I've noticed over the last few months that ssh attack scanning scripts have
been proliferating. The scripts attack using a common set of usernames with
weak password combinations, and result in a long line of log entries like:

Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41

The common usernames are admin root webmaster data rolo guest test patrick
iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51
cip52 sybase oracle mysql master account server henry frank adam george
(included here for easier googling on the problem).

I use the excellent portsentry to detect and shut down IPs that do
traditional nmap-style portscans of my machines. This attack script isn't a
port scan, so it just shows up in my security log summaries every morning.

Can anyone help me out with a simple log scanning script that could detect the
'Illegal user xxx' strings in /var/log/secure and issue the
"/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
addresses down?

The scan volume is up to about two a day on each of my servers, and I'd like
to get this crap out of my logs.

Any assistance appreciated: I and many other people would thank anyone who
would whip up a script to block this stuff.

Regards,

- Brian

--
gentoo-security@g.o mailing list
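One way to build the log scanner the post asks for, as an added example that is not from the original thread: it parses the 'Illegal user ... from IP' lines quoted above, counts probes per source address, and emits the iptables DROP command from the post for each offender. The allowlist, the threshold (so one mistyped login does not get an address dropped), the dry-run default and the sample log lines are assumptions for this example; the 'Invalid user' wording used by newer sshd versions is accepted alongside 'Illegal user'.

```python
"""Scan sshd log text for 'Illegal user' probes and build iptables DROP rules.
Added example, not from the post.  Assumed: the log format quoted in the post;
an ALLOWLIST of the admin's own addresses; a THRESHOLD before an IP is dropped."""
import re
import subprocess
from collections import Counter

# Constructed sample log lines in the format quoted in the post.
SAMPLE_LOG = """\
Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov 6 17:44:21 ethos sshd[3810]: Illegal user admin from 211.185.202.3
Nov 6 17:44:24 ethos sshd[3812]: Illegal user guest from 211.185.202.3
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41
Nov 7 08:12:02 ethos sshd[9001]: Accepted publickey for brian from 192.0.2.10
Nov 7 09:30:44 ethos sshd[9100]: Invalid user oracle from 192.0.2.10
"""

# Matches the 2004-era 'Illegal user' wording and the later 'Invalid user' one.
ILLEGAL_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

ALLOWLIST = {"192.0.2.10"}  # assumed admin address: never block it
THRESHOLD = 2               # one probe is not enough to drop an address

def count_illegal_users(log_text):
    """Return {ip: number of illegal-user attempts} found in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)

def block_commands(counts, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """One iptables DROP command (as argv list) per offender above threshold."""
    return [["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
            for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]

def run(log_text, apply=False):
    """Print the rules; execute them only when apply=True (needs root)."""
    cmds = block_commands(count_illegal_users(log_text))
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return cmds

if __name__ == "__main__":
    run(SAMPLE_LOG)  # dry run over the constructed sample
```

To use it on a real machine, read /var/log/secure into `log_text`, run it from cron, and keep a record of addresses already dropped so the same rule is not inserted every run.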