This is one hint out of bad experience. If you or clients cannot connect using ftp to some port and get “Connection refused” error and there is no blacklist/whitelist on firewall involved or already covered try if sshguard is not blocking them.  It is based on this post.

It could happen that number of attempts was so high that IP is actually blocked. Try command

sudo iptables -L

if you see in output DROP action with your/customers IP then you found the reason:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  xxx.xxx.xxx.xxx        anywhere
...here can be more lines of blocked IPs...

You can whitelist IP in question in /etc/sshguard/whitelist file

Notes about file /etc/sshguard/whitelist out of experience

  • If you whitelist list of IPs everyone must be on separate line and no characters are allowed after each IP. No notes (forget something like this “xx.xx.xx.xx # comment”) not even space at the end of IP.
  • In /var/log/auth,log you can check if sshguard was able to read whilelist properly.
    • if you see something like this you have to fix it (problem is space after IP)
      sshguard[13191]: whitelist: could not parse line "xx.xx.xx.xx " as plain IP nor IP block nor host name.
    • if sshguard starts OK you will see something like this:
      sshguard[13191]: Got exit signal, flushing blocked addresses and exiting...
      sshguard[13258]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.

It is also a good idea to check if sshd is actually listening on given port:

sudo netstat -anp|grep ssh
  • If you want to release all blocked IPs simply restart sshguard: sudo service sshguard restart

 

Other useful links: