Re: [Sshguard-users] Subject: Re: Username Blacklisting

[James H. <jam...@gm...>]

Many of the logs already parsed include usernames so it sounds like
adjusting the lexer/ parser expressions to pick out the name and include
them in the values passed back. Since we already have internet scales for
block and black list a simple integer multiplier should work for vouching
up the threat level.

I would suggest something like
Username:multiplier
Which keeps it paswd like. We could add more values in the future. In
addition to a multiplier I could see someone wanting to just set a value
instead of using multipliers.

Username:multiplier:setvalue

root::100
bob:2:

Setting any root attempt to 100 threat level and doubling the value Bob
would otherwise get.
On May 15, 2015 9:16 AM, "Kevin Zheng" <kev...@gm...> wrote:

> On 05/15/2015 10:58, Laurence Perkins (OE) wrote:
> > It would pretty well have to be added as a configuration at runtime
> > since the list of prohibited usernames would vary per system.
>
> Perhaps a flat text file, with one username per line?
>
> > My original thought was to have a list where even attempting to log in
> > with one of the names resulted in an immediate block.  E.g.: The root
> > account on my machine is disabled.  Anyone who even attempts to use it
> > is necessarily an unauthorized attacker and should be blocked
> > immediately.  There is no reason to wait for them to try more than once
> > (or even to let them finish the first attempt really).  Same thing goes
> > for various other account names that are commonly tested by attackers
> > and that don't even exist on my machine.  User accounts that do exist
> > where someone could legitimately be having trouble remembering their
> > password need to not lock the user out for fat-fingering their password
> > a couple of times though.
>
> Makes sense. Especially at the point which a user account (e.g. root) is
> disabled, any attempted login is certainly an attack.
>
> > If the list were implemented as a "danger multiplier" then it could be
> > calibrated so that root login attempts get blocked instantly, logins to
> > my account get blocked after just a couple of attempts, and logins to
> > some of my more absent-minded users get a little extra grace.  It's
> > probably not worth going to a lot of extra trouble to implement it this
> > way, but if username blacklisting is easiest to do by adjusting the
> > danger for listed accounts then reading a custom multiplier from the
> > account list for each account wouldn't take much more effort.  Just
> > being able to blacklist accounts, however, would eliminate the vast
> > majority of attackers as nearly all of them seem to hit the same list of
> > default usernames.
>
> Actually, most of the work is probably going to be extracting the
> username and passing it to the attack reporter. I'll start working on a
> proof-of-concept soon and keep you updated.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>