From: Frank S. <fst...@bi...> - 2018-09-28 08:28:17
Kevin Zheng wrote:
> On 9/27/18 2:55 AM, Frank Steiner wrote:
>> Hi,
>>
>> just a little proposal for an improvement: trying to figure out why certain
>> actions get the matches/score they do, it would be very helpful if the
>> "Attack from..." messages could contain the rule that matched. Like
>> "Attack from xxx on service 100 (SSH_MAXAUTH) with danger.."
>>
>> I had to patch that myself to figure out why so many rules matched
>> for my ssh, but I just added stupid print statements in attack_scanner.c,
>> so I cannot offer a valid patch for this.
>
> Have you tried running sshg-parser in libexec? The output is currently a
> bit cryptic, but it'll tell you which rule was matched.

Hmm, if I feed journalctl to sshg-parser I only get lines like

100 x.x.x.x 4 10
100 x.x.x.x 4 3

These are two different rules, the first one is the unknown user, the second
one the maximum reached, as I patched that one to score 3.

-- 
Dipl.-Inform. Frank Steiner   Web:   http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik    Mail:  http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17           Phone: +49 89 2180-4049
80333 Muenchen, Germany       Fax:   +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
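The message above shows why the raw sshg-parser output is hard to act on: each line is just four numbers and an address, and the only thing that distinguishes the "unknown user" hit from the "maximum reached" hit is the danger score. The script below is an added example (my own code, not part of sshguard or of this thread) that reads such lines, tallies hits per attacker and per (service, danger) pair, and labels them with a rule table the operator maintains by hand. It assumes the four columns mean service id, address, address kind (4 or 6) and danger score, which is how the two lines in the message read; the rule table, the sample lines and the threshold are constructed for the example and only match a build where the "maximum reached" rule was rescored to 3, as the poster did.

```python
"""Tally sshg-parser output per attacker and label hits by danger score.

Added example, not sshguard's own code. Column meaning (service, address,
address kind, danger) is an assumption based on the two lines quoted in the
thread. RULE_TABLE is a local, hand-maintained mapping and is only valid for
one particular sshguard build; it is the workaround for the missing rule name.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Attack(NamedTuple):
    service: int
    address: str
    addr_kind: int   # 4 or 6, as sshguard distinguishes IPv4/IPv6 attackers
    danger: int


# Constructed sample of what `journalctl | sshg-parser` is reported to print.
# Two malformed lines are included on purpose to exercise the parser's checks.
SAMPLE_LINES = [
    "100 192.0.2.10 4 10",
    "100 192.0.2.10 4 3",
    "100 192.0.2.10 4 10",
    "100 2001:db8::5 6 10",
    "this is not a parser line",
    "100 192.0.2.10 4 x",
]

# Assumed, hand-maintained: which (service, danger) pair belongs to which rule
# in THIS build. The 3 only exists because the rule was patched to score 3.
RULE_TABLE: Dict[Tuple[int, int], str] = {
    (100, 10): "SSH: login with unknown user",
    (100, 3): "SSH: maximum auth attempts reached (locally rescored to 3)",
}


def parse_line(line: str) -> Optional[Attack]:
    """Parse one sshg-parser line; return None for anything that is not one."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        service, kind, danger = int(fields[0]), int(fields[2]), int(fields[3])
    except ValueError:
        return None
    if kind not in (4, 6) or danger < 0:
        return None
    return Attack(service, fields[1], kind, danger)


def tally(lines: Iterable[str]) -> Dict[str, Counter]:
    """Return {address: Counter({(service, danger): hits})}, skipping junk."""
    result: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        attack = parse_line(line)
        if attack is None:
            continue
        result[attack.address][(attack.service, attack.danger)] += 1
    return result


def label(service: int, danger: int, rule_table: Dict[Tuple[int, int], str]) -> str:
    """Best-effort rule name; falls back to the raw pair when the table is silent."""
    return rule_table.get((service, danger), f"unlabelled rule (service {service}, danger {danger})")


def accumulated_danger(tallies: Dict[str, Counter], address: str) -> int:
    """Sum of danger over all hits for one address (danger * hit count)."""
    return sum(danger * hits for (_, danger), hits in tallies.get(address, Counter()).items())


def report(lines: Iterable[str], rule_table: Dict[Tuple[int, int], str], threshold: int) -> List[str]:
    """One line per (address, rule), plus a marker for addresses at/over threshold."""
    tallies = tally(lines)
    out: List[str] = []
    for address in sorted(tallies):
        for (service, danger), hits in sorted(tallies[address].items()):
            out.append(f"{address}: {hits}x {label(service, danger, rule_table)}")
        total = accumulated_danger(tallies, address)
        if total >= threshold:
            out.append(f"{address}: accumulated danger {total} >= {threshold}")
    return out


if __name__ == "__main__":
    # Threshold value is illustrative; use whatever your sshguard is configured with.
    for entry in report(SAMPLE_LINES, RULE_TABLE, threshold=20):
        print(entry)
```

Run it as `journalctl -u ssh | /usr/libexec/sshg-parser | python3 tally.py` after replacing SAMPLE_LINES with `sys.stdin`; the malformed lines are dropped rather than raising, so a stray non-parser line in the stream does not abort the tally.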