From: Kevin Z. <kev...@gm...> - 2015-01-26 19:48:41
Hi Vjaceslavs,

On 01/26/15 03:03, Vjaceslavs Klimovs wrote:
> Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from
> 103.41.124.17 <http://103.41.124.17>: 11: [preauth]
>
> That's all they leave in the logs (no "invalid user" and
> "input_userauth_request:" lines), and that does not get detected.
>
> Presumably, the second case should be detected too?

The "Received disconnect" and "[preauth]" message should be detected as
an attack. SSHGuard does not use simple regex matching, but instead a
parser, so I'll have to check how I implemented this one. I suspect that
it's the "11:" throwing it off, but I'll have to check.

I will get back to you on this soon.

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
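
The kind of check discussed in this message, as an added example that is not SSHGuard's code or part of the original post: a small token-based parser for sshd "Received disconnect ... [preauth]" lines that accepts the reason code ("11:") with or without message text after it. The function names and every sample line except the first are constructed; the "port" layout is the one newer OpenSSH releases log.

```python
import ipaddress
import re
from collections import Counter

# Syslog framing: "Jan 26 00:58:28 pulley sshd[7061]: <message>"
SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s(.*)$")

def preauth_disconnect_peer(line):
    """Return the peer address of a pre-auth 'Received disconnect' line, else None."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    tok = m.group(1).split()
    if tok[:3] != ["Received", "disconnect", "from"] or tok[-1] != "[preauth]":
        return None  # different message, or a normal post-auth logout
    rest = tok[3:-1]  # address, reason code, optional free text
    if len(rest) < 2:
        return None
    addr = rest[0]
    if addr.endswith(":"):
        # "<addr>: <code>: [text]", the layout in the quoted log line
        addr = addr[:-1]
        ok = re.fullmatch(r"\d+:", rest[1])
    else:
        # "<addr> port <port>:<code>: [text]", newer OpenSSH layout
        ok = len(rest) >= 3 and rest[1] == "port" and re.fullmatch(r"\d+:\d+:", rest[2])
    if not ok:
        return None
    try:
        return str(ipaddress.ip_address(addr))  # reject anything that is not an IP
    except ValueError:
        return None

def count_preauth_disconnects(lines):
    """Count pre-auth disconnects per peer address."""
    return Counter(p for p in map(preauth_disconnect_peer, lines) if p)

SAMPLE = [
    # Line quoted in the message, without the mail client's auto-link
    "Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]",
    # Constructed lines below
    "Jan 26 00:58:30 pulley sshd[7062]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]",
    "Jan 26 00:59:01 pulley sshd[7070]: Received disconnect from 198.51.100.4: 11: disconnected by user",
    "Jan 26 01:00:12 pulley sshd[7081]: Received disconnect from 203.0.113.9 port 51514:11: Bye Bye [preauth]",
]

if __name__ == "__main__":
    print(count_preauth_disconnects(SAMPLE))
```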