From: James H. <jam...@gm...> - 2016-01-21 22:59:56

Or worse, you might be able to parse the logs but the method to update the firewall changes and you are still left unprotected and possibly lose all your previous protection after a reboot. I would suggest monitoring the firewall rules that get added, not just log messages from sshguard.

On Thu, Jan 21, 2016 at 2:48 PM, Emmanuel <el...@ms...> wrote:
> ok I get it...
>
> Is there a 'minimal' message type that is recognized, I mean 'Failed
> password for root from IP...' seems like pretty basic
>
> I'll try to strip everything else but I'm using CoreOS as you noticed,
> and things change a lot and quickly with those guys, so I don't feel very
> confident this is a very robust solution: if I upgrade CoreOS to a new
> version I may end up with a non-parsable log and no protection... not good.
>
> Thanks for help
>
> > To: ssh...@li...
> > From: kev...@gm...
> > Date: Thu, 21 Jan 2016 14:24:33 -0800
> > Subject: Re: [Sshguard-users] confused about what to expect
> >
> > On 01/21/2016 14:15, Emmanuel wrote:
> > > I am running 1.6.0
> >
> > 1.6.3 recognizes most of your log messages as attacks. I haven't tested
> > 1.6.0; you should consider upgrading to 1.6.3.
> >
> > > I am trying to understand what sshguard does under the hood.
> >
> > Briefly, a lexer splits up each line into tokens (like
> > TIMESTAMP_SYSLOG). A parser looks at each token and processes it if the
> > tokens match a known attack pattern.
> >
> > You can try using sed to get rid of everything but the log message, i.e.
> > the "Failed password for root from 183.3.202.107 port 15012 ssh2". If it
> > still doesn't recognize the attack, it's probably because 1.6.0 doesn't
> > have that particular attack yet.
> >
> > > what do you mean by not recognizing the syslog prefix?
> > > I can sed or transform the stream if I have to, to make it work, I just
> > > want to understand what format is expected and what may break it.
> > > I'm not big into C, so I'd rather not dig into the code.
> > > is there some doc somewhere about this?
> >
> > The lexer/parser is ugly even if you know C. Something is being done
> > about this, but I'm not sure how long it'll take.
> >
> > Best,
> > Kevin
> >
> > --
> > Kevin Zheng
> > kev...@gm... | ke...@kd... | PGP: 0xC22E1090
> >
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
James Harris
Software Engineer
jam...@gm...
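As an added illustration of the lexer/parser split Kevin describes, the sed-style prefix stripping, and the "log format changed after an upgrade" failure mode Emmanuel worries about. This is constructed example code, not sshguard's own; the log lines, hostnames and addresses in it are made up, and the ISO-timestamp line stands in for a hypothetical new CoreOS format.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog-prefixed form discussed in the thread.
SAMPLE_LOG = """\
Jan 21 14:15:01 core-1 sshd[1234]: Failed password for root from 183.3.202.107 port 15012 ssh2
Jan 21 14:15:03 core-1 sshd[1234]: Failed password for root from 183.3.202.107 port 15013 ssh2
Jan 21 14:15:05 core-1 sshd[1235]: Failed password for invalid user admin from 183.3.202.107 port 15014 ssh2
Jan 21 14:15:07 core-1 sshd[1236]: Accepted publickey for core from 10.0.0.5 port 51000 ssh2
Jan 21 14:15:09 core-1 sshd[1237]: Failed password for root from 198.51.100.9 port 4000 ssh2
"""

# A constructed line with a different (ISO-timestamp) prefix, standing in for
# the "a CoreOS upgrade changed the log format" case.
DRIFTED_LOG = SAMPLE_LOG + \
    "2016-01-21T14:15:11Z core-1 sshd[1238]: Failed password for root from 203.0.113.4 port 4100 ssh2\n"

# Stage 1, the "lexer": drop the syslog prefix (what the sed suggestion does).
SYSLOG_PREFIX = re.compile(r'^(?:[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8}\s\S+\s)?sshd\[\d+\]:\s')
# Stage 2, the "parser": match the bare message against one known attack pattern.
FAILED_PASSWORD = re.compile(r'^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$')

def strip_syslog_prefix(line):
    """Return only the log message, with the 'Mon DD HH:MM:SS host sshd[pid]: ' part removed."""
    return SYSLOG_PREFIX.sub('', line.strip())

def parse_attack(line):
    """Return (user, source_ip) when the message is a recognised attack, else None."""
    m = FAILED_PASSWORD.match(strip_syslog_prefix(line))
    return (m.group(1), m.group(2)) if m else None

def attackers(log_text, threshold=3):
    """Count recognised failures per source address; report sources at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_attack(line)
        if hit:
            counts[hit[1]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def unrecognised_sshd_lines(log_text):
    """sshd lines whose prefix did not strip: the signal that the log format changed
    and the attack parser is silently seeing nothing."""
    return [l for l in log_text.splitlines()
            if 'sshd[' in l and strip_syslog_prefix(l) == l.strip()]

if __name__ == '__main__':
    print(attackers(SAMPLE_LOG))              # {'183.3.202.107': 3}
    print(unrecognised_sshd_lines(DRIFTED_LOG))
```

The second function is the part worth wiring into monitoring: a non-empty result means sshd is still logging but nothing is being matched, which is exactly the silent loss of protection the thread describes.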