re: SSH scans...
From: Kerry Thompson (kerry_at_crypt.gen.nz)
Date: 12/22/04
- Previous message: nixsec: "Re: SSH scans..."
- In reply to: brian_at_ethernet.org: "re: SSH scans..."
- Next in thread: nixsec: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: incidents@securityfocus.com
Date: Wed, 22 Dec 2004 21:35:45 +1300
On Wed, 2004-12-22 at 08:14, brian@ethernet.org wrote:
> I don't know how relevant this is, but--
>
> I've been getting a lot of these too, but what's been annoying me is
> that they took bandwidth and space in my logs, which I both need, as the
> brute force attempts were mainly to my development machines.
>
I've developed a version of Logsurfer which does something very similar
and can be used to detect similar attacks against other services. With
Logsurfer+ (see http://www.crypt.gen.nz/logsurfer) the rule would be:
#
# detect ssh brute force
#
# match regex: $2 is the reporting host, $3 the source address
# (in logsurfer $1 is the whole matched text, $2.. the subexpressions)
' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)' - - - 0
  # open a context for every later sshd line on $2 from $3:
  # limit 200 lines, 1800s absolute timeout, 600s relative timeout, 10 lines minimum
  open "$2 sshd\\[[0-9]*\\]: .* from $3" - 200 1800 600 10
  # action run when the context closes: mail its lines to the admin
  # (subject corrected to name the source $3; the post had $2 twice)
  report "/bin/mailx -s \"Server $2 SSH Login attempts from $3\" admin@example.com"
         "$2 sshd\\[[0-9]*\\]: .* from $3"
It's a little cryptic, but here 1800 is the absolute timeout from the
time of the first message occurring, 600 is the relative timeout after
the last message, and 10 is the minimum number of lines which are needed
to trigger the action (mailx in this case).
This has the advantage that it can watch the syslog server which
collects logs from any number of hosts, and the thresholds can be tuned
to your needs.
--
Kerry Thompson CCNA CISSP
IT Security Consultant
kerry@crypt.gen.nz
http://www.crypt.gen.nz
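A worked version of the context logic the rule relies on, added here as an example (it is neither Logsurfer+ code nor Kerry's): it opens a context per (host, source) on the first "Invalid user" line, collects later sshd lines from that source, and fires only when the context closes with at least 10 lines, using the 1800 s absolute and 600 s relative timeouts described above. The 200-line context limit is left out, the log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Same trigger pattern as the posted rule: group 1 is the host ($2), group 2 the source ($3).
TRIGGER = re.compile(r' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)')

def syslog_time(line, year=2004):
    # Syslog lines carry no year, so one is assumed for the "Dec 22 21:35:45" prefix.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

class Context:
    # One open context: every sshd line on this host from this source (the rule's open regex).
    def __init__(self, host, src, ts, line):
        self.host, self.src, self.first, self.last, self.lines = host, src, ts, ts, [line]
        self.pattern = re.compile(rf' {re.escape(host)} sshd\[[0-9]*\]: .* from {re.escape(src)}')

class BruteForceDetector:
    def __init__(self, abs_timeout=1800, rel_timeout=600, min_lines=10):
        self.abs_timeout, self.rel_timeout = timedelta(seconds=abs_timeout), timedelta(seconds=rel_timeout)
        self.min_lines, self.contexts, self.alerts = min_lines, {}, []
    def _close(self, key):
        ctx = self.contexts.pop(key)
        if len(ctx.lines) >= self.min_lines:   # the action (mailx in the post) runs only past 10 lines
            self.alerts.append((ctx.host, ctx.src, len(ctx.lines)))
    def feed(self, line):
        now = syslog_time(line)
        # Expire first: 1800 s since the first line, or 600 s of silence since the last one.
        for key, ctx in list(self.contexts.items()):
            if now - ctx.first >= self.abs_timeout or now - ctx.last >= self.rel_timeout:
                self._close(key)
        # A line is offered to the open contexts before it may open a new one.
        for ctx in self.contexts.values():
            if ctx.pattern.search(line):
                ctx.lines.append(line)
                ctx.last = now
                return
        m = TRIGGER.search(line)
        if m:
            self.contexts[m.groups()] = Context(*m.groups(), now, line)

def sample_run():
    # Constructed sample: 12 guesses from 10.0.0.9 in 11 min, 2 from 10.0.0.7, then a line 14 min later.
    lines = [f"Dec 22 21:{35 + i}:00 gw sshd[{1000 + i}]: Invalid user test{i} from 10.0.0.9" for i in range(12)]
    lines += [f"Dec 22 21:40:3{i} gw sshd[2000]: Invalid user admin from 10.0.0.7" for i in range(2)]
    lines.append("Dec 22 22:00:00 gw sshd[3000]: Invalid user root from 10.0.0.5")
    det = BruteForceDetector()
    for line in sorted(lines, key=syslog_time):
        det.feed(line)
    return det.alerts   # [('gw', '10.0.0.9', 12)]
```

The final line at 22:00 is what closes the two earlier contexts via the relative timeout; only the 12-line burst from 10.0.0.9 clears the 10-line threshold, so the 2 guesses from 10.0.0.7 raise nothing.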