From: Kevin Z. <kev...@gm...> - 2018-09-26 22:14:05
Hi Frank,

Thanks for the comments.

On 9/26/18 7:38 AM, Frank Steiner wrote:
> Thus, four attacks with score 10 each are counted, giving a score of 40
> for two wrong passwords. That happens because in addition to the two
> wrong passwords (SSH_LOGINERR_PAM, I've patched the scanner to see
> which rules matched) sshguard also counts the "maximum authentication
> attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam
> for someuser" (SSH_LOGINERR_PREF).
>
> This really makes it hard to configure sshguard in a reasonable way.
> Two wrong ftp passwords are score 20, two wrong ssh passwords are
> 40. For my config it wouldn't be necessary to count the
> "failed keyboard-interactive" or the "max attempts" when I already
> count each wrong password.

I agree this is bad.

> I saw in the comments that the rule SSH_LOGINERR_PREF was meant for
> Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE
> system they match both.

As you point out, it's hard to keep the rules generally applicable but
also avoid duplicates.

> I see only two ways to solve this problem in general: Either you
> define groups of commands that mean the same and are only counted
> as one attack. But it might be very hard to figure out e.g. which
> pam messages belong to which sshd parent process if several connections
> are done in parallel.

Exactly.

> Or you allow users to define which rules should be counted with
> which score in the config file. E.g. setting sth. like this
> in sshguard.conf:
>
> SSH_LOGINERR_PREF=0
> SSH_MAXAUTH=3
>
> That would cause sshguard to ignore the "Failed keyboard-interactive/pam"
> and count the "max attempt" message with score 3 only.
>
> This would allow every admin to adjust scoring to his/her specific
> needs, even different settings for several hosts.

Perhaps this is the better solution.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
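
The double counting and the per-rule scores discussed in this thread, modelled as an added example that is not part of the original message and is not sshguard code. The regular expressions are simplified stand-ins for the three rules named above, the RULE=score syntax is the proposal from the thread rather than an existing sshguard option, and the log lines are constructed.

```python
import re

# Simplified stand-ins for the three rules named in the thread; assumptions
# for illustration, not sshguard's actual parser patterns.
RULES = {
    "SSH_LOGINERR_PAM": re.compile(r"pam_unix\(sshd:auth\): authentication failure;.* rhost=(\S+)"),
    "SSH_LOGINERR_PREF": re.compile(r"Failed keyboard-interactive/pam for \S+ from (\S+)"),
    "SSH_MAXAUTH": re.compile(r"maximum authentication attempts exceeded for \S+ from (\S+)"),
}
DEFAULT_SCORE = 10  # per-attack score quoted in the thread

# Constructed log lines: one connection, two wrong passwords, four matches.
SAMPLE_LOG = (
    "sshd[4242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=someuser\n"
    "sshd[4242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=someuser\n"
    "sshd[4242]: error: maximum authentication attempts exceeded for someuser from 192.0.2.7 port 51234 ssh2 [preauth]\n"
    "sshd[4242]: Failed keyboard-interactive/pam for someuser from 192.0.2.7 port 51234 ssh2\n"
)

def parse_weights(conf_text):
    """Parse RULE=score lines (hypothetical syntax, as proposed in the thread)."""
    weights = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().upper()
        if name not in RULES:
            raise ValueError(f"unknown rule: {name}")
        score = int(value)
        if score < 0:
            raise ValueError(f"negative score for {name}")
        weights[name] = score
    return weights

def score_log(log_text, weights=None):
    """Sum the score per source address; unlisted rules keep DEFAULT_SCORE."""
    weights = weights or {}
    totals = {}
    for line in log_text.splitlines():
        for name, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                addr = match.group(1)
                totals[addr] = totals.get(addr, 0) + weights.get(name, DEFAULT_SCORE)
                break  # at most one rule per log line
    return totals
```

With the default score every matching line adds 10, so the four lines reach 40; with SSH_LOGINERR_PREF=0 and SSH_MAXAUTH=3 the same lines total 23.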