From: Kevin Z. <kev...@gm...> - 2021-05-22 04:56:50
Hi there,

I'd be curious to know: is anyone aware of an attack signature where only an attacker's DNS name (and not IP address) is available?

I'm asking because of this bug report, in which sshg-parser tries to parse a fully-qualified Java class name as a DNS name:

https://bitbucket.org/sshguard/sshguard/issues/142/wrong-parsing-of-java-stacktraces-in

This DNS lookup will also fail on systems where SSHGuard knows how to sandbox itself. I'm considering removing this lookup altogether if there are no known log messages where the IP address is not available.

(By the way, did you know that sshg-parser can operate with reduced privileges? Right now it only does so on FreeBSD, via Capsicum; and OpenBSD, via pledge(). If you are interested in lending a hand to help get sandboxing, or even privilege dropping, working on your system, let me know.)

Regards,
Kevin
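The following is an added illustration of the point in the message above; it is not code from SSHGuard or from the poster. It shows why a fully-qualified Java class name such as java.lang.NullPointerException satisfies the RFC 1123 host-name grammar (dot-separated labels of letters, digits and hyphens) and so would be handed to a resolver by any parser that accepts host names as attacker tokens, while an address-only policy (inet_pton succeeds, no lookup ever issued) rejects it outright. The hostname grammar, the classification function and the sample tokens are all assumptions constructed for this example; it deliberately performs no DNS lookup, which is also what keeps it usable inside a pledge()/Capsicum sandbox that has no network access.

```c
/* Added example (not SSHGuard code): classify the "attacker" token a log
 * parser extracts, and contrast a host-name-tolerant grammar with an
 * address-only policy that never needs a resolver. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum attacker_kind { ATK_IPV4, ATK_IPV6, ATK_HOSTNAME_LIKE, ATK_INVALID };

/* Assumed host-name grammar (RFC 1123 shape): 1..253 bytes total, labels
 * of 1..63 alphanumerics or '-', no label starting or ending with '-'.
 * Note that Java package and class identifiers fit this shape. */
int looks_like_hostname(const char *s)
{
    size_t len = strlen(s);
    size_t label_len = 0;

    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label_len == 0 || label_len > 63)
                return 0;
            if (s[i - 1] == '-')       /* safe: label_len > 0 here */
                return 0;
            label_len = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label_len == 0 && c == '-')
                return 0;
            label_len++;
        } else {
            return 0;                  /* ':', '$', space, ... */
        }
    }
    return 1;
}

/* Literal addresses are recognised with inet_pton(); anything else that
 * passes the grammar is exactly what a resolver-based parser would try
 * to look up. */
enum attacker_kind classify_attacker(const char *token)
{
    unsigned char buf[16];

    if (inet_pton(AF_INET, token, buf) == 1)
        return ATK_IPV4;
    if (inet_pton(AF_INET6, token, buf) == 1)
        return ATK_IPV6;
    if (looks_like_hostname(token))
        return ATK_HOSTNAME_LIKE;
    return ATK_INVALID;
}

/* The policy the message proposes: accept only literal addresses, so no
 * DNS query is ever made and a sandboxed parser cannot fail on one. */
int usable_without_dns(const char *token)
{
    enum attacker_kind k = classify_attacker(token);
    return k == ATK_IPV4 || k == ATK_IPV6;
}

static const char *kind_name(enum attacker_kind k)
{
    switch (k) {
    case ATK_IPV4:          return "ipv4";
    case ATK_IPV6:          return "ipv6";
    case ATK_HOSTNAME_LIKE: return "hostname-like (would be resolved)";
    default:                return "invalid";
    }
}

int main(void)
{
    /* Constructed sample tokens, not taken from any real log. */
    const char *tokens[] = {
        "203.0.113.5",
        "2001:db8::1",
        "java.lang.NullPointerException",   /* a Java class name */
        "com.example.Foo$Bar",              /* nested class: '$' fails */
        "attacker.example.net",
    };

    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-32s %-36s usable_without_dns=%d\n", tokens[i],
               kind_name(classify_attacker(tokens[i])),
               usable_without_dns(tokens[i]));
    return 0;
}
```

The interesting row is the Java class name: it is indistinguishable from a host name by syntax alone, so the only robust fix on the parser side is the one the message considers, namely not treating host-name-shaped tokens as attackers at all.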