From: Karl P. <kpi...@td...> - 2018-04-20 17:29:51
--On 20 April 2018 at 08:57:18 -0700 Kevin Zheng <kev...@gm...> wrote:

>> Will this count as a 'danger' of 20? - Or does sshguard know / realise
>> these are both for the same connection, so collapse them? - The logs
>> seem to indicate they're treated as two separate things...
>
> No, SSHGuard currently does not.
>
> Checking the timestamp and throwing away duplicates could possibly work,
> but there are also many attackers who make multiple connections in the
> span of one second.
>
> I'm open to ideas on how to fix this.

OK, it's not a major issue (as someone else already replied, 'Does it really need fixing?'). It did confuse me a little looking at the logs (and obviously has implications for the counts before blocking, but it is all working).

I might see if I can get away with ignoring the "Disconnected from" lines, as so far it looks like everything 'evil' triggers from at least one other line. I'll collect some logs and check.

The bigger annoyance is that 99% of IPs don't seem to trip the blocks (because they only try once or twice from a single IP and never again). I can't think of any simple way of handling that either. Obvious dictionary attacks from single IPs are shut down very quickly though, which is good.

Thanks,
-Karl
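The counting question in this thread, worked through on sample log lines as an added example; this is not sshguard's own code and does not reproduce its parser. It assumes OpenSSH 7.x-style syslog lines (constructed below, not taken from the thread), a danger of 10 per attack and a block threshold of 30 (sshguard's documented defaults, stated here as assumptions), and compares four scoring rules: counting every matching line, Kevin's timestamp-based dedup, keying on (ip, source port) so that the 'Invalid user' and 'Disconnected from' lines of one connection collapse while two connections opened in the same second stay separate, and Karl's workaround of dropping 'Disconnected from' lines. The sample includes the edge cases from both replies: an attacker with two connections in one second, and a connection whose only matching line is the disconnect.

```python
import re
from collections import defaultdict

# Assumed scoring parameters (sshguard's documented defaults, taken as assumptions here).
DANGER_PER_ATTACK = 10
BLOCK_THRESHOLD = 30

# Constructed sample sshd lines in OpenSSH 7.x syslog format; not real traffic.
# 203.0.113.5 opens two connections in the same second; 192.0.2.9 logs only a disconnect.
SAMPLE_LOG = """\
Apr 20 08:57:18 host sshd[1234]: Invalid user admin from 203.0.113.5 port 51234
Apr 20 08:57:18 host sshd[1234]: Disconnected from invalid user admin 203.0.113.5 port 51234 [preauth]
Apr 20 08:57:18 host sshd[1240]: Invalid user test from 203.0.113.5 port 51240
Apr 20 08:57:18 host sshd[1240]: Disconnected from invalid user test 203.0.113.5 port 51240 [preauth]
Apr 20 08:57:19 host sshd[1250]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr 20 08:57:19 host sshd[1250]: Disconnected from authenticating user root 198.51.100.7 port 40022 [preauth]
Apr 20 08:57:20 host sshd[1260]: Disconnected from authenticating user root 192.0.2.9 port 33010 [preauth]
"""

TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

# (kind, pattern) for the three attack-style messages in the sample; each yields ip and port.
ATTACK_PATTERNS = [
    ("invalid_user", re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+) port (?P<port>\d+)")),
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port (?P<port>\d+)")),
    ("disconnected", re.compile(r"Disconnected from (?:invalid|authenticating) user \S+ (?P<ip>[\d.]+) port (?P<port>\d+)")),
]


def parse_events(log_text):
    """Return one event dict per matching line: kind, ip, port, ts (syslog timestamp string)."""
    events = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        for kind, pattern in ATTACK_PATTERNS:
            m = pattern.search(line)
            if m:
                events.append({
                    "kind": kind,
                    "ip": m["ip"],
                    "port": int(m["port"]),
                    "ts": ts_match["ts"] if ts_match else "",
                })
                break
    return events


def score(events, dedupe_key=None, ignore_disconnects=False):
    """Sum danger per IP. dedupe_key(event) -> hashable collapses all events sharing a key
    into a single attack; ignore_disconnects drops 'Disconnected from' events entirely."""
    danger = defaultdict(int)
    seen = set()
    for e in events:
        if ignore_disconnects and e["kind"] == "disconnected":
            continue
        if dedupe_key is not None:
            key = dedupe_key(e)
            if key in seen:
                continue
            seen.add(key)
        danger[e["ip"]] += DANGER_PER_ATTACK
    return dict(danger)


def score_naive(events):
    # Every matching line is an attack: a single connection can add 20.
    return score(events)


def score_per_second(events):
    # Timestamp-based dedup taken literally: collapse by (ip, timestamp). This undercounts
    # an attacker that opens several connections within one second.
    return score(events, dedupe_key=lambda e: (e["ip"], e["ts"]))


def score_per_connection(events):
    # Collapse by (ip, source port): the 'Invalid user' and 'Disconnected from' lines of
    # one connection share a source port, while parallel connections do not.
    return score(events, dedupe_key=lambda e: (e["ip"], e["port"]))


def score_ignore_disconnects(events):
    # Never treat 'Disconnected from' as an attack. A connection whose only matching
    # line is the disconnect then scores nothing at all.
    return score(events, ignore_disconnects=True)


def blocked(danger):
    """IPs whose accumulated danger has reached the block threshold."""
    return {ip for ip, d in danger.items() if d >= BLOCK_THRESHOLD}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for name, fn in [("naive", score_naive), ("per second", score_per_second),
                     ("per connection", score_per_connection),
                     ("ignore disconnects", score_ignore_disconnects)]:
        d = fn(evs)
        print(f"{name:20s} {d}  blocked={sorted(blocked(d))}")
```

On this sample the naive rule gives 203.0.113.5 a danger of 40 from two connections and blocks it, while keying on (ip, port) gives 20 and does not block yet; the per-second rule collapses both of that host's connections into one attack, which is the undercount Kevin warns about; and dropping the disconnect lines leaves 192.0.2.9 unscored because its connection produced no other matching line. The source port is only a usable connection key when sshd logs it, which OpenSSH has done for these messages since the 6.x/7.x series; older formats without a port would need the pid or a fallback to naive counting.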