From: Kevin Z. <kev...@gm...> - 2016-05-04 04:16:25
On 05/03/2016 08:36, Jos Chrispijn wrote:
> Is there a way of blocking port scanners and treat them as false login?

Yes, by adding these signatures and monitoring 'all.log'. But this wouldn't stop these log messages from showing up, because the attackers would still hit the firewall. It doesn't make sense to have a firewall protecting the firewall.

> May 3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712
> x.x.x.x:28997 in via re0
> May 3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712
> x.x.x.x:11505 in via re0
> May 3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712
> x.x.x.x:21643 in via re0
> May 3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712
> x.x.x.x:28800 in via re0

I think this is beyond the scope of SSHGuard. SSHGuard protects against service attacks, not port scans. The intent of SSHGuard is to use a firewall to prevent rapid attacks against services (that take up CPU and memory resources).

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
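
Added example, not part of the original message and not SSHGuard code: a standalone Python check that reads ipfw `Deny` lines of the shape quoted above and reports sources that were denied on several distinct destination ports within a short window. The function name, the threshold, the window, the default year and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the ipfw deny format quoted in the thread: stamp, host, rule, src:port, dst:port.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: ipfw: \d+ Deny (?:TCP|UDP) "
    r"(?P<src>\S+):\d+ \S+:(?P<dport>\d+) in via \S+"
)

# Constructed sample lines (not real traffic), shaped like the quoted log.
SAMPLE_LOG = """\
May  3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 198.51.100.7:41712 192.0.2.10:28997 in via re0
May  3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 198.51.100.7:41712 192.0.2.10:11505 in via re0
May  3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 198.51.100.7:41712 192.0.2.10:21643 in via re0
May  3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 198.51.100.7:41712 192.0.2.10:28800 in via re0
May  3 17:25:02 ceto kernel: ipfw: 7300 Deny TCP 203.0.113.9:50311 192.0.2.10:23 in via re0
May  3 17:25:03 ceto kernel: ipfw: 7300 Deny TCP 203.0.113.9:50312 192.0.2.10:23 in via re0
May  3 17:25:04 ceto sshd[812]: Invalid user admin from 203.0.113.9
"""

def find_port_scanners(lines, min_ports=4, window=timedelta(seconds=60), year=2016):
    """Map each source to the most distinct denied destination ports it hit
    inside any `window`, keeping only sources that reach `min_ports`."""
    hits = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            # Syslog stamps carry no year, so the caller supplies one (assumed default).
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append((when, int(m["dport"])))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        in_window, start, best = Counter(), 0, 0
        for when, port in events:
            in_window[port] += 1
            # Move the left edge of the window past events that have expired.
            while when - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            scanners[src] = best
    return scanners
```

Repeated denials on a single port, like the second source in the sample, do not count as a scan here; only the number of distinct ports inside the window does.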