Linux vps-61133.fhnet.fr 4.9.0-19-amd64 #1 SMP Debian 4.9.320-2 (2022-06-30) x86_64
Apache/2.4.25 (Debian)
Server IP : 93.113.207.21 & Your IP : 216.73.216.41
Domains :
Cant Read [ /etc/named.conf ]
User : www-data
Terminal
Auto Root
Create File
Create Folder
Localroot Suggester
Backdoor Destroyer
Readme
/
etc /
crowdsec /
parsers /
s01-parse /
Delete
Unzip
Name
Size
Permission
Date
Action
apache2-logs.yaml
3.32
KB
-rw-r--r--
2024-10-04 14:15
mysql-logs.yaml
787
B
-rw-r--r--
2024-03-12 23:06
sshd-logs.yaml
4.83
KB
-rw-r--r--
2024-10-04 14:15
Save
Rename
onsuccess: next_stage #debug: true filter: "evt.Parsed.program in ['sshd-session', 'sshd']" name: crowdsecurity/sshd-logs description: "Parse openSSH logs" pattern_syntax: # The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2 # https://github.com/crowdsecurity/crowdsec/issues/938 IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND}) SSHD_AUTH_FAIL: 'pam_%{DATA:pam_type}\(sshd:auth\): authentication failure; logname= uid=%{NUMBER:uid}? euid=%{NUMBER:euid}? tty=ssh ruser= rhost=%{IP_WORKAROUND:sshd_client_ip}( %{SPACE}user=%{USERNAME:sshd_invalid_user})?' SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+' SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?' SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format' SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]' #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]' SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.' # in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers' SSHD_AUTH_TIMEOUT: 'Timeout before authentication for %{IP_WORKAROUND:sshd_client_ip}( port \d+)?' SSHD_DISPATCH_FATAL: 'ssh_dispatch_run_fatal: Connection from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?: message authentication code incorrect \[preauth\]' nodes: - grok: name: "SSHD_FAIL" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_PREAUTH_AUTHENTICATING_USER_ALT" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_PREAUTH_AUTHENTICATING_USER" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_DISC_PREAUTH" apply_on: message - grok: name: "SSHD_BAD_VERSION" apply_on: message - grok: name: "SSHD_INVALID_USER" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_NOT_ALLOWED_USER" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_INVALID_BANNER" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: extra_log_type value: ssh_bad_banner - grok: name: "SSHD_USER_FAIL" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_AUTH_FAIL" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_MAGIC_VALUE_FAILED" apply_on: message statics: - meta: log_type value: ssh_failed-auth - meta: target_user expression: "evt.Parsed.sshd_invalid_user" - grok: name: "SSHD_BAD_KEY_NEGOTIATION" apply_on: message statics: - meta: log_type value: ssh_bad_keyexchange - grok: name: "SSHD_AUTH_TIMEOUT" apply_on: message statics: - meta: log_type value: ssh_auth_timeout - grok: name: "SSHD_DISPATCH_FATAL" apply_on: message statics: - meta: log_type value: ssh_dispatch_fatal statics: - meta: service value: ssh - meta: source_ip expression: "evt.Parsed.sshd_client_ip"