From: Mij <mi...@ss...> - 2010-12-08 20:40:45
Joe,

The "Registration from ... failed" signatures you detail in your submission are implemented.

For the others you brief only in your email, please perform another submission on the website with a full line for each. I'm talking about:

1) .*No registration for peer '.*' (from <HOST>)
2) .*Host <HOST> failed MD5 authentication for '.*' (.*)
3) .*Failed to authenticate user .*@<HOST>.*

We need this for being sure to produce an appropriately tight signature for each.

On Nov 29, 2010, at 13:57 , Joe Greco wrote:

> Related to http://www.sshguard.net/support/submission/detail/49ce7182028d8b6f3e3d/
>
> Asterisk is a telephony PBX application; it handles VoIP and POTS phone
> traffic. Because a PBX is essentially a switch for voice traffic, it's
> theoretically susceptible to attack, and in fact since many people use
> numeric extensions and trivial passwords, many times it turns out to be
> actually susceptible to brute force attacks.
>
> VoIP typically uses UDP transport, so an attacker trying to guess at
> your passwords will bombard your server with hundreds or thousands of
> packets per second of UDP traffic, essentially DoS'ing your server.
> sshguard sitting live on a logfile from syslogd looks like the ideal
> application to handle this. Many other people are running things like
> fail2ban but it strikes me as suboptimal and requires python anyways,
> so a fast compiled daemon is a better choice.
>
> The patterns needed are
>
> .*Registration from '.*' failed for '<HOST>' - Wrong password
> .*Registration from '.*' failed for '<HOST>' - No matching peer found
> .*Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
> .*No registration for peer '.*' (from <HOST>)
> .*Host <HOST> failed MD5 authentication for '.*' (.*)
> .*Failed to authenticate user .*@<HOST>.*
>
> But so far I'm having a little trouble getting even just the first one
> to work. Maybe I'm just getting the rule structure wrong, but there's
> another difficulty: Asterisk may bless its logfiles with color escape
> codes. I'm not sure the best way to cope with that. I was trying just
> ".*" to cover for it. Shouldn't that work?
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
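
An added example, not part of the original thread and not sshguard's own parser: one way to test tightened forms of the six patterns above offline, stripping the color escape codes before matching instead of absorbing them with ".*". The function names, the IPv4-only stand-in for <HOST>, and the sample log lines are all assumptions constructed for this illustration.

```python
import re
from collections import Counter

# ANSI CSI sequences (colour codes) that Asterisk may write into its log.
ANSI_CSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

# <HOST> narrowed to a dotted-quad IPv4 address (assumption made for this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Tightened forms of the six patterns in the thread: quoted fields use [^']*
# instead of .*, so the address is always read from its fixed position.
SIGNATURES = [re.compile(p) for p in (
    r"Registration from '[^']*' failed for '" + HOST + r"' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)$",
    r"No registration for peer '[^']*' \(from " + HOST + r"\)$",
    r"Host " + HOST + r" failed MD5 authentication for '[^']*' \([^)]*\)$",
    r"Failed to authenticate user [^@]*@" + HOST + r"\b",
)]

# Constructed sample lines (not from a real server); the first carries colour codes.
SAMPLE_LOG = [
    "[Nov 29 13:50:01] \x1b[1;33mNOTICE\x1b[0m[1234] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.1>' failed for '203.0.113.5' - Wrong password\x1b[0m",
    "[Nov 29 13:50:02] NOTICE[1234] chan_sip.c: No registration for peer '101' "
    "(from 203.0.113.5)",
    "[Nov 29 13:50:03] NOTICE[1234] chan_iax2.c: Host 198.51.100.7 failed MD5 "
    "authentication for 'trunk' (constructed != constructed)",
    "[Nov 29 13:50:04] NOTICE[1234] chan_sip.c: Failed to authenticate user "
    "\"102\" <sip:102@198.51.100.7>;tag=constructed",
    "[Nov 29 13:50:05] VERBOSE[1234] chan_sip.c: Registered SIP '100' at 192.0.2.1:5060",
]

def offending_host(line):
    """Return the source address if the line matches a signature, else None."""
    clean = ANSI_CSI.sub("", line).rstrip()  # drop colour codes before matching
    for sig in SIGNATURES:
        m = sig.search(clean)
        if m:
            return m.group("host")
    return None

def count_failures(lines):
    """Tally matching lines per source address, as a blocker's threshold would."""
    return Counter(h for h in map(offending_host, lines) if h)

if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(host, n)
```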