Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Shadowbq <sha...@gm...> - 2018-11-03 00:25:46
|
Ryan You are now trolling. Please be more respectful. - shadowbq > On Nov 2, 2018, at 8:10 PM, Ryan Root <rr...@ro...> wrote: > > Are you two some of the actual programmers on this project? Not only do > you not know what the hell you are talking about when you get caught in > lie you make up a bunch of crap as if you are smarter than someone who > caught you. > >> On 11/2/2018 5:07 PM, Ryan Root wrote: >> Bullshit! >> >>> On 11/2/2018 4:55 PM, Christopher Engelhard wrote: >>> Hi all, >>> what Kevin has described is exactly what I meant. And no, that does not >>> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. >>> Maybe me referencing "services" is what caused the confusion. 'Programs' >>> might have been clearer - sshguard just happens to currently name what >>> it matches a 'service'. >>> >>> So, to hopefully fully clarify what I'm proposing: >>> 1) sshguard does not match against services like IMAP/POP3/FTP etc., but >>> against the log output of *programs* like Pure-FTPd or Postfix. >>> 2) currently, it assigns each program whose log output it understands a >>> number internally and reports this number in the logs. This is not very >>> helpful to the user, who will probably not know that 'Attack from <IP> >>> on service 320' refers to the Pure-FTPd FTP daemon. >>> 3) I propose to instead log the actual name of the program as defined by >>> upstream (I'm all in favour of following standards) instead, i.e. >>> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are >>> still used, one could log these as well, e.g. '<name> (<number>') >>> >>> If I understand you, Ryan, correctly, you're proposing logging standard >>> internet service names instead, e.g. mapping internal matches for >>> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? >>> >>> That is not without merit. However, this >>> - would mean that the log no longer really represents what SSHGuard is >>> actually doing, which is bad for tracking down errors when something >>> doesn't work as expected >>> - might not be possible in cases where one program handles multiple >>> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending >>> on how exactly the given program decides to format its logs >>> - would mean inconsistency or a significant loss of information in the >>> special case of the various attacks of webservices - these would all be >>> reported as "attack on www", as I don't think there is a RFC for the >>> Django login page >>> >>> It might be a good idea to include the service in the message, e.g. >>> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though. >>> >>> >>> I hope that clears things up. >>> >>> Best, >>> Christopher >>> >>> >>> _______________________________________________ >>> sshguard-users mailing list >>> ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>> >> >> >> _______________________________________________ >> sshguard-users mailing list >> ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users >> > > > > _______________________________________________ > sshguard-users mailing list > ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users |
