From: Kevin Z. <kev...@gm...> - 2016-12-23 04:41:38

On 12/19/2016 23:09, Jonathan Woithe wrote:
> On Tue, Oct 25, 2016 at 11:04:42AM -0700, Kevin Zheng wrote:
>> On 10/24/2016 17:05, Jonathan Woithe wrote:
>>> In this case, sshguard evidently blocked 91.224.160.131 after 4 of the
>>> "Failed password" messages, as I would expect. What I can't work out is why
>>> 91.224.160.131 was blocked while 212.129.60.203 was not, even though they
>>> generated the same messages. The only difference is that 91.224.160.131 had
>>> the single failure around 6 hours before the main block, but this should not
>>> make a difference.
>>
>> It appears that SSHGuard is not recognizing any of the messages with
>> "port NNNN" at the end.
>>
>>> [1] For example, the "Invalid user inexu from 6.6.6.0" rule would not detect
>>> the "Invalid user guest from 212.129.60.203 port 52019" entries because our
>>> ssh logs the port number on the end of the rule. This rule might require
>>> "arbitrary text" to be added to the end to allow for this.
>>
>> I think this is the solution.
>
> Has such a solution been implemented yet? If not, an initial patch is
> included at the end of this email. Please do check it for correctness: I'm
> still getting my head around the .l/.y syntax.

Committed in 4702f7f, thanks!

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
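
An illustration of the matching gap discussed in this thread, added here as an example; it is not SSHGuard's lex/yacc grammar and not the patch committed in 4702f7f. The two regexes, the threshold of 4, and the log lines (documentation-range addresses) are constructed assumptions.

```python
import re
from collections import Counter

IPV4 = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
# Older log shape: the line must end right after the address.
STRICT = re.compile(r"Invalid user \S+ from " + IPV4 + r"$")
# Tolerant shape: an optional, well-formed " port NNNN" suffix is accepted,
# and the pattern stays anchored at the end of the line.
TOLERANT = re.compile(r"Invalid user \S+ from " + IPV4 + r"(?: port \d{1,5})?$")

THRESHOLD = 4  # assumed, mirroring the "blocked after 4" observation in the thread

# Constructed sample lines: one source logged without a port, one with.
SAMPLE_LOG = [
    "Dec 19 03:10:01 host sshd[411]: Invalid user guest from 192.0.2.10",
    "Dec 19 03:10:04 host sshd[412]: Invalid user admin from 192.0.2.10",
    "Dec 19 03:10:07 host sshd[413]: Invalid user test from 192.0.2.10",
    "Dec 19 03:10:09 host sshd[414]: Invalid user oracle from 192.0.2.10",
    "Dec 19 03:11:20 host sshd[415]: Invalid user guest from 198.51.100.7 port 52019",
    "Dec 19 03:11:22 host sshd[417]: Invalid user admin from 198.51.100.7 port 52020",
    "Dec 19 03:11:25 host sshd[419]: Invalid user test from 198.51.100.7 port 52021",
    "Dec 19 03:11:29 host sshd[421]: Invalid user oracle from 198.51.100.7 port 52022",
    "Dec 19 03:12:00 host sshd[430]: Accepted publickey for alice from 192.0.2.55 port 50000 ssh2",
]


def count_attacks(lines, pattern):
    """Count lines matched by `pattern`, keyed by source address."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line.rstrip())
        if m:
            hits[m.group("addr")] += 1
    return hits


def would_block(lines, pattern, threshold=THRESHOLD):
    """Return the sorted addresses whose match count reaches the threshold."""
    counts = count_attacks(lines, pattern)
    return sorted(addr for addr, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, dict(count_attacks(SAMPLE_LOG, pat)), would_block(SAMPLE_LOG, pat))
```

With the strict pattern the source that logs a port suffix is never counted, so it never reaches the threshold; the tolerant pattern counts both sources equally.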