Re: [SSHGuard-users] Scoring problems

[Kevin Z. <kev...@gm...>]

Hi Frank,

Thanks for the comments.

On 9/26/18 7:38 AM, Frank Steiner wrote:
> Thus, four attacks with score 10 each are counted, giving a score of 40
> for two wrong passwords. That happens because in addition to the two
> wrong passwords (SSH_LOGINERR_PAM, I've patched the scanner to see
> which rules matched) sshguard also counts the "maximum authentication
> attempts exceeded" (ssh_maxauth) and the "Failed keyboard-interactive/pam
> for someuser" (SSH_LOGINERR_PREF).
> 
> This really makes it hard to configure sshguard in a reasonable way.
> Two wrong ftp passwords are score 20, two wrong ssh passwords are
> 40. For my config it wouldn't be neccessary to count the
> "failed keyboard-interactive" or the "max attempts" when I already
> count each wrong password.

I agree this is bad.

> I saw in the comments that the rule SSH_LOGINERR_PREF was meant for
> Ubuntu, the SSH_LOGINERR_PAM for FreeBSD/Debian, but for our SuSE
> system they match both.

As you point out, it's hard to keep the rules generally applicable but
also avoid duplicates.

> I see only two ways to solve this problem in general: Either you
> define groups of commands that mean the same  and are only counted
> as one attack. But it might  be very hard to figure out e.g which
> pam messages belong to with sshd parent process if several connections
> are done in parallel.

Exactly.

> Or you allow users to define which rules should be counted with
> which score in the config file. E.g. setting sth. likle this
> in sshguard.conf:
> 
> SSH_LOGINERR_PREF=0
> SSH_MAXAUTH=3
> 
> That would sshguard cause to ignore the "Failed keyboard-interactive/pam"
> and counting the "max attempt" message with score 3 only.
> 
> This would allow every admin to adjust scoring to his/her specific
> needs, even different settings for several hosts.

Perhaps this is the better solution.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090