Re: [SSHGuard-users] Query over 'double counting' attacks?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Fri, 20 Apr 2018 08:57:18 -0700
Kevin Zheng <kev...@gm...> wrote:

> On 04/20/2018 03:09, Karl Pielorz wrote:
> > So sshguard triggers for the 'Invalid user' line - and then,
> > again for the 'Disconnected from' line.
> > 
> > 
> > Will this count as a 'danger' of 20? - Or does sshguard know /
> > realise these are both for the same connection, so collapse them?
> > - The logs seem to indicate they're treated as two separate
> > things...  
> 
> No, SSHGuard currently does not.
> 
> Checking the timestamp and throwing away duplicates could possibly
> work, but there are also many attackers who make multiple
> connections in the span of one second.
> 
> I'm open to ideas on how to fix this.
> 

Does it really *need* fixing?  If somebody's hammering SSH that hard,
from multiple different angles, I'd want them blocked sooner, rather
than later, anyway.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

Re: [SSHGuard-users] Query over 'double counting' attacks?

Intelligently block brute-force attacks by aggregating system logs

Re: [SSHGuard-users] Query over 'double counting' attacks?