From: Georg L. <jor...@ma...> - 2016-07-28 20:23:05
On 28/07/16 13:34, Kevin Zheng wrote:
> On 07/28/2016 00:20, li...@la... wrote:
>> Looking at the log, 162.144.102.19 is worthy of blocking, but it wasn't
>> blocked.
> ...
> Attackers are purged 30 minutes after their *first* attack, not their
> most recent attack. The first attack was at 04:48:34, and so by the time
> the third attack that would have triggered a block rolled around
> (05:31:03), the attacker's earlier attacks were already forgotten.
>
> This latter issue is something worth fixing. Suggestions? Perhaps it's
> better to change the policy to purge 30 minutes after the most *recent*
> attack.
>
> Best,
> Kevin
>

Hello,

Attacks as I observe them typically are spread over time. I guess that attackers already know that they get more attention if they blindly hammer on the same host, so they distribute the attacks and rather come back later to give it a try.

I have set the -s option to 70 minutes instead of 30 and consider setting -p to 5 minutes to take care of this.

Using the most recent attack time instead of the first only shifts the time window, so in the next corner case the attacker gets forgotten.

If I had a wish, I would like to be able to specify the coefficient for the (exponential?) back-off time. Currently it seems to be set fixed to 1.5 (man page, -p option).

- - -

Another idea: sshg-parse could be used for creating time series of the attacks, which can then be analyzed by statistical tools. Eventually we end up with an adaptive Kalman Filter or so ...

- - -

Best Regards,

Georg Lehner
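The two purge policies discussed above (expiry measured from the first attack versus from the most recent one) and the effect of Georg's longer -s window can be simulated over the quoted timestamps. This is an added example, not sshguard's code: the middle attack time is constructed to fill the gap the thread leaves, and the back-off formula is an assumed reading of "fixed factor 1.5", not the project's exact implementation.

```python
"""Simulate sshguard-style attacker tracking under two purge policies.
Added illustration for the thread, not code from sshguard itself."""
from datetime import datetime, timedelta

# Constructed attack log for one source. The first and third timestamps are
# the ones quoted in the thread; the middle one is invented to fill the gap.
ATTACKS = [
    datetime(2016, 7, 28, 4, 48, 34),
    datetime(2016, 7, 28, 5, 10, 0),
    datetime(2016, 7, 28, 5, 31, 3),
]


def first_block_time(attacks, threshold=3, stale_minutes=30, policy="first"):
    """Return the time at which the source would be blocked, or None if never.

    policy="first":  the record is forgotten `stale_minutes` after the FIRST
                     attack it holds (the behaviour Kevin describes).
    policy="recent": the record is forgotten `stale_minutes` after the MOST
                     RECENT attack (the change Kevin proposes).
    """
    stale = timedelta(minutes=stale_minutes)
    count = 0
    anchor = None  # time the expiry is measured from
    for t in sorted(attacks):
        if anchor is not None and t - anchor > stale:
            count = 0        # record purged: earlier attacks are forgotten
            anchor = None
        if anchor is None:
            anchor = t       # start a fresh record
        count += 1
        if policy == "recent":
            anchor = t       # every new attack refreshes the expiry
        if count >= threshold:
            return t
    return None


def block_duration(base_seconds, offences, factor=1.5):
    """Assumed back-off: block time grows by `factor` per repeat offence.
    The thread says the coefficient is fixed at 1.5; the exact exponent form
    used by sshguard is an assumption here."""
    return base_seconds * factor ** (offences - 1)


if __name__ == "__main__":
    print("first  policy, 30 min:", first_block_time(ATTACKS))
    print("recent policy, 30 min:", first_block_time(ATTACKS, policy="recent"))
    print("first  policy, 70 min:", first_block_time(ATTACKS, stale_minutes=70))
```

With the default policy the third attack never triggers a block, while both the "most recent" policy and the 70-minute window block at 05:31:03; spacing attacks further apart than either window defeats both, which is Georg's point about the window merely shifting.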