How to react to "authentication failures" in log file
- From: "Orlando Amador" <orlando@xxxxxxxxxx>
- Date: Wed, 28 Feb 2007 08:40:18 -0400
Is it possible to run a script when the server logs one of these messages?
Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
I'm getting several of these every night. It seems that someone finds some
break-in script and tries to run it against my server. Currently I'm just
reacting to it. When the logwatch report comes in the morning, I use iptables
to block the remote IP. I'd like to automate that process.
I'm thinking that either sshd can launch a script in reaction to this event
or one can run a script periodically to scan the logfile and determine which
IP to add to iptables. Maybe even flush iptables periodically to keep the
reject list short.
Before I start to re-invent the wheel, any suggestions about this? Maybe
there are tools already available for this purpose?
PS. Any options in sshd to throttle down these logon events?
Saludos,
Orlando
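
The periodic log-scan approach described in the message, as an added example that is not part of the original post: it counts pam_unix failures per source address in a sliding window and renders iptables commands for review rather than running them. The function names, the threshold of 3 failures in 10 minutes, the allowlist parameter and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the pam_unix format quoted above (documentation-range addresses).
FAIL_TAIL = "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost={} user=root"
SAMPLE_LOG = [
    "Feb 28 05:25:18 www sshd(pam_unix)[27446]: " + FAIL_TAIL.format("203.0.113.7"),
    "Feb 28 05:25:23 www sshd(pam_unix)[27450]: " + FAIL_TAIL.format("203.0.113.7"),
    "Feb 28 05:25:29 www sshd(pam_unix)[27452]: " + FAIL_TAIL.format("203.0.113.7"),
    "Feb 28 06:10:02 www sshd(pam_unix)[27501]: " + FAIL_TAIL.format("198.51.100.20"),
    "Feb 28 07:00:00 www sshd(pam_unix)[27600]: " + FAIL_TAIL.format("192.0.2.10"),
    "Feb 28 07:00:05 www sshd(pam_unix)[27601]: " + FAIL_TAIL.format("192.0.2.10"),
    "Feb 28 07:00:09 www sshd(pam_unix)[27602]: " + FAIL_TAIL.format("192.0.2.10"),
    "Feb 28 07:30:00 www sshd(pam_unix)[27700]: session opened for user alice by (uid=0)",
]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*\brhost=(?P<rhost>\S+)")

def offenders(lines, year, threshold=3, window=timedelta(minutes=10), allow=()):
    """Return source IPs with >= threshold failures inside a sliding window."""
    recent, flagged = defaultdict(deque), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:  # rhost may be a hostname; only literal addresses are safe to block
            ip = str(ipaddress.ip_address(m["rhost"]))
        except ValueError:
            continue
        if ip in allow:  # never block your own management addresses
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def block_commands(ips):  # rendered for review, not executed
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(block_commands(offenders(SAMPLE_LOG, 2007, allow={"192.0.2.10"}))))
```

Validating `rhost` with `ipaddress` before building the command keeps attacker-influenced log text out of the firewall rule.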