Hi All
I Have set up the following rules in Definitions & Users - Authentication Servers - Advanced.
Block password guessing - All ticked. After 2 attempts block access for 9000 seconds, ticked drop packets from blocked hosts.
I have been getting emails reporting various addresses attempting to logon as root or as something else as expected, but these should stop and the auto block should come in and I should not get any more after the email saying that this host has been blocked.
This is not the case and this is the BUG I'm reporting in this Ticket.
I have been getting 5x "Failed SSH login attempt from 94.242.252.47 at 2013-05-03 01:44:35 with username root" emails from the same IP Address before getting the "Too many failed logins from 60.220.225.214 for facility sshd. Further logins will be blocked for 900 seconds."
Note "IGNORE" the above 900 seconds and the 9000 seconds, as the 9000 value was changed after the email.
Mark
Guest User!
You are not Sophos Staff.
