either and wouldn't block my IP, correct?

So at this point I am assuming it's a bug in lfd itself, but if it is, I'm sure I'm not the only one who has experienced this. Has anyone else seen this? Any other thoughts, ideas, pointers?

I'm using csf v7.69 as a DirectAdmin plugin. Many thanks in advance!
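
An added example, not part of the original post and not csf's own code: the block message quoted above counts 15 failures "on account [root]" rather than from one IP, which is how lfd's distributed-attack tracking (LF_DISTATTACK in csf.conf) reports failures summed across source addresses. The sketch tallies the quoted sshd log format both ways; the log lines, the 192.0.2.x addresses and the minimum of 2 unique IPs are constructed assumptions, and the lines are assumed to fall inside the 3600-second window already.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line format quoted in the post from /var/log/secure.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def tally(lines):
    """Return (failures per source IP, {account: Counter of source IPs})."""
    per_ip = Counter()
    per_account = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            account, ip = m.groups()
            per_ip[ip] += 1
            per_account[account][ip] += 1
    return per_ip, per_account

def distributed_hits(per_account, trigger, min_unique_ips):
    """Accounts whose failures, summed over all source IPs, reach the trigger."""
    hits = {}
    for account, ips in per_account.items():
        total = sum(ips.values())
        if total >= trigger and len(ips) >= min_unique_ips:
            hits[account] = (total, sorted(ips))
    return hits

def build_sample():
    """Constructed log: 13 root failures from other hosts, then 2 from 1.2.3.4."""
    fmt = ("May 24 05:{:02d}:10 server sshd[{}]: "
           "Failed password for root from {} port 40000 ssh2")
    others = ["192.0.2.%d" % n for n in range(1, 14)]  # documentation range
    lines = [fmt.format(i, 31000 + i, ip) for i, ip in enumerate(others)]
    lines += [fmt.format(53, 32114, "1.2.3.4")] * 2
    return lines

if __name__ == "__main__":
    per_ip, per_account = tally(build_sample())
    print("failures from 1.2.3.4 alone:", per_ip["1.2.3.4"])
    # trigger 15 is the figure from the post; 2 unique IPs is an assumed setting
    for account, (total, ips) in distributed_hits(per_account, 15, 2).items():
        print(f"{account}: {total} failures from {len(ips)} source IPs")
```

Running the same tally over the real /var/log/secure for the hour before a block shows whether other addresses were failing against the same account.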
