guardian: React on BF attacks for SSH at pre-auth stage.

author Kim Wölfel <xaver4all@gmx.de>

Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)

committer Michael Tremer <michael.tremer@ipfire.org>

Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
author Kim Wölfel <xaver4all@gmx.de>
Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl

index 86d93fe6117999985587e7a87bb393fa0c9e5ae7..34546b7135aac1f400a1895ea265fb11f43fc96f 100644 (file)
--- a/config/guardian/guardian.pl
+++ b/config/guardian/guardian.pl
@@ -106,6 +106,10 @@ for (;;) {
                                         $temp = $array[11];
                                 }
                                 &checkssh ($temp, "possible SSH-Bruteforce Attack");}
+
+                       # This should catch Bruteforce Attacks with enabled preauth
+                       if ($_ =~ /.*sshd.*Received disconnect from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):.*\[preauth\]/) {
+                               &checkssh ($1, "possible SSH-Bruteforce Attack, failed preauth");}
                         }
         }
  
@@ -424,4 +428,4 @@ sub get_aliases {
         }
  
         print "done \n";
-}
-\ No newline at end of file
+}
diff --git a/lfs/guardian b/lfs/guardian

index fea50db0c8764d07269820999cb74b5cced15af2..a91fbd9ab0a35dc029808c5b3a697f207dc0c785 100644 (file)
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -30,7 +30,7 @@ THISAPP    = guardian-$(VER)
  DIR_APP    = $(DIR_SRC)/$(THISAPP)
  TARGET     = $(DIR_INFO)/$(THISAPP)
  PROG       = guardian
-PAK_VER    = 8
+PAK_VER    = 9
  
  DEPS       = ""
author	Kim Wölfel <xaver4all@gmx.de>
	Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Fri, 10 Jan 2014 15:19:43 +0000 (16:19 +0100)
config/guardian/guardian.pl		patch \| blob \| blame \| history
lfs/guardian		patch \| blob \| blame \| history