Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Christopher E. <ce...@lc...> - 2018-11-02 23:55:14
|
Hi all, what Kevin has described is exactly what I meant. And no, that does not involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. Maybe me referencing "services" is what caused the confusion. 'Programs' might have been clearer - sshguard just happens to currently name what it matches a 'service'. So, to hopefully fully clarify what I'm proposing: 1) sshguard does not match against services like IMAP/POP3/FTP etc., but against the log output of *programs* like Pure-FTPd or Postfix. 2) currently, it assigns each program whose log output it understands a number internally and reports this number in the logs. This is not very helpful to the user, who will probably not know that 'Attack from <IP> on service 320' refers to the Pure-FTPd FTP daemon. 3) I propose to instead log the actual name of the program as defined by upstream (I'm all in favour of following standards) instead, i.e. 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are still used, one could log these as well, e.g. '<name> (<number>') If I understand you, Ryan, correctly, you're proposing logging standard internet service names instead, e.g. mapping internal matches for Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? That is not without merit. However, this - would mean that the log no longer really represents what SSHGuard is actually doing, which is bad for tracking down errors when something doesn't work as expected - might not be possible in cases where one program handles multiple standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending on how exactly the given program decides to format its logs - would mean inconsistency or a significant loss of information in the special case of the various attacks of webservices - these would all be reported as "attack on www", as I don't think there is a RFC for the Django login page It might be a good idea to include the service in the message, e.g. 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though. I hope that clears things up. Best, Christopher |
