Yes, you can set up triggers in syslog-ng that will trigger based on failed
ssh login attempts.

# Match sshd lines that record a login outcome, except the routine
# hostbased/publickey logins for root or zoneaxfr from 10.4.3.1.
# program() and match() take regular expressions; [.] keeps each dot of
# the address literal (an unescaped "." would match any character).
filter f_ssh_login_attempt {
    program("sshd.*")
    and match("(Failed|Accepted)")
    and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10[.]4[.]3[.]1)");
};

# Route the lines that pass the filter from the source 'src' (defined
# elsewhere in the configuration) to the mail-alert destination.
log {
    source(src);
    filter(f_ssh_login_attempt);
    destination(mail-alert-perl);
};

# syslog-ng starts the script once and writes each matching line to its stdin.
destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };

Sean
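The filter above, re-implemented as an added example (not code from this thread, and not the syslog-mail-perl script Sean refers to): a Python stand-in for the program() destination that reads the lines syslog-ng hands it on stdin, re-checks them against the same three conditions, counts failed attempts per source address, and raises one alert per source once it crosses a threshold. The syslog line layout, the regexes, the threshold of 3 and the sample log lines are all constructed for the example; the print stands in for sending mail.

```python
"""Stand-in for the program() destination: read sshd log lines from stdin,
re-apply the filter, count failures per source and alert past a threshold.
Added example, not part of the original thread."""
import re
import sys
from collections import defaultdict

# Syslog line layout assumed here: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^ :\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Pull result, auth method, user and source address out of an sshd login line.
LOGIN_EVENT = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)
# Mirrors the `not match(...)` clause of the config; [.] keeps the dots literal
# and \b stops 10.4.3.1 from also matching 10.4.3.10.
WHITELIST = re.compile(
    r"Accepted (hostbased|publickey) for (root|zoneaxfr) from 10[.]4[.]3[.]1\b"
)
OUTCOME = re.compile(r"(Failed|Accepted)")


def parse(line):
    """Split one syslog line into its fields; None if it does not look like syslog."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def passes_filter(rec):
    """Same three conditions as filter f_ssh_login_attempt."""
    return (
        rec["program"].startswith("sshd")           # program("sshd.*")
        and OUTCOME.search(rec["msg"]) is not None   # match("(Failed|Accepted)")
        and WHITELIST.search(rec["msg"]) is None     # and not match(...)
    )


def summarize(lines, threshold):
    """Return (matched lines, failed-attempt count per source, alerts raised).
    One alert per source, emitted the moment its count reaches `threshold`."""
    failed = defaultdict(int)
    matched, alerts = [], []
    for line in lines:
        rec = parse(line)
        if rec is None or not passes_filter(rec):
            continue
        matched.append(line)
        ev = LOGIN_EVENT.match(rec["msg"])
        if ev and ev["result"] == "Failed":
            failed[ev["src"]] += 1
            if failed[ev["src"]] == threshold:
                alerts.append((ev["src"], threshold))
    return matched, dict(failed), alerts


def format_alert(src, count):
    return f"ALERT: {count} failed ssh logins from {src}"


# Constructed sample input (not real logs): a short burst from one address,
# an exempt key login, a non-exempt key login and an unrelated cron line.
SAMPLE_LOG = [
    "Oct 11 08:20:01 gw sshd[4411]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2",
    "Oct 11 08:20:02 gw sshd[4413]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2",
    "Oct 11 08:20:03 gw sshd[4415]: Accepted publickey for root from 10.4.3.1 port 1022 ssh2",
    "Oct 11 08:20:04 gw cron[120]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 11 08:20:05 gw sshd[4417]: Accepted password for alice from 203.0.113.5 port 50001 ssh2",
    "Oct 11 08:20:06 gw sshd[4419]: Failed password for root from 192.0.2.10 port 40003 ssh2",
    "Oct 11 08:20:07 gw sshd[4421]: Accepted publickey for root from 10.4.3.9 port 1023 ssh2",
]

if __name__ == "__main__":
    # Under syslog-ng the lines arrive on stdin; run by hand, fall back to the sample.
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.readlines()
    _, counts, alerts = summarize(lines, threshold=3)
    for src, n in alerts:
        print(format_alert(src, n))  # a real destination script would mail this
```

Run as `syslog-ng ... destination { program("/path/to/this.py"); }` or by hand with the sample; with the sample input and a threshold of 3, the burst from 192.0.2.10 trips one alert, the 10.4.3.1 key login is ignored, and the 10.4.3.9 key login still passes the filter because the exemption is for one address only.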

_____
From: APerez@×××.ca [mailto:APerez@×××.ca]
Sent: Tuesday, October 11, 2005 8:22 AM
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hackers

I have a question:

Is there an application/program which can send an email whenever this
ssh attack happens?

A few months ago I got 300 attempts, which made me close the ssh port
and stop using it for a while.

Thanks

Alfredito

Jochen Maes <sejo@g.o>
10/10/2005 05:52 AM
Please respond to: gentoo-security@l.g.o
To: gentoo-security@l.g.o
cc:
Subject: [gentoo-security] hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

OK, on one of my servers I keep on getting one IP range that tries to
log in through ssh (200-300 attempts) with other usernames.
This is probably a script that's being run all the time, but the ISP
doesn't mind; I already sent my logs and my complaints and I don't
get any response.
Is there something like hackerwatch that I can send those logs to
(preferably automatically) when it's happening?
I've blocked the range now so it isn't a problem, but I hate it that the ISP
does nothing against it.

greetings,

SeJo

- --
"Defer no time, delays have dangerous ends"

Jochen Maes
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
ZPNqAHab5fXLdx11vdod5rc=
=35Kg
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list