custom attack reporting

Issue #143 wontfix
Wout Mertens created an issue

I have a Node.js application and I’d like to report all requests for .php URLs to sshguard. I presume the easiest way to do this is to pick another application and pretend to output a matching log from it? Or is there a better way?

If pretending works, that also worries me about possible DoS attacks from local users: if you can’t stand someone, just log some messages to the syslog so their IP address gets blocked?

Comments (1)

  1. Kevin Zheng

    If you don't want to add your own attack signature, then you can pretend to be another application.

    You would have to change the lines near HTTP_LOGIN_200OK_BAD in src/parser/attack_scanner.l.

    Yes, local users could just log messages so that their IP address gets blocked. SSHGuard assumes that local users are trustworthy (because remember, your web server also runs as a local user). There are ways around this, see: https://github.com/paul-chambers/blacklistd
