From: Jim S. <jse...@Li...> - 2018-10-14 13:43:25
On Sat, 13 Oct 2018 11:38:20 -0700
Kevin Zheng <kev...@gm...> wrote:
> On 10/13/18 11:20 AM, Jos Chrispijn wrote:
> > Was this a stupid question or is there a way to solve this?
> >
> > On 7-10-2018 16:41, Jos Chrispijn wrote:
> >>
> >> Would it be possible to put this behaviour as being abusive and
> >> put on the blacklist as well?
> >>
> >> Oct 7 16:32:39 myserver postfix/postscreen[54284]: CONNECT from
> >> [221.225.107.228]:56134 to [x.x.x.x]:25
> >> Oct 7 16:32:40 myserver postfix/postscreen[54284]: DISCONNECT
> >> [221.225.107.228]:56134
> >> Oct 7 16:32:41 myserver postfix/postscreen[54284]: CONNECT from
> >> [221.225.107.228]:56149 to [x.x.x.x]:25
> >> Oct 7 16:32:42 myserver postfix/postscreen[54284]: DISCONNECT
> >> [221.225.107.228]:56149
> >> Oct 7 16:32:42 myserver postfix/postscreen[54284]: CONNECT from
> >> [221.225.107.228]:56168 to [1x.x.x.x]:25
> >> Oct 7 16:32:44 myserver postfix/postscreen[54284]: DISCONNECT
> >> [221.225.107.228]:56168
> >>
> >> thanks, Jos
>
> Not a stupid question; I (or someone else) just needs to sit down
> and write the rules for this new attack signature.
>
CONNECT and DISCONNECT messages are normal. They do not indicate an
authentication failure of any type. To write a rule for this,
sshguard would have to be able to understand that "X number of
repeated CONNECT/DISCONNECT messages w/in one second of each other
is bad."
Can sshguard do that? That would be pretty sophisticated rule
interpretation.
Besides which, a CONNECT, followed by an immediate DISCONNECT, is not
a *security* threat, per se. In fact it might well be no more than
TCP stack or firewall brain-damage:
http://postfix.1071664.n5.nabble.com/meaning-of-connect-immediately-followed-by-disconnect-in-mail-log-td32773.html
Personally, I wouldn't worry about it.
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
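What a rule for this pattern would actually have to do, as an added illustration (not sshguard code and not from anyone in the thread): keep per-client state across lines and count CONNECT events inside a sliding time window, which a single-line signature match cannot express. The sample log lines, host names, documentation-range addresses and the threshold below are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches postscreen CONNECT / DISCONNECT lines in the shape quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|DISCONNECT)(?: from)? \[(?P<ip>[^\]]+)\]:\d+"
)

# Constructed sample (RFC 5737 addresses); the syslog year is not logged, so it is assumed.
SAMPLE_LOG = """\
Oct  7 16:32:39 mx1 postfix/postscreen[54284]: CONNECT from [192.0.2.10]:56134 to [198.51.100.5]:25
Oct  7 16:32:40 mx1 postfix/postscreen[54284]: DISCONNECT [192.0.2.10]:56134
Oct  7 16:32:41 mx1 postfix/postscreen[54284]: CONNECT from [192.0.2.10]:56149 to [198.51.100.5]:25
Oct  7 16:32:42 mx1 postfix/postscreen[54284]: DISCONNECT [192.0.2.10]:56149
Oct  7 16:32:42 mx1 postfix/postscreen[54284]: CONNECT from [192.0.2.10]:56168 to [198.51.100.5]:25
Oct  7 16:32:44 mx1 postfix/postscreen[54284]: DISCONNECT [192.0.2.10]:56168
Oct  7 16:33:10 mx1 postfix/postscreen[54284]: CONNECT from [203.0.113.7]:40001 to [198.51.100.5]:25
Oct  7 16:33:12 mx1 postfix/postscreen[54284]: PASS NEW [203.0.113.7]:40001
Oct  7 16:33:20 mx1 postfix/postscreen[54284]: DISCONNECT [203.0.113.7]:40001
""".splitlines()


def parse_line(line, year=2018):
    """Return (timestamp, event, client_ip) for a CONNECT/DISCONNECT line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["ip"]


def rapid_reconnects(lines, threshold=3, window_s=5):
    """Return {client_ip: peak_count} for clients whose CONNECT events reach
    `threshold` within any `window_s`-second sliding window.
    DISCONNECT lines are parsed but carry no signal on their own, exactly as the
    message above says; only the rate of CONNECTs per client is stateful here."""
    recent = defaultdict(deque)   # ip -> timestamps of CONNECTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "CONNECT":
            continue
        ts, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Whether three connects in a few seconds is "bad" is a policy choice; as Jim notes, a flapping TCP stack or firewall produces the same trace, so such a counter is better treated as a tuning signal than as an automatic block.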