Locked out of SSH after single error for 30 mins.

Discussion in 'General' started by Richard Foley, Apr 27, 2020.

  1. Richard Foley

    Richard Foley Member

    I'm trying to log into my website/s via ssh. If I make a single (1) error then I am locked out for approx. 30 mins. This makes it very hard to fix/debug. The expected behaviour is to make several errors, typically three (3) but whatever is configured, and then ban the IP for a period of time, typically 30 mins.

    What makes this more complicated to track down is I'm not sure which tool is placing this ban on my IP. It could be fail2ban. I'm using a vanilla installation and don't see anything in the logs regarding my IP. Or it could be something else, but I see nothing to indicate what is going on under /var/log/*
    It's very odd. The only message I get at the client end is:
    ssh: connect to host myhost port 22: Connection timed out
    If I can manage to get back on again today I'll be digging through the logs some more. In the meantime, I'm very stuck!

    I know what this is now, see reply below. Leaving it here in case it helps some other poor soul.
    Last edited: Apr 27, 2020
  2. Richard Foley

    Richard Foley Member

    Ok, think I found it in the auth.log. It's not fail2ban at all, it's sshguard!
    ==> auth.log <==
    Apr 27 09:16:56 myhost sshd[20155]: Connection closed by port 42746 [preauth]
    Apr 27 09:16:56 myhost sshguard[501]: Attack from "" on service 100 with danger 2.
    Apr 27 09:16:57 myhost sshguard[501]: Attack from "" on service 110 with danger 10.
    Apr 27 09:16:57 myhost sshguard[501]: Blocking "" for 3840 secs (4 attacks in 1 secs, after 6 abuses over 92908 secs.)
    Progress... :rolleyes:
    ahrasis likes this.
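
The sshguard lines quoted in the post above can be pulled out of auth.log to see which address was blocked, for how long, and how much danger was logged against it. This is an added example, not part of the original thread: the sample log lines and addresses (RFC 5737 documentation ranges) are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Line shapes taken from the auth.log excerpt quoted in the post above.
# [^"]* also accepts the empty address "" that appears in that excerpt.
ATTACK_RE = re.compile(
    r'sshguard\[\d+\]: Attack from "(?P<addr>[^"]*)" '
    r'on service (?P<service>\d+) with danger (?P<danger>\d+)\.')
BLOCK_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshguard\[\d+\]: '
    r'Blocking "(?P<addr>[^"]*)" for (?P<secs>\d+) secs '
    r'\((?P<attacks>\d+) attacks in (?P<window>\d+) secs, '
    r'after (?P<abuses>\d+) abuses over (?P<span>\d+) secs\.\)')

# Constructed sample input; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Apr 27 09:16:56 myhost sshd[20155]: Connection closed by 192.0.2.10 port 42746 [preauth]
Apr 27 09:16:56 myhost sshguard[501]: Attack from "192.0.2.10" on service 100 with danger 2.
Apr 27 09:16:57 myhost sshguard[501]: Attack from "192.0.2.10" on service 110 with danger 10.
Apr 27 09:16:57 myhost sshguard[501]: Blocking "192.0.2.10" for 3840 secs (4 attacks in 1 secs, after 6 abuses over 92908 secs.)
Apr 27 09:20:01 myhost sshguard[501]: Attack from "198.51.100.7" on service 100 with danger 10.
""".splitlines()


def summarize(lines):
    """Return {address: {"danger": total logged danger, "blocks": [...]}}."""
    out = defaultdict(lambda: {"danger": 0, "blocks": []})
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            out[m["addr"]]["blocks"].append({
                "when": m["ts"],
                "minutes": round(int(m["secs"]) / 60, 1),
                "attacks": int(m["attacks"]),
                "abuses": int(m["abuses"]),
            })
            continue
        m = ATTACK_RE.search(line)
        if m:
            out[m["addr"]]["danger"] += int(m["danger"])
    return dict(out)


if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_LOG).items():
        print(addr or "<empty address>", "danger logged:", info["danger"])
        for b in info["blocks"]:
            print(f'  blocked {b["when"]} for {b["minutes"]} min '
                  f'({b["attacks"]} attacks, {b["abuses"]} abuses)')
```

The 3840 secs in the quoted block line works out to 64 minutes.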
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    sshguard is not part of an ISPConfig standard setup :)
    Richard Foley likes this.
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    ahrasis and Richard Foley like this.
  5. Richard Foley

    Richard Foley Member

    Yep, Till, I get that. I assume I installed it at some time in a fit of security-minded fervour. Then forgot about it and assumed it was related to ISPConfig. Apologies for disturbing you good folks here with my bad. I meant well. :confused:

    PS. Thanks again for all the good work you do here supporting the ISPConfig userbase (us).

  6. Steini86

    Steini86 Active Member

  7. Richard Foley

    Richard Foley Member

    till likes this.
