Menu
▾
▴
Re: [SSHGuard-users] Log human-readable service IDs instead of numbers?
|
From: Ryan R. <rr...@ro...> - 2018-11-03 00:28:25
|
Whoever the coward "shadowbq" is, I have used sshguard and may use it in the future. I have a right to investigate the integrity and technical competence of people making decisions about it's future. If you don't like this list you get lost. Ryan On 11/2/2018 5:26 PM, Ryan Root wrote: > no > > On 11/2/2018 5:25 PM, Shadowbq wrote: >> Ryan >> >> You are now trolling. Please be more respectful. >> >> - shadowbq >> >>> On Nov 2, 2018, at 8:10 PM, Ryan Root <rr...@ro...> wrote: >>> >>> Are you two some of the actual programmers on this project? Not only do >>> you not know what the hell you are talking about when you get caught in >>> lie you make up a bunch of crap as if you are smarter than someone who >>> caught you. >>> >>>> On 11/2/2018 5:07 PM, Ryan Root wrote: >>>> Bullshit! >>>> >>>>> On 11/2/2018 4:55 PM, Christopher Engelhard wrote: >>>>> Hi all, >>>>> what Kevin has described is exactly what I meant. And no, that does not >>>>> involve redefining 'ssh 22/tcp' as 'craftbeer' for the fun of it. >>>>> Maybe me referencing "services" is what caused the confusion. 'Programs' >>>>> might have been clearer - sshguard just happens to currently name what >>>>> it matches a 'service'. >>>>> >>>>> So, to hopefully fully clarify what I'm proposing: >>>>> 1) sshguard does not match against services like IMAP/POP3/FTP etc., but >>>>> against the log output of *programs* like Pure-FTPd or Postfix. >>>>> 2) currently, it assigns each program whose log output it understands a >>>>> number internally and reports this number in the logs. This is not very >>>>> helpful to the user, who will probably not know that 'Attack from <IP> >>>>> on service 320' refers to the Pure-FTPd FTP daemon. >>>>> 3) I propose to instead log the actual name of the program as defined by >>>>> upstream (I'm all in favour of following standards) instead, i.e. >>>>> 'Attack from <IP> on Pure-FTPd'. If internally service ID numbers are >>>>> still used, one could log these as well, e.g. '<name> (<number>') >>>>> >>>>> If I understand you, Ryan, correctly, you're proposing logging standard >>>>> internet service names instead, e.g. mapping internal matches for >>>>> Dovecot, Courier, Exim to 'Attack on IMAP'/'... POP' etc., correct? >>>>> >>>>> That is not without merit. However, this >>>>> - would mean that the log no longer really represents what SSHGuard is >>>>> actually doing, which is bad for tracking down errors when something >>>>> doesn't work as expected >>>>> - might not be possible in cases where one program handles multiple >>>>> standard services (e.g. IMAP/POP/SMTP submission for Dovecot), depending >>>>> on how exactly the given program decides to format its logs >>>>> - would mean inconsistency or a significant loss of information in the >>>>> special case of the various attacks of webservices - these would all be >>>>> reported as "attack on www", as I don't think there is a RFC for the >>>>> Django login page >>>>> >>>>> It might be a good idea to include the service in the message, e.g. >>>>> 'Attack on WWW (Wordpress)' or 'Attack on IMAP/POP (Dovecot)', though. >>>>> >>>>> >>>>> I hope that clears things up. >>>>> >>>>> Best, >>>>> Christopher >>>>> >>>>> >>>>> _______________________________________________ >>>>> sshguard-users mailing list >>>>> ssh...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>>>> >>>> _______________________________________________ >>>> sshguard-users mailing list >>>> ssh...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sshguard-users >>>> >>> >>> _______________________________________________ >>> sshguard-users mailing list >>> ssh...@li... >>> https://lists.sourceforge.net/lists/listinfo/sshguard-users > > > > _______________________________________________ > sshguard-users mailing list > ssh...@li... > https://lists.sourceforge.net/lists/listinfo/sshguard-users > |
