Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
I've noticed over the last few months that ssh attack scanning scripts have
been proliferating. The scripts attack using a common set of usernames with
weak password combinations, and result in a long line of log entries like:
Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41
The common usernames are admin root webmaster data rolo guest test patrick
iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51
cip52 sybase oracle mysql master account server henry frank adam george
(included here for easier googling on the problem)
I use the excellent portsentry to detect and shut down IP's that do
traditional nmap-style portscans of my machines. This attack script isn't a
port scan, so it just shows up in my security log summaries every morning.
Can anyone help me out with a simple log scanning script that could detect the
'illegal user xxx' strings in /var/log/secure and issue the
"/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
addresses down.
The scan volume is up to about two a day on each of my servers, and I'd like
to get this crap out of my logs
Any assistance appreciated: I and many other people would thank anyone who
would whip up a script to block this stuff.
Regards,
- Brian
--
gentoo-security@g.o mailing list
|
|
