From 2a747e37a86f44c5da8dbf67c4135772df29f24e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Kim=20W=C3=B6lfel?=
Date: Fri, 10 Jan 2014 16:19:43 +0100
Subject: [PATCH] guardian: React on BF attacks for SSH at pre-auth stage. See #10457.
---
 config/guardian/guardian.pl | 6 +++++-
 lfs/guardian | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl
index 86d93fe61..34546b713 100644
--- a/config/guardian/guardian.pl
+++ b/config/guardian/guardian.pl
@@ -106,6 +106,10 @@ for (;;) {
 $temp = $array[11];
 }
 &checkssh ($temp, "possible SSH-Bruteforce Attack");}
+
+ # This should catch Bruteforce Attacks with enabled preauth
+ if ($_ =~ /.*sshd.*Received disconnect from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):.*\[preauth\]/) {
+ &checkssh ($1, "possible SSH-Bruteforce Attack, failed preauth");}
 }
 }
@@ -424,4 +428,4 @@ sub get_aliases {
 }
 print "done \n";
-}
\ No newline at end of file
+}
diff --git a/lfs/guardian b/lfs/guardian
index fea50db0c..a91fbd9ab 100644
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -30,7 +30,7 @@ THISAPP = guardian-$(VER)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = guardian
-PAK_VER = 8
+PAK_VER = 9
 DEPS = ""
--
2.39.2
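Review bot: The pre-auth pattern added in the first guardian.pl hunk is unanchored and opens with greedy `.*sshd.*`, so the address passed to `checkssh` comes from the last `Received disconnect from <ip>:` found anywhere in the line, not necessarily from the part sshd itself wrote. Log lines carry text supplied by the remote peer (the disconnect reason here, user names in other sshd messages), so a crafted line could presumably get an unrelated address counted or blocked. Tie the match to the syslog header and daemon tag, e.g. `if ($_ =~ /^\S+\s+\d+\s+\S+\s+\S+\s+sshd\[\d+\]: Received disconnect from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): .*\[preauth\]\s*$/) {`, adjusting the header part to the local syslog format. Ordinary clients that disconnect before authenticating log the same message, so how many false positives this produces depends on the threshold inside `checkssh`, which is outside the hunk, as is the start of the enclosing `for (;;)` loop.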