From: Emmanuel <el...@ms...> - 2016-01-21 22:49:04
OK, I get it... Is there a 'minimal' message type that is recognized? I mean 'Failed password for root from IP...' seems pretty basic. I'll try to strip everything else, but I'm using CoreOS as you noticed, and things change a lot and quickly with those guys, so I don't feel very confident this is a very robust solution: if I upgrade CoreOS to a new version I may end up with a non-parsable log and no protection... not good. Thanks for help

> To: ssh...@li...
> From: kev...@gm...
> Date: Thu, 21 Jan 2016 14:24:33 -0800
> Subject: Re: [Sshguard-users] confused about what to expect
>
> On 01/21/2016 14:15, Emmanuel wrote:
> > I am running 1.6.0
>
> 1.6.3 recognizes most of your log messages as attacks. I haven't tested
> 1.6.0; you should consider upgrading to 1.6.3.
>
> > I am trying to understand what sshguard does under the hood.
>
> Briefly, a lexer splits up each line into tokens (like
> TIMESTAMP_SYSLOG). A parser looks at each token and processes it if the
> tokens match a known attack pattern.
>
> You can try using sed to get rid of everything but the log message, i.e.
> the "Failed password for root from 183.3.202.107 port 15012 ssh2". If it
> still doesn't recognize the attack, it's probably because 1.6.0 doesn't
> have that particular attack yet.
>
> > what do you mean by not recognizing the syslog prefix?
> > I can sed or transform the stream if I have to, to make it work, I just
> > want to understand what format is expected and what may break it.
> > I'm not big into C, so I'd rather not dig into the code.
> > Is there some doc somewhere about this?
>
> The lexer/parser is ugly even if you know C. Something is being done
> about this, but I'm not sure how long it'll take.
>
> Best,
> Kevin
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd...
> PGP: 0xC22E1090
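Kevin's suggestion of using sed to strip everything but the sshd message before it reaches sshguard's parser, as an added example that is not from this thread or from the sshguard project. The prefix regex, the host name and the sample log lines are constructed assumptions about a journalctl/syslog-style stream.

```shell
# Added example (not from the thread): strip a syslog-style prefix so only the
# sshd message (e.g. "Failed password for root from ... port ... ssh2") is left
# for sshguard's lexer/parser. Prefix format and sample lines are assumptions.
strip_syslog_prefix() {
    # Remove "Mon DD HH:MM:SS host sshd[pid]: " (journalctl short / syslog
    # style). Lines that do not match the prefix pass through unchanged.
    sed -E 's/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: //'
}

# Constructed sample of what a CoreOS journalctl stream for sshd might look like.
SAMPLE_LOG='Jan 21 14:15:01 core-01 sshd[1234]: Failed password for root from 183.3.202.107 port 15012 ssh2
Jan 21 14:15:02 core-01 sshd[1234]: Connection closed by 183.3.202.107 [preauth]'

# Real usage (not run here): journalctl -f -u sshd | strip_syslog_prefix | sshguard
printf '%s\n' "$SAMPLE_LOG" | strip_syslog_prefix
```

If a CoreOS upgrade changes the journal output format, the regex simply stops matching and the unmodified line is passed on, so watch sshguard's debug output for unrecognized lines after upgrades.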