Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Ryan R. <rr...@ro...> - 2018-11-03 00:10:20
|
Are you two some of the actual programmers on this project? Not only do you not know what the hell you are talking about when you get caught in lie you make up a bunch of crap as if you are smarter than someone who caught you. On 11/2/2018 5:07 PM, Ryan Root wrote: > Bullshit! > > On 11/2/2018 4:55 PM, Christopher Engelhard wrote: >> Hi all, >> what Kevin has described is exactly what I meant. And no, that does not >> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. >> Maybe me referencing "services" is what caused the confusion. 'Programs' >> might have been clearer - sshguard just happens to currently name what >> it matches a 'service'. >> >> So, to hopefully fully clarify what I'm proposing: >> 1) sshguard does not match against services like IMAP/POP3/FTP etc., but >> against the log output of *programs* like Pure-FTPd or Postfix. >> 2) currently, it assigns each program whose log output it understands a >> number internally and reports this number in the logs. This is not very >> helpful to the user, who will probably not know that 'Attack from <IP> >> on service 320' refers to the Pure-FTPd FTP daemon. >> 3) I propose to instead log the actual name of the program as defined by >> upstream (I'm all in favour of following standards) instead, i.e. >> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are >> still used, one could log these as well, e.g. '<name> (<number>') >> >> If I understand you, Ryan, correctly, you're proposing logging standard >> internet service names instead, e.g. mapping internal matches for >> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? >> >> That is not without merit. However, this >> - would mean that the log no longer really represents what SSHGuard is >> actually doing, which is bad for tracking down errors when something >> doesn't work as expected >> - might not be possible in cases where one program handles multiple >> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending >> on how exactly the given program decides to format its logs >> - would mean inconsistency or a significant loss of information in the >> special case of the various attacks of webservices - these would all be >> reported as "attack on www", as I don't think there is a RFC for the >> Django login page >> >> It might be a good idea to include the service in the message, e.g. >> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though. >> >> >> I hope that clears things up. >> >> Best, >> Christopher >> >> >> _______________________________________________ >> sshguard-users mailing list >> ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > > > _______________________________________________ > sshguard-users mailing list > ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
