From: Jim S. <jse...@Li...> - 2018-04-20 16:33:36

On Fri, 20 Apr 2018 08:57:18 -0700
Kevin Zheng <kev...@gm...> wrote:

> On 04/20/2018 03:09, Karl Pielorz wrote:
> > So sshguard triggers for the 'Invalid user' line - and then,
> > again for the 'Disconnected from' line.
> >
> >
> > Will this count as a 'danger' of 20? - Or does sshguard know /
> > realise these are both for the same connection, so collapse them?
> > - The logs seem to indicate they're treated as two separate
> > things...
>
> No, SSHGuard currently does not.
>
> Checking the timestamp and throwing away duplicates could possibly
> work, but there are also many attackers who make multiple
> connections in the span of one second.
>
> I'm open to ideas on how to fix this.
>

Does it really *need* fixing? If somebody's hammering SSH that hard,
from multiple different angles, I'd want them blocked sooner, rather
than later, anyway.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering.
If you reply to this email and your email is rejected, please accept
my apologies and let me know via my web form at
<http://jimsun.LinxNet.com/contact/scform.php>.