From: Vjaceslavs K. <vkl...@gm...> - 2015-02-02 23:02:21
Hi Kevin,

Just a quick ping on this one, did you have a chance to look at this?

On Mon, Jan 26, 2015 at 12:41 PM, Vjaceslavs Klimovs <vkl...@gm...> wrote:

> I am happy to test code from SVN or provide more raw logs if needed.
>
> On Mon, Jan 26, 2015 at 11:47 AM, Kevin Zheng <kev...@gm...> wrote:
>
>> Hi Vjaceslavs,
>>
>> On 01/26/15 03:03, Vjaceslavs Klimovs wrote:
>> > Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from 103.41.124.17: 11: [preauth]
>> >
>> > That's all they leave in the logs (no "invalid user" and
>> > "input_userauth_request:" lines), and that does not get detected.
>> >
>> > Presumably, the second case should be detected too?
>>
>> The "Received disconnect" and "[preauth]" message should be detected as
>> an attack. SSHGuard does not use simple regex matching, but instead a
>> parser, so I'll have to check how I implemented this one.
>>
>> I suspect that it's the "11:" throwing it off, but I'll have to check. I
>> will get back to you on this soon.
>>
>> Thanks,
>> Kevin Zheng
>>
>> --
>> Kevin Zheng
>> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
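
The log line discussed in this thread, as an added example that is not part of the original messages and is not SSHGuard's code (SSHGuard uses its own parser, not this regex): a standalone check that recognizes "Received disconnect ... [preauth]" lines whether or not a description follows the "11:" reason code. The names parse_line and offenders, the threshold, and every sample line except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Hypothetical pattern for sshd "Received disconnect ... [preauth]" lines.
PREAUTH_DISCONNECT = re.compile(
    r"sshd\[\d+\]: Received disconnect from "
    r"(?P<addr>[0-9A-Fa-f:.]+)"        # IPv4 or IPv6 source address
    r"(?: port \d+)?"                  # some sshd releases also log the port
    r":\s*(?P<code>\d+):"              # SSH disconnect reason code, e.g. 11
    r"\s*(?P<desc>.*?)"                # description text, may be empty
    r"\s*\[preauth\]\s*$"              # only pre-authentication disconnects
)

def parse_line(line):
    """Return addr/code/desc for a preauth disconnect line, else None."""
    m = PREAUTH_DISCONNECT.search(line)
    if m is None:
        return None
    return {"addr": m["addr"], "code": int(m["code"]), "desc": m["desc"]}

def offenders(lines, threshold):
    """Addresses with at least `threshold` preauth disconnects, sorted."""
    hits = Counter(p["addr"] for p in map(parse_line, lines) if p)
    return sorted(a for a, n in hits.items() if n >= threshold)

SAMPLE = [
    # Line quoted in the thread: reason code 11 with an empty description.
    "Jan 26 00:58:28 pulley sshd[7061]: Received disconnect from "
    "103.41.124.17: 11: [preauth]",
    # Constructed: same source, description text present.
    "Jan 26 00:58:30 host sshd[7063]: Received disconnect from "
    "103.41.124.17: 11: Bye Bye [preauth]",
    # Constructed: variant that includes the source port.
    "Jan 26 00:58:31 host sshd[7064]: Received disconnect from "
    "192.0.2.7 port 51234:11: Bye Bye [preauth]",
    # Constructed: disconnect after authentication, must not be counted.
    "Jan 26 00:59:02 host sshd[7070]: Received disconnect from "
    "192.0.2.9: 11: disconnected by user",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(offenders(SAMPLE, threshold=2))
```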