On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
> On Wed, Jan 30, 2008, Brian Mathis wrote:
> ...
> >
> >Log parsing scripts often don't provide the immediacy that rate
> >limiting does when under attack. You'd have to run the script
> >constantly parsing logs, since most ssh scans come in bursts.
>
> We use swatch for this and other interesting events (e.g. NICs
> being put in promiscuous mode). It continually monitors one or
> more log files using gnu-tail in a perl script, and can do
> various things depending on a configuration file. It can send
> e-mail notifications and/or execute scripts which can do anything
> your heart desires.
>

Hello,

Do you have any specific swatch config lines for detecting ssh
brute-force attacks? If so would you care to share them? (off-list if
you prefer).

Likewise we use swatch for general log monitoring, and have it report
back anything unusual to our central monitoring system (Big Brother).

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 233914
E-mail: John.Horne@xxxxxxxxxxxxxx
Fax: +44 (0)1752 233839
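
Added example, not part of the original thread and not swatch configuration: a Python sketch of the burst detection discussed above, flagging a source address once it produces a run of sshd "Failed password" lines inside a short sliding window. The log lines are constructed samples, and the function name, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (documentation-range addresses).
SAMPLE_LOG = """\
Jan 30 13:10:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan 30 13:10:03 host sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jan 30 13:10:04 host sshd[2103]: Accepted password for john from 198.51.100.7 port 51000 ssh2
Jan 30 13:10:05 host sshd[2104]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan 30 13:10:06 host sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Jan 30 13:10:07 host sshd[2106]: Failed password for root from 192.0.2.10 port 40005 ssh2
Jan 30 13:25:00 host sshd[2200]: Failed password for john from 198.51.100.7 port 51010 ssh2
Jan 30 13:40:00 host sshd[2300]: Failed password for john from 198.51.100.7 port 51020 ssh2
"""

# Matches failed password attempts for both valid and invalid users.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60), year=2008):
    """Yield (ip, timestamp) the first time an IP reaches `threshold`
    failures inside a sliding `window`. `lines` may be any iterable,
    including a generator that follows a growing log file."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()               # IPs already reported once
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged.add(m["ip"])
            yield m["ip"], ts

if __name__ == "__main__":
    for ip, ts in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ts} burst of failed ssh logins from {ip}")
```

In the sample, the occasional mistyped password from 198.51.100.7 stays below the threshold, while the five failures in six seconds from 192.0.2.10 are flagged on the fifth line.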