| 1 |
I've noticed over the last few months that ssh attack scanning scripts have |
| 2 |
been proliferating. The scripts attack using a common set of usernames with |
| 3 |
weak password combinations, and result in a long line of log entries like: |
| 4 |
|
| 5 |
Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3 |
| 6 |
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41 |
| 7 |
|
| 8 |
The common usernames are admin root webmaster data rolo guest test patrick |
| 9 |
iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51 |
| 10 |
cip52 sybase oracle mysql master account server henry frank adam george |
| 11 |
(included here for easier googling on the problem) |
| 12 |
|
| 13 |
I use the excellent portsentry to detect and shut down IP's that do |
| 14 |
traditional nmap-style portscans of my machines. This attack script isn't a |
| 15 |
port scan, so it just shows up in my security log summaries every morning. |
| 16 |
|
| 17 |
Can anyone help me out with a simple log scanning script that could detect the |
| 18 |
'illegal user xxx' strings in /var/log/secure and issue the |
| 19 |
"/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these |
| 20 |
addresses down. |
| 21 |
|
| 22 |
The scan volume is up to about two a day on each of my servers, and I'd like |
| 23 |
to get this crap out of my logs |
| 24 |
|
| 25 |
Any assistance appreciated: I and many other people would thank anyone who |
| 26 |
would whip up a script to block this stuff. |
| 27 |
|
| 28 |
Regards, |
| 29 |
|
| 30 |
- Brian |
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-security@g.o mailing list |
Archives