guardian: React on BF attacks for SSH at pre-auth stage.
authorKim Wölfel <xaver4all@gmx.de>
Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
See #10457.

config/guardian/guardian.pl
lfs/guardian

index 86d93fe..34546b7 100644 (file)
@@ -106,6 +106,10 @@ for (;;) {
                                        $temp = $array[11];
                                }
                                &checkssh ($temp, "possible SSH-Bruteforce Attack");}
+
+                       # This should catch Bruteforce Attacks with enabled preauth
+                       if ($_ =~ /.*sshd.*Received disconnect from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):.*\[preauth\]/) {
+                               &checkssh ($1, "possible SSH-Bruteforce Attack, failed preauth");}
                        }
        }
 
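Review bot: The new pattern on the `Received disconnect` line is unanchored (`.*sshd.*` in front, `.*\[preauth\]` behind), and sshd log lines can carry text chosen by the remote client (user names, the disconnect message). A line logged for a different event could therefore still match and hand `checkssh` an address that is not the connecting peer's, which for a tool that blocks on these strikes risks locking out an uninvolved host. Tie the match to the start of the line and to the sshd tag, for example `if ($_ =~ /^\S+\s+\d+\s+\S+\s+\S+\s+sshd\[\d+\]:\s+Received disconnect from (\d{1,3}(?:\.\d{1,3}){3}):.*\[preauth\]\s*$/) {`, adjusting the prefix to the syslog format this system actually writes (the traditional `Mon DD HH:MM:SS host` layout is assumed here, not visible in the hunk). A pre-auth disconnect may also be logged for clients that simply give up before authenticating, so the comment above the `if` should say that the strike threshold inside `checkssh` is what separates those from brute force. Both `checkssh` and the enclosing `for (;;)` loop lie outside the hunk, so the threshold itself could not be checked.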
@@ -424,4 +428,4 @@ sub get_aliases {
        }
 
        print "done \n";
-}
\ No newline at end of file
+}
index fea50db..a91fbd9 100644 (file)
@@ -30,7 +30,7 @@ THISAPP    = guardian-$(VER)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = guardian
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       = ""