From: Colin <in...@sl...> - 2008-06-28 13:54:20
Hello,

I am successfully using sshguard 1.0 on FreeBSD (6.x and 7.0) with ipfw to block ssh attacks. On my setup sshguard parses the /var/log/auth.log messages, which also logs failed FTP and POP attempts. Thus I would like to use sshguard to block those attacks too (instead of using a new filter program).

However, I am not sure how to tackle this. Could someone point me to the necessary modifications or files to change? I suppose src/attack_scanner.l is a good start, but is it the only one? A simple working rule would be enough for my liking :o).

Thanks,
Cheers,
Colin

Typical POP attack:

Jun 26 11:51:17 sleepyowl ipop3d[75832]: Login failed user=dave auth=dave host=210.0.95.29.static.nexnet.net.au [210.0.95.29]
Jun 26 11:51:17 sleepyowl ipop3d[75834]: Login failed user=data auth=data host=210.0.95.29.static.nexnet.net.au [210.0.95.29]
Jun 26 11:51:19 sleepyowl ipop3d[75836]: Login failed user=daustin auth=daustin host=210.0.95.29.static.nexnet.net.au [210.0.95.29]

Typical FTP attack:

Jun 26 14:04:15 sleepyowl ftpd[79060]: FTP LOGIN FAILED FROM 211.151.240.50, anne
Jun 26 14:04:34 sleepyowl ftpd[79067]: FTP LOGIN FAILED FROM 211.151.240.50, anne
Jun 26 14:04:53 sleepyowl ftpd[79069]: FTP LOGIN FAILED FROM 211.151.240.50, anne
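
Added example, not part of the post above and not sshguard's own code: a small C matcher for the two log formats quoted in the message, using POSIX extended regular expressions to pull out the source address that a blocker would act on. The function name `match_attack`, the `SVC_*` codes and the rule table are hypothetical, and the input line is assumed to arrive without a trailing newline.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical service codes for this example (not sshguard's own). */
enum { SVC_NONE = 0, SVC_POP3 = 1, SVC_FTP = 2 };

#define SYSLOG "^[A-Za-z]{3} +[0-9]{1,2} [0-9:]{8} [^ ]+ "
#define IPV4   "([0-9]{1,3}(\\.[0-9]{1,3}){3})"

/* One ERE per log format quoted in the post; group 1 is the address.
 * Each rule is anchored on the syslog prefix so that text inside the
 * user-supplied fields (user=, auth=, FTP name) cannot supply the address. */
static const struct { int svc; const char *re; } rules[] = {
    { SVC_POP3, SYSLOG "ipop3d\\[[0-9]+\\]: Login failed user=[^ ]* auth=[^ ]* host=[^ ]* \\[" IPV4 "\\]$" },
    { SVC_FTP,  SYSLOG "ftpd\\[[0-9]+\\]: FTP LOGIN FAILED FROM " IPV4 ", " },
};

/* Returns the service code and copies the source address into ip,
 * or returns SVC_NONE if the line matches neither format.
 * Patterns are compiled per call for brevity; a daemon would compile once. */
int match_attack(const char *line, char *ip, size_t iplen)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        regex_t re;
        regmatch_t m[2];
        if (regcomp(&re, rules[i].re, REG_EXTENDED) != 0)
            continue;
        int rc = regexec(&re, line, 2, m, 0);
        regfree(&re);
        if (rc != 0)
            continue;
        size_t n = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (n >= iplen)
            continue;
        memcpy(ip, line + m[1].rm_so, n);
        ip[n] = '\0';
        return rules[i].svc;
    }
    return SVC_NONE;
}

int main(void)
{
    /* Sample line copied from the FTP excerpt in the post. */
    const char *sample = "Jun 26 14:04:15 sleepyowl ftpd[79060]: FTP LOGIN FAILED FROM 211.151.240.50, anne";
    char ip[16] = "";
    int svc = match_attack(sample, ip, sizeof ip);
    printf("service=%d address=%s\n", svc, svc ? ip : "-");
    return 0;
}
```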