Re: One approach to dealing with SSH brute force attacks.




On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
> On Wed, Jan 30, 2008, Brian Mathis wrote:
> ...
> >
> >Log parsing scripts often don't provide the immediacy that rate
> >limiting does when under attack.  You'd have to run the script
> >constantly parsing logs, since most ssh scans come in bursts.
> 
> We use swatch for this and other interesting events (e.g. NICs
> being put in promiscuous mode).  It continually monitors one or
> more log files using gnu-tail in a perl script, and can do
> various things depending on a configuration file.  It can send
> e-mail notifications and/or execute scripts which can do anything
> your heart desires.
> 
Hello,

Do you have any specific swatch config lines for detecting ssh
brute-force attacks? If so would you care to share them? (off-list if
you prefer). Likewise we use swatch for general log monitoring, and have
it report back anything unusual to our central monitoring system (Big
Brother).



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: John.Horne@xxxxxxxxxxxxxx       Fax: +44 (0)1752 233839
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
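
An added example, not part of the original thread and not swatch's own code or configuration: the kind of per-source burst check that a log watcher's script action could run over sshd "Failed password" lines. The threshold of 5 failures in 60 seconds, the `year` parameter, the function name and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" syslog line. The user field is matched greedily and
# the pattern is anchored at the end, so only the trailing "from IP port N"
# written by sshd is used and text inside the user name cannot supply the address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+(?: ssh\d*)?\s*$"
)

def detect_bursts(lines, threshold=5, window_seconds=60, year=2008):
    """Return {ip: time the threshold was first reached} for every source with
    `threshold` or more failures inside a sliding `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

# Constructed sample log lines (documentation addresses, hypothetical host name).
SAMPLE = (
    [f"Jan 30 13:05:{s:02d} host1 sshd[2101]: Failed password for invalid user admin "
     f"from 192.0.2.10 port 40{s:02d} ssh2" for s in (1, 3, 4, 6, 9)]
    + [f"Jan 30 13:{m:02d}:00 host1 sshd[2102]: Failed password for root "
       f"from 203.0.113.5 port 51{m:02d} ssh2" for m in (10, 12, 14, 16, 18)]
    + ["Jan 30 13:20:00 host1 sshd[2103]: Accepted password for john "
       "from 198.51.100.7 port 2222 ssh2"]
)

if __name__ == "__main__":
    for ip, when in detect_bursts(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} burst from {ip}")
```

The slow source in the sample (one failure every two minutes) is deliberately not flagged, which shows what a short window misses and why the window and threshold need tuning per site.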
