guardian: React on BF attacks for SSH at pre-auth stage.
[people/teissler/ipfire-2.x.git] / config / guardian / guardian.pl
index 86d93fe6117999985587e7a87bb393fa0c9e5ae7..34546b7135aac1f400a1895ea265fb11f43fc96f 100644 (file)
@@ -106,6 +106,10 @@ for (;;) {
                                        $temp = $array[11];
                                }
                                &checkssh ($temp, "possible SSH-Bruteforce Attack");}
+
+                       # This should catch Bruteforce Attacks with enabled preauth
+                       if ($_ =~ /.*sshd.*Received disconnect from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):.*\[preauth\]/) {
+                               &checkssh ($1, "possible SSH-Bruteforce Attack, failed preauth");}
                        }
        }
 
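Review bot: The added `Received disconnect` pattern is unanchored and opens with `.*sshd.*`, so it matches any log line that merely contains those substrings. That includes sshd messages that echo client-supplied text, so a crafted log fragment could get an address that never connected passed to `checkssh` and possibly blocked. Anchor the match to the syslog prefix and the end of the line, assuming the traditional `Mon DD HH:MM:SS host` prefix: `if ($_ =~ /^\S+\s+\d+\s+\S+\s+\S+\s+sshd\[\d+\]: Received disconnect from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?:.*\[preauth\]\s*$/) {`. The optional ` port \d+` is there because newer OpenSSH releases log the source port before the colon, which the current pattern would silently miss. `checkssh` and the enclosing `for (;;)` loop lie outside the hunk, so check there whether the threshold tolerates benign pre-auth disconnects such as monitoring probes.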
@@ -424,4 +428,4 @@ sub get_aliases {
        }
 
        print "done \n";
-}
\ No newline at end of file
+}