Gentoo Archives: gentoo-security

From: Sean Cook <scook@×××××.net>
To: gentoo-security@l.g.o
Subject: RE: [gentoo-security] hackers
Date: Tue, 11 Oct 2005 12:37:13
Message-Id: 20051011122358.847EF2BBE5@franklin.kinex.net
In Reply to: Re: [gentoo-security] hackers by APerez@cds.ca
Yes, you can set up triggers in syslog-ng that will trigger based on failed
ssh login attempts.

 

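filter f_ssh_login_attempt {
        # sshd messages that report a failed or an accepted login ...
        program("sshd.*")
        and match("(Failed|Accepted)")
        # ... except the expected key/host-based logins from the known host
        and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

log {
        source(src);
        filter(f_ssh_login_attempt);
        destination(mail-alert-perl);
};

# Each matching message is written to the stdin of this program
destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };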

 

Sean

 

  _____  

From: APerez@×××.ca [mailto:APerez@×××.ca] 
Sent: Tuesday, October 11, 2005 8:22 AM
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hackers

 


I have a question: 

Is there an application/program which can send an email whenever this
ssh attack happens?

A few months ago I got 300 attempts which made me close ssh port 
and stop using it for a while. 

Thanks 

Alfredito
  




Jochen Maes <sejo@g.o>
10/10/2005 05:52 AM
Please respond to: gentoo-security@l.g.o
To: gentoo-security@l.g.o
Subject: [gentoo-security] hackers

 


 

 




Hey all,

OK, on one of my servers I keep on getting one IP range that tries to
log in through ssh (200-300) attempts with other usernames.
This is probably a script that's being run all the time, but the ISP
doesn't mind; I already sent my logs and my complaints and I don't
get any response.
Is there something like hackerwatch that I can send those logs to
(preferably automatically) when this happens?
I've blocked the range now, so it isn't a problem, but I hate it that the ISP
does nothing against it.

greetings,

SeJo

-- 
"Defer no time, delays have dangerous ends"

Jochen Maes
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org

-- 
gentoo-security@g.o mailing list
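
The thread does not show /usr/local/bin/syslog-mail-perl, so the following is an added example, not code from the thread: a Python stand-in for a handler behind a syslog-ng program() destination, which reads the filtered sshd lines from stdin and builds one mail per source address once it reaches a failure threshold, instead of one mail per attempt. The threshold, the mail addresses, the local MTA and the sample log lines are assumptions made for the example.

```python
import re
import smtplib
import sys
from collections import Counter
from email.message import EmailMessage

# sshd auth lines as syslog-ng writes them to the program's stdin, one per line.
# "illegal user" is the wording older OpenSSH releases used for "invalid user".
SSH_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+)"
)
THRESHOLD = 5  # assumed value: failures from one address before a mail is built

# Constructed sample input (documentation addresses), not real log data.
SAMPLE = [
    f"Oct 11 12:00:0{i} host sshd[4242]: Failed password for invalid user "
    f"test{i} from 203.0.113.7 port 4000 ssh2"
    for i in range(6)
] + ["Oct 11 12:01:00 host sshd[4300]: Accepted password for alice "
     "from 192.0.2.10 port 50022 ssh2"]

def build_alert(kind, ip, line, rcpt="root@localhost"):
    msg = EmailMessage()  # built here, sent by the caller; rcpt is assumed
    msg["To"] = rcpt
    msg["From"] = "syslog-ng@localhost"
    msg["Subject"] = f"[sshd] {kind} from {ip}"
    msg.set_content(line)
    return msg

def process(lines, threshold=THRESHOLD):
    """Yield alert mails as lines arrive, so a long-running pipe is not blocked."""
    failures = Counter()  # grows with distinct addresses; never pruned here
    for line in lines:
        m = SSH_EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Accepted":
            yield build_alert(f"login accepted for {m['user']}", m["ip"], line.strip())
            continue
        failures[m["ip"]] += 1
        if failures[m["ip"]] == threshold:  # one mail per address, not per attempt
            yield build_alert(f"{threshold} failed logins", m["ip"], line.strip())

if __name__ == "__main__":
    for alert in process(sys.stdin):
        with smtplib.SMTP("localhost") as smtp:  # assumes a local MTA on port 25
            smtp.send_message(alert)
```

The counter has no time window, so a handler meant to run for weeks would also need to expire old entries.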