Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend sshd parser to log messages regarding AllowUsers #874

Open
d-Rickyy-b opened this issue Nov 13, 2023 · 2 comments · May be fixed by #1021
Open

Extend sshd parser to log messages regarding AllowUsers #874

d-Rickyy-b opened this issue Nov 13, 2023 · 2 comments · May be fixed by #1021
Labels
good first issue Good for newcomers

Comments

@d-Rickyy-b
Copy link

d-Rickyy-b commented Nov 13, 2023
edited

What would you like to be added?

/kind enhancement

Why is this needed?

Thanks for creating crowdsec. I am currently playing around with its capabilities.

I hardened my ssh server so that it only accepts connections from specific users, defined in the sshd_config AllowUsers directive. From my perspective anyone trying to log into my ssh server with any user not included in the AllowUsers list is brute forcing.

A regular log line for this attack on my debian machine looks like this:

2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from 180.101.xxx.xxx not allowed because not listed in AllowUsers

Using cscli explain --type sshd on the log line returns this:

line: 2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from 180.101.xxx.xxx not allowed because not listed in AllowUsers
        ├ s00-raw
        |       ├ 🟢 crowdsecurity/non-syslog (+5 ~8)
        |       └ 🔴 crowdsecurity/syslog-logs
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/nginx-logs
        |       └ 🔴 crowdsecurity/sshd-logs
        └-------- parser failure 🔴

Would it be possible to add this case to the parser?
@github-actions GitHub Actions
Copy link

@d-Rickyy-b: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions GitHub Actions
Copy link

@d-Rickyy-b: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind bug
  • /kind packaging
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@blotus blotus transferred this issue from crowdsecurity/crowdsec Nov 20, 2023
@LaurenceJJones LaurenceJJones added the good first issue Good for newcomers label Feb 20, 2024
@LaurenceJJones LaurenceJJones mentioned this issue Apr 7, 2024
Closed
pfostenberg added a commit to pfostenberg/hub that referenced this issue Apr 9, 2024
@pfostenberg
fixed Extend sshd parser to log messages regarding AllowUsers crowdse…
c874564 
…curity#874 crowdsecurity#1018
@LaurenceJJones LaurenceJJones linked a pull request Apr 9, 2024 that will close this issue
fixed Extend sshd parser to log messages regarding AllowUsers #874 #1018 #1021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixed Extend sshd parser to log messages regarding AllowUsers #874 #1018 pfostenberg/hub
2 participants
@d-Rickyy-b @LaurenceJJones