LFD count sometimes inflated

Posted: 18 Apr 2018, 19:25
by reboot+hopeitcomesup
I typoed my name and didn't notice and just TWO logins triggered where the count is specified to be 5 failures.
i.e. these 5 lines were each counted, when in reality the first 3 actually belong to the same attempt.
I shall need to be more generous with the numbers for this specific case:

Blocked:  Permanent Block [LF_SSHD] (IP match in csf.allow, block may not work)
Log entries:
Apr 15 10:35:31 city sshd[6201]: Invalid user scotty from X.X.176.191
Apr 15 10:35:36 city sshd[6441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191 
Apr 15 10:35:37 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2
Apr 15 10:35:46 city sshd[6460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191 
Apr 15 10:35:48 city sshd[6201]: Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2

Re: LFD count sometimes inflated

Posted: 01 May 2018, 10:48
by ForumAdmin
That is a side-effect of trapping multiple lines from different OS's and logs that are checked for SSH. If you find that happening you will have to increase the limit appropriately.
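
The effect discussed in this thread, as an added example that is not part of the original posts and is not LFD's own code: it runs the five log lines from the first post through a per-line counter and through a counter that only counts the "Failed ..." record sshd writes once per rejected attempt. The regexes and function names are assumptions made for illustration, not LFD's actual patterns.

```python
import re
from collections import Counter

# The five log lines quoted in the first post (IP redacted by the poster).
PAM = "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.176.191 "
FAILED = "Failed keyboard-interactive/pam for invalid user scotty from X.X.176.191 port 50471 ssh2"
SAMPLE = [
    "Apr 15 10:35:31 city sshd[6201]: Invalid user scotty from X.X.176.191",
    "Apr 15 10:35:36 city sshd[6441]: " + PAM,
    "Apr 15 10:35:37 city sshd[6201]: " + FAILED,
    "Apr 15 10:35:46 city sshd[6460]: " + PAM,
    "Apr 15 10:35:48 city sshd[6201]: " + FAILED,
]

# Illustrative patterns (assumptions, not LFD's regexes), one per message type.
PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)"),
    "pam_failure": re.compile(r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S+)"),
    "failed_auth": re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+"),
}

def classify(line):
    """Return (message_type, source_ip) for a matching line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.group(1)
    return None

def count_per_line(lines):
    """Every matching line counts as one failure, as described in the thread."""
    hits = (classify(l) for l in lines)
    return Counter(ip for _, ip in filter(None, hits))

def count_per_attempt(lines, terminal="failed_auth"):
    """Count only the message type that appears once per rejected attempt."""
    hits = filter(None, (classify(l) for l in lines))
    return Counter(ip for kind, ip in hits if kind == terminal)

def inflation(lines):
    """Per-IP ratio of counted lines to attempts, for scaling the failure limit."""
    per_line, per_attempt = count_per_line(lines), count_per_attempt(lines)
    return {ip: per_line[ip] / n for ip, n in per_attempt.items()}

if __name__ == "__main__":
    print(count_per_line(SAMPLE), count_per_attempt(SAMPLE), inflation(SAMPLE))
```

Running the same comparison over a host's own auth log gives the lines-per-attempt ratio for that OS and PAM setup, which is the factor by which the limit needs to be raised.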