Menu
▾
▴
Re: [SSHGuard-users] Query over 'double counting' attacks?
|
From: Kevin Z. <kev...@gm...> - 2018-04-20 15:57:11
|
On 04/20/2018 03:09, Karl Pielorz wrote: > So sshguard triggers for the 'Invalid user' line - and then, again for > the 'Disconnected from' line. > > > Will this count as a 'danger' of 20? - Or does sshguard know / realise > these are both for the same connection, so collapse them? - The logs > seem to indicate they're treated as two separate things... No, SSHGuard currently does not. Checking the timestamp and throwing away duplicates could possibly work, but there are also many attackers who make multiple connections in the span of one second. I'm open to ideas on how to fix this. -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
