- changed status to wontfix
custom attack reporting
Issue #143
wontfix
I have a nodejs application and I’d like to report all requests for .php urls to sshguard. I presume the easiest way to do this is to pick another application and pretend to output a matching log from it? Or is there a better way?
If pretending works, that also worries me about possible DoS attacks from local users: if you can’t stand someone, just log some messages to the syslog so their IP address gets blocked?
Comments (1)
If you don't want to add your own attack signature, then you can pretend to be another application.
You would have to change the lines near HTTP_LOGIN_200OK_BAD in src/parser/attack_scanner.l.

Yes, local users could just log messages so that their IP address gets blocked. SSHGuard assumes that local users are trustworthy (because remember, your web server also runs as a local user). There are ways around this, see: https://github.com/paul-chambers/blacklistd