psad keeps removing/adding bad IP even though bad IP set in auto_dl #67
Description
Hi,
I've set a bad IP to auto_dl with DL 5. This IP keeps hammering my server. So, I thought it'd be a good idea to put it in this file. Unfortunately, I've got this:
# systemctl status psad
mai 28 15:58:58 psad[30129]: src: 110.249.212.46 signature match: "BACKDOOR DoomJuice f
mai 28 15:58:58 psad[30129]: scan detected (Nmap -sT or -sS scan): 110.249.212.46 -> 19
mai 28 16:00:30 psad[30129]: src: 85.209.0.69 signature match: "MISC MS Terminal Server
mai 28 16:00:30 psad[30129]: scan detected (Nmap -sT or -sS scan): 85.209.0.69 -> 193.3
mai 28 16:01:42 psad[30129]: removed iptables auto-block against 92.118.37.81
mai 28 16:01:57 psad[30129]: scan detected (Nmap -sT or -sS scan): 92.118.37.81 -> 193.
mai 28 16:01:57 psad[30129]: added iptables auto-block against 92.118.37.81 (unlimited
mai 28 16:02:23 psad[30129]: removed iptables auto-block against 92.118.37.81
mai 28 16:02:28 psad[30129]: scan detected (Nmap -sT or -sS scan): 92.118.37.81 -> 193.
mai 28 16:02:28 psad[30129]: added iptables auto-block against 92.118.37.81
When I input psad -S, I've got:
# psad -S
[+] Top 25 attackers:
92.118.37.81 DL: 5, Packets: 10, Sig count: 0
…
iptables auto-blocked IPs:
92.118.37.81 (unlimited timeout)
[expired timeout, sending cleanup message]
It used to work properly, then suddenly for no reason psad keeps removing and adding the IP. The IP is normally of DL 2, but I set it to DL 5 in auto_dl file.
My psad.conf settings are:
ENABLE_AUTO_IDSset toYAUTO_IDS_DANGER_LEVELset to4ENABLE_AUTO_IDS_EMAILSset toYEMAIL_ALERT_DANGER_LEVELset to4IPT_SYSLOG_FILEset to/var/log/syslogAUTO_BLOCK_TIMEOUTset to3600