fixed Extend sshd parser to log messages regarding AllowUsers #874 #1018

Open pfostenberg opened this issue 1 year ago • 4 comments

pfostenberg avatar Apr 09 '24 09:04 pfostenberg

Should detect bf attacks even with AllowUsers are configured.

Hey, so in the referenced issues the test case does not pass; I had to alter the grok line to detect multiple cases:

(Failed password for invalid )?(u|U)ser %{USERNAME:sshd_invalid_user}? from %{IP:sshd_client_ip}( port \d+)?( not allowed because not listed in AllowUsers)?

Do you have an example log line we can add for a test case?

Here is the case provided in the previous example:

2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from 192.168.1.1 not allowed because not listed in AllowUsers

LaurenceJJones avatar Apr 09 '24 12:04 LaurenceJJones

Yes, you can use this line (it ends with ssh2):

Apr 6 18:51:41 eve sshd[2784424]: Failed password for invalid user root from 89.67.127.249 port 51182 ssh2

I added your line to my system for testing...

pfostenberg avatar Apr 09 '24 13:04 pfostenberg
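As an added example, not code from this thread or from the crowdsec hub parser itself: the grok line proposed above translated into a Python regex and run over the two log lines quoted in the thread (the AllowUsers rejection and the "Failed password for invalid user" line), plus one constructed successful-login line that must not match. Grok's USERNAME and IP patterns are approximated here with plain regexes (IPv4 only, an assumption), and the syslog prefix is stripped by matching sshd[pid]: so both timestamp formats in the thread work.

```python
import re
from collections import Counter

# Constructed sample input: the two lines quoted in this thread plus one
# successful login that a brute-force parser must ignore.
SAMPLE_LINES = [
    "2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from "
    "192.168.1.1 not allowed because not listed in AllowUsers",
    "Apr 6 18:51:41 eve sshd[2784424]: Failed password for invalid user root "
    "from 89.67.127.249 port 51182 ssh2",
    "Apr 6 18:52:02 eve sshd[2784430]: Accepted publickey for alice "
    "from 10.0.0.5 port 40000 ssh2",
]

# Approximations of grok's %{USERNAME} and %{IP} (IPv4 only; assumption).
USERNAME = r"[a-zA-Z0-9._-]+"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# The thread's grok line, group by group, as a Python regex.
PATTERN = re.compile(
    r"(?P<failed>Failed password for invalid )?"
    r"(?:u|U)ser (?P<sshd_invalid_user>" + USERNAME + r")? from "
    r"(?P<sshd_client_ip>" + IPV4 + r")"
    r"( port \d+)?"
    r"(?P<allowusers> not allowed because not listed in AllowUsers)?"
)

# Isolates the sshd message regardless of the syslog timestamp format.
SYSLOG = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<message>.*)$")


def parse_sshd_line(line):
    """Return {'user', 'ip', 'reason'} for an auth failure, else None.

    Because both markers in the pattern are optional, a bare
    "User x from y" would also match; only lines carrying one of the
    two failure markers are reported as failures here.
    """
    m = SYSLOG.search(line)
    if not m:
        return None
    g = PATTERN.search(m.group("message"))
    if not g:
        return None
    if g.group("failed"):
        reason = "failed_password"
    elif g.group("allowusers"):
        reason = "not_in_allowusers"
    else:
        return None
    return {
        "user": g.group("sshd_invalid_user"),
        "ip": g.group("sshd_client_ip"),
        "reason": reason,
    }


def count_failures(lines):
    """Failures per source IP: the counter a brute-force bucket would fill."""
    counts = Counter()
    for line in lines:
        event = parse_sshd_line(line)
        if event:
            counts[event["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sshd_line(line))
    print(count_failures(SAMPLE_LINES))
```

Both quoted lines yield an IP and a user, so a bucket keyed on the client IP fires whether the host rejects the attempt at the password stage or earlier at the AllowUsers check; the successful-login line is dropped.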

Can you check the updates I made, @pfostenberg, and if you are happy that the test cases are covered we can merge.

LaurenceJJones avatar Apr 09 '24 14:04 LaurenceJJones

@LaurenceJJones @pfostenberg are you both able to get this merged? I'm facing the problem that this fixes at the moment.

keval6b avatar Jun 27 '24 13:06 keval6b

Merged, will take up to 30 minutes to be replicated across the CDNs.

To update, run: cscli hub update && cscli hub upgrade

LaurenceJJones avatar Jun 27 '24 14:06 LaurenceJJones