From: Kevin Z. <kev...@gm...> - 2016-10-25 18:04:49
On 10/24/2016 17:05, Jonathan Woithe wrote:
> In this case, sshguard evidently blocked 91.224.160.131 after 4 of the
> "Failed password" messages, as I would expect. What I can't work out is why
> 91.224.160.131 was blocked while 212.129.60.203 was not, even though they
> generated the same messages. The only difference is that 91.224.160.131 had
> the single failure around 6 hours before the main block, but this should not
> make a difference.

It appears that SSHGuard is not recognizing any of the messages with "port NNNN" at the end.

> [1] For example, the "Invalid user inexu from 6.6.6.0" rule would not detect
> the "Invalid user guest from 212.129.60.203 port 52019" entries because our
> ssh logs the port number on the end of the rule. This rule might require
> "arbitrary text" to be added to the end to allow for this.

I think this is the solution.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
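
The mismatch discussed in this message, modelled as an added example that is not part of the original post and is not sshguard's own parser code: a rule that expects the line to end right after the address misses the "port NNNN" form, so that source never reaches the block threshold. The regexes, function names, threshold of 4, and all sample lines other than the two quoted in the message are assumptions constructed for illustration.

```python
import re
from collections import Counter

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical model of a rule written for the older message form:
# nothing may follow the address.
STRICT = re.compile(r"Invalid user (?P<user>\S+) from " + IPV4 + r"$")

# Relaxed model: tolerate an optional trailing " port NNNN".
RELAXED = re.compile(
    r"Invalid user (?P<user>\S+) from " + IPV4 + r"(?: port (?P<port>\d{1,5}))?$"
)

# Constructed sample lines. The first two are the forms quoted in the
# message; the rest are made up to push one source over the threshold.
SAMPLE = [
    "Invalid user inexu from 6.6.6.0",
    "Invalid user guest from 212.129.60.203 port 52019",
    "Invalid user admin from 212.129.60.203 port 52077",
    "Invalid user test from 212.129.60.203 port 52101",
    "Invalid user oracle from 212.129.60.203 port 52140",
    "Accepted publickey for alice from 192.0.2.10 port 40022 ssh2",
]


def count_attacks(lines, rule):
    """Count lines per source address that the given rule recognizes."""
    hits = Counter()
    for line in lines:
        m = rule.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def over_threshold(lines, rule, threshold=4):
    """Return the addresses a blocker using this rule would act on."""
    counts = count_attacks(lines, rule)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for name, rule in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, dict(count_attacks(SAMPLE, rule)), over_threshold(SAMPLE, rule))
```

Running the same comparison over a real auth log is a quick way to check whether a rule set is silently skipping a message variant before relying on it for blocking.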