From: Vjaceslavs K. <vkl...@gm...> - 2015-01-26 20:41:50
I am happy to test code from SVN or provide more raw logs if needed.

On Mon, Jan 26, 2015 at 11:47 AM, Kevin Zheng <kev...@gm...> wrote:
> Hi Vjaceslavs,
>
> On 01/26/15 03:03, Vjaceslavs Klimovs wrote:
> > Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from
> > 103.41.124.17 <http://103.41.124.17>: 11: [preauth]
> >
> > That's all they leave in the logs (no "invalid user" and
> > "input_userauth_request:" lines), and that does not get detected.
> >
> > Presumably, the second case should be detected too?
>
> The "Received disconnect" and "[preauth]" message should be detected as
> an attack. SSHGuard does not use simple regex matching, but instead a
> parser, so I'll have to check how I implemented this one.
>
> I suspect that it's the "11:" throwing it off, but I'll have to check. I
> will get back to you on this soon.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
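The detection gap discussed in this thread, as an added example that is not part of the original messages and is not SSHGuard's code: it matches "Received disconnect ... [preauth]" lines whether or not any text follows the numeric reason code, which is the "11: [preauth]" case from the quoted log. It uses Python regular expressions rather than SSHGuard's parser; the function names and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Syslog prefix as in the quoted log: "Jan 26 00:58:28 pulley sshd[7061]: ..."
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (?P<msg>.*)$")
# The text after the numeric reason code is optional, so "11: [preauth]"
# (empty description) and "11: Bye Bye [preauth]" both match.
DISCONNECT = re.compile(
    r"^Received disconnect from (?P<addr>\S+?): (?P<code>\d+):(?P<text>.*)$")

def preauth_disconnect(line):
    """Return (address, reason_code) for a pre-auth disconnect, else None."""
    prefix = PREFIX.match(line.strip())
    if not prefix:
        return None
    m = DISCONNECT.match(prefix.group("msg"))
    # Without the [preauth] tag the disconnect is not marked as pre-authentication.
    if not m or not m.group("text").rstrip().endswith("[preauth]"):
        return None
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None  # not an address literal, so there is nothing to block
    return str(addr), int(m.group("code"))

def offenders(lines, threshold=3):
    """Addresses with at least `threshold` pre-auth disconnects (assumed policy)."""
    hits = Counter()
    for line in lines:
        found = preauth_disconnect(line)
        if found:
            hits[found[0]] += 1
    return sorted(a for a, n in hits.items() if n >= threshold)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]",
    "Jan 26 00:58:30 pulley sshd[7062]: Received disconnect from 192.0.2.7: 11: [preauth]",
    "Jan 26 00:58:31 pulley sshd[7063]: Received disconnect from 192.0.2.7: 11: Bye Bye [preauth]",
    "Jan 26 00:58:33 pulley sshd[7064]: Received disconnect from 192.0.2.7: 11: [preauth]",
    "Jan 26 00:59:02 pulley sshd[7070]: Received disconnect from 2001:db8::1: 11: [preauth]",
    "Jan 26 01:02:10 pulley sshd[7100]: Received disconnect from 198.51.100.4: 11: disconnected by user",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(preauth_disconnect(entry))
    print(offenders(SAMPLE))
```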