SSH successful collection #824
Comments
Link to #825

Hello, with Debian Bookworm abandoning auth.log for ssh connections, will Crowdsec provide a solution for securing ssh?

Yes, we support journald output; see the documentation, where you can see the current ssh example for Debian 12.

How can Crowdsec, installed in a Docker container, read the syslog of the host?

Mount the journal files from the host into the container, and then set up acquisition to find the files via journald. You need to use the Here is an example of acquisition: https://github.com/crowdsecurity/home-assistant-addons/blob/234549b74260ae698c5f6462a19ad5f27f7b5b5f/crowdsec/config.yaml#L23-L28 We also have an example in our docker-compose repository: https://github.com/crowdsecurity/example-docker-compose/blob/main/journald/docker-compose.yml
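The setup described in the reply above (host journal mounted into the container, acquisition pointed at the ssh unit), as an added example that is not the project's own compose file or the linked config; the directory layout, the image tag, the `ssh.service` unit name and the `/etc/machine-id` mount are assumptions made here:

```yaml
# docker-compose.yml (added example; assumes the host runs systemd-journald
# with persistent storage under /var/log/journal)
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    restart: unless-stopped
    volumes:
      # Host journal, read-only: the container only needs to read it.
      - /var/log/journal:/var/log/journal:ro
      # journalctl only opens journals for the local machine id, so give the
      # container the host's id; otherwise the mounted journal reads as empty.
      - /etc/machine-id:/etc/machine-id:ro
      # Acquisition files are picked up from acquis.d inside the container.
      - ./acquis.d:/etc/crowdsec/acquis.d
      - crowdsec-db:/var/lib/crowdsec/data
    environment:
      # Install the sshd parsers and scenarios at start-up.
      COLLECTIONS: "crowdsecurity/sshd"
volumes:
  crowdsec-db: {}
---
# acquis.d/journald-sshd.yaml: read only the ssh unit from the mounted journal
# (on Debian 12 the unit is ssh.service; adjust the filter if yours differs).
source: journalctl
journalctl_filter:
  - "_SYSTEMD_UNIT=ssh.service"
labels:
  type: syslog
```

After `docker compose up -d`, `docker compose exec crowdsec cscli metrics` should list the journalctl source with a non-zero line count; a zero count usually means the machine-id or the unit name does not match the host.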
I get this fatal error

I have tried to change the user in the

So for Debian the valid configuration is:

    plugin_config:
      user: nobody
      group: nogroup
After https://www.crowdsec.net/blog/detecting-successful-ssh-brute-force we should package up a collection that can detect successful ssh logins and can generate an alert and decisions on the last IP.

(Note: I will point out that this is not a silver bullet unless they also temporarily ban the user, as they can switch IP and just relogin.)