From: Ryan R. <rr...@ro...> - 2018-11-03 00:07:31

Bullshit!

On 11/2/2018 4:55 PM, Christopher Engelhard wrote:
> Hi all,
> what Kevin has described is exactly what I meant. And no, that does not
> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it.
> Maybe me referencing "services" is what caused the confusion. 'Programs'
> might have been clearer - sshguard just happens to currently name what
> it matches a 'service'.
>
> So, to hopefully fully clarify what I'm proposing:
> 1) sshguard does not match against services like IMAP/POP3/FTP etc., but
> against the log output of *programs* like Pure-FTPd or Postfix.
> 2) currently, it assigns each program whose log output it understands a
> number internally and reports this number in the logs. This is not very
> helpful to the user, who will probably not know that 'Attack from <IP>
> on service 320' refers to the Pure-FTPd FTP daemon.
> 3) I propose to instead log the actual name of the program as defined by
> upstream (I'm all in favour of following standards) instead, i.e.
> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are
> still used, one could log these as well, e.g. '<name> (<number>)'
>
> If I understand you, Ryan, correctly, you're proposing logging standard
> internet service names instead, e.g. mapping internal matches for
> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct?
>
> That is not without merit. However, this
> - would mean that the log no longer really represents what SSHGuard is
> actually doing, which is bad for tracking down errors when something
> doesn't work as expected
> - might not be possible in cases where one program handles multiple
> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending
> on how exactly the given program decides to format its logs
> - would mean inconsistency or a significant loss of information in the
> special case of the various attacks of webservices - these would all be
> reported as "attack on www", as I don't think there is an RFC for the
> Django login page
>
> It might be a good idea to include the service in the message, e.g.
> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though.
>
> I hope that clears things up.
>
> Best,
> Christopher
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users