From: Karl P. <kpi...@td...> - 2018-04-20 10:28:40
Hi,

I've recently installed sshguard 2.1.0 under FreeBSD - and it's all set up, and appears to be working fine.

In the logs though I'll see entries like:

Apr 20 10:43:32 sshd2[90659]: Connection from x.x.x.x port 58942 on 192.168.1.129 port 2323
Apr 20 10:43:42 sshd2[90659]: Invalid user test from x.x.x.x
Apr 20 10:43:42 sshguard[89640]: Attack from "x.x.x.x" on service 100 with danger 10.
Apr 20 10:43:42 sshd2[90659]: Received disconnect from x.x.x.x port 58942:11: Normal Shutdown, Thank you for playing [preauth]
Apr 20 10:43:42 sshd2[90659]: Disconnected from x.x.x.x port 58942 [preauth]
Apr 20 10:43:42 sshguard[89640]: Attack from "x.x.x.x" on service 100 with danger 10.

So sshguard triggers for the 'Invalid user' line - and then, again for the 'Disconnected from' line.

Will this count as a 'danger' of 20? - Or does sshguard know / realise these are both for the same connection, so collapse them? - The logs seem to indicate they're treated as two separate things...

Thanks,

-Karl
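An added example, not part of the original post and not sshguard's own code: it tallies, per address, how many "Attack from" reports sshguard wrote, the sum of the danger values as logged, and how many distinct sshd processes produced lines for that address. It assumes one sshd PID corresponds to one connection and uses a constructed sample with 203.0.113.7 standing in for the redacted x.x.x.x; it reports only what the log contains, not how sshguard scores the reports internally.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in the post;
# 203.0.113.7 is a documentation address standing in for x.x.x.x.
SAMPLE_LOG = """\
Apr 20 10:43:32 sshd2[90659]: Connection from 203.0.113.7 port 58942 on 192.168.1.129 port 2323
Apr 20 10:43:42 sshd2[90659]: Invalid user test from 203.0.113.7
Apr 20 10:43:42 sshguard[89640]: Attack from "203.0.113.7" on service 100 with danger 10.
Apr 20 10:43:42 sshd2[90659]: Received disconnect from 203.0.113.7 port 58942:11: Normal Shutdown, Thank you for playing [preauth]
Apr 20 10:43:42 sshd2[90659]: Disconnected from 203.0.113.7 port 58942 [preauth]
Apr 20 10:43:42 sshguard[89640]: Attack from "203.0.113.7" on service 100 with danger 10.
"""

# sshguard's report line, in the form shown in the post.
ATTACK_RE = re.compile(
    r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\d+) with danger (\d+)\.')
# Any sshd line (sshd, sshd2, ...) that names a peer after the word "from".
SSHD_RE = re.compile(r'(sshd\w*)\[(\d+)\]: .*?\bfrom (\S+)')


def summarize(log_text):
    """Per address: reports logged, summed logged danger, distinct sshd PIDs."""
    stats = defaultdict(lambda: {"reports": 0, "danger": 0, "pids": set()})
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            addr, _service, danger = m.groups()
            stats[addr]["reports"] += 1
            stats[addr]["danger"] += int(danger)
            continue
        m = SSHD_RE.search(line)
        if m:
            _name, pid, addr = m.groups()
            # Assumption: one sshd PID is one connection.
            stats[addr]["pids"].add(pid)
    return {
        addr: {"reports": s["reports"],
               "logged_danger": s["danger"],
               "connections": len(s["pids"])}
        for addr, s in stats.items()
    }


if __name__ == "__main__":
    for addr, row in summarize(SAMPLE_LOG).items():
        print(addr, row)
```

An address showing more reports than connections is the pattern described in the post: several report lines for a single sshd process.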