From: Kevin Z. <kev...@gm...> - 2016-08-17 18:54:43
Hi there,

The latest code in 'master' has SSHGuard split into four parts:

- sshg-logtail: monitor system logs
- sshg-parser: logs -> attack data
- sshg-blocker: attack data -> block/release actions
- sshg-fw: do things with the firewall

The 'sshguard' command has been replaced with a script that does some option handling but simply pipes these programs together:

    sshg-logtail $logs | sshg-parser | sshg-blocker $flags | sshg-fw

(note that sshg-blocker currently directly popen()'s sshg-fw, so the last part isn't actually in the 'sshguard' script)

Both sshg-parser and sshg-blocker are candidates for privsep. Capsicum sandboxing (for FreeBSD) is available. pledge() support on OpenBSD is welcome, as is sandboxing/privsep for other operating systems.

Here's something that someone could do with this: provide an alternative implementation of sshg-parser that runs the parser part of fail2ban (fail2ban-regex?). That way we get their attack signatures in SSHGuard while hopefully adding privsep to avoid their bugs.

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
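The following is an added illustration of the logs -> attack data -> block/release pipeline described in the message above; it is example code written for this page, not SSHGuard's own sshg-parser or sshg-blocker. The attack-record format (timestamp, address, dangerousness), the per-signature dangerousness of 10, the block threshold of 30 and the 120-second block time are assumptions chosen for the example, as are the two OpenSSH log regexes; the log lines are constructed. The parser stage touches nothing but its input lines and its return value, which is the property that makes a real sshg-parser a candidate for pledge("stdio") or cap_enter(): a regex bug in this stage has no path to the firewall.

```python
"""Toy sshg-parser / sshg-blocker stages (added example, not SSHGuard code)."""
import re
import sys
from datetime import datetime

# Constructed OpenSSH syslog lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, so nothing here refers to a real host.
SAMPLE_LOG = [
    "Aug 17 18:50:01 bastion sshd[4412]: Invalid user admin from 203.0.113.7 port 51234",
    "Aug 17 18:50:01 bastion sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Aug 17 18:50:03 bastion sshd[4415]: Accepted publickey for kevin from 198.51.100.9 port 40022 ssh2",
    "Aug 17 18:50:05 bastion sshd[4417]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Aug 17 18:50:09 bastion sshd[4419]: Failed password for root from 203.0.113.7 port 51241 ssh2",
    "Aug 17 18:52:30 bastion sshd[4430]: Failed password for root from 198.51.100.9 port 40100 ssh2",
]

# --- stage 2: sshg-parser stand-in (log line -> attack record) ---------------
# The regexes and the dangerousness score of 10 per hit are assumptions.
_TS = r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SIGNATURES = [
    (re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + _IP), 10),
    (re.compile(_TS + r" \S+ sshd\[\d+\]: Invalid user \S+ from " + _IP), 10),
]


def parse_line(line):
    """Return (seconds, ip, dangerousness) for an attack line, else None.

    This function only reads its argument and returns a tuple: no files, no
    sockets, no firewall.  That is exactly the surface a sandboxed parser
    process would be restricted to.
    """
    for rx, danger in SIGNATURES:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            secs = (ts - datetime(1900, 1, 1)).total_seconds()       # relative clock is enough
            return secs, m.group("ip"), danger
    return None


# --- stage 3: sshg-blocker stand-in (attack records -> actions) --------------
class Blocker:
    """Accumulate dangerousness per address; emit ('block'|'release', ip)."""

    def __init__(self, threshold=30, block_seconds=120):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.score = {}    # ip -> accumulated dangerousness
        self.blocked = {}  # ip -> time at which the block is released

    def expire(self, now):
        """Release blocks whose time is up; returns the release actions."""
        due = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in due:
            del self.blocked[ip]
        return [("release", ip) for ip in due]

    def feed(self, now, ip, danger):
        """Consume one attack record; returns the actions it triggers."""
        actions = self.expire(now)
        if ip in self.blocked:          # already blocked; nothing more to do
            return actions
        self.score[ip] = self.score.get(ip, 0) + danger
        if self.score[ip] >= self.threshold:
            self.blocked[ip] = now + self.block_seconds
            del self.score[ip]          # counter restarts after the block lapses
            actions.append(("block", ip))
        return actions


def run_pipeline(log_lines, threshold=30, block_seconds=120):
    """Wire the two stages together the way the 'sshguard' script pipes them."""
    blocker = Blocker(threshold, block_seconds)
    actions = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is not None:
            actions.extend(blocker.feed(*rec))
    return actions


if __name__ == "__main__":
    # Reads log lines on stdin, writes one "block IP" / "release IP" line per
    # action on stdout, which is the shape an sshg-fw stand-in could consume.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for verb, ip in run_pipeline(lines):
        print(verb, ip)
```

Run on the constructed sample, 203.0.113.7 crosses the threshold on its third failure at 18:50:05 and is released when the next record arrives after 18:52:05; the successful publickey login and the single failure from 198.51.100.9 produce no action. The example also shows why the privsep split matters: everything that interprets untrusted log text lives in parse_line, while only the blocker decides on firewall actions.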