Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Ryan R. <rr...@ro...> - 2018-11-03 00:26:14
|
no On 11/2/2018 5:25 PM, Shadowbq wrote: > Ryan > > You are now trolling. Please be more respectful. > > - shadowbq > >> On Nov 2, 2018, at 8:10 PM, Ryan Root <rr...@ro...> wrote: >> >> Are you two some of the actual programmers on this project? Not only do >> you not know what the hell you are talking about when you get caught in >> lie you make up a bunch of crap as if you are smarter than someone who >> caught you. >> >>> On 11/2/2018 5:07 PM, Ryan Root wrote: >>> Bullshit! >>> >>>> On 11/2/2018 4:55 PM, Christopher Engelhard wrote: >>>> Hi all, >>>> what Kevin has described is exactly what I meant. And no, that does not >>>> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. >>>> Maybe me referencing "services" is what caused the confusion. 'Programs' >>>> might have been clearer - sshguard just happens to currently name what >>>> it matches a 'service'. >>>> >>>> So, to hopefully fully clarify what I'm proposing: >>>> 1) sshguard does not match against services like IMAP/POP3/FTP etc., but >>>> against the log output of *programs* like Pure-FTPd or Postfix. >>>> 2) currently, it assigns each program whose log output it understands a >>>> number internally and reports this number in the logs. This is not very >>>> helpful to the user, who will probably not know that 'Attack from <IP> >>>> on service 320' refers to the Pure-FTPd FTP daemon. >>>> 3) I propose to instead log the actual name of the program as defined by >>>> upstream (I'm all in favour of following standards) instead, i.e. >>>> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are >>>> still used, one could log these as well, e.g. '<name> (<number>') >>>> >>>> If I understand you, Ryan, correctly, you're proposing logging standard >>>> internet service names instead, e.g. mapping internal matches for >>>> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? >>>> >>>> That is not without merit. However, this >>>> - would mean that the log no longer really represents what SSHGuard is >>>> actually doing, which is bad for tracking down errors when something >>>> doesn't work as expected >>>> - might not be possible in cases where one program handles multiple >>>> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending >>>> on how exactly the given program decides to format its logs >>>> - would mean inconsistency or a significant loss of information in the >>>> special case of the various attacks of webservices - these would all be >>>> reported as "attack on www", as I don't think there is a RFC for the >>>> Django login page >>>> >>>> It might be a good idea to include the service in the message, e.g. >>>> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though. >>>> >>>> >>>> I hope that clears things up. >>>> >>>> Best, >>>> Christopher >>>> >>>> >>>> _______________________________________________ >>>> sshguard-users mailing list >>>> ssh...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>>> >>> >>> _______________________________________________ >>> sshguard-users mailing list >>> ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>> >> >> >> _______________________________________________ >> sshguard-users mailing list >> ssh...@li... >> https://lists.sourceforge.net/lists/listinfo/sshguard-users |
