Re: One approach to dealing with SSH brute force attacks.




On Mon, Feb 04, 2008, John Horne wrote:
>
>On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
>> On Wed, Jan 30, 2008, Brian Mathis wrote:
>> ...
>> >
>> >Log parsing scripts often don't provide the immediacy that rate
>> >limiting does when under attack.  You'd have to run the script
>> >constantly parsing logs, since most ssh scans come in bursts.
>> 
>> We use swatch for this and other interesting events (e.g. NICs
>> being put in promiscuous mode).  It continually monitors one or
>> more log files using gnu-tail in a perl script, and can do
>> various things depending on a configuration file.  It can send
>> e-mail notifications and/or execute scripts which can do anything
>> your heart desires.
>> 
>Hello,
>
>Do you have any specific swatch config lines for detecting ssh
>brute-force attacks? If so would you care to share them? (off-list if
>you prefer). Likewise we use swatch for general log monitoring, and have
>it report back anything unusual to our central monitoring system (Big
>Brother).

Here's part of the swatchrc file from one of our public servers.
We get many more reports from sshd via tcp_wrappers (libwrap)
which have been modified to use DNSRBLs to white and black list
various hosts and IP ranges.

perlcode 0 use Sys::Hostname::Long;
perlcode 0 my $host_long = hostname_long;
perlcode 0 my $email = qq(support\@$host_long);
perlcode 0 my $secmail = qq(security\@$host_long);
# Split each syslog line so $host_name and @message can be used in subjects.
perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/);

# A NIC entering promiscuous mode is a sniffer indicator; $1 is the device.
watchfor /device (\S+) entered promiscuous mode/
    mail addresses=$secmail, subject=[swatch] $host_name promiscuous $1

watchfor /File name too long/
    mail addresses=$email, subject=[swatch] BufferOverflow_attempt

watchfor /DHCPREQUEST/
    mail addresses=postmaster, subject=[swatch] $host_name@message

# SSH brute force: track by source host ($1). type=both fires once when the
# 3rd failure lands inside a 60 second window, then stays quiet for the window.
watchfor /Failed password for.*from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name@message

# Every successful root login, by password or by key, is reported.
watchfor /Accepted password for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh password $1

watchfor /Accepted publickey for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1

watchfor /Invalid login as admin/
    mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /Invalid login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /Successful login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /DeliveryErrors/
    mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors

watchfor /file system full/
    mail addresses=$email, subject=[swatch] $host_name@message

# Same windowed threshold for tcp_wrappers (libwrap) refusals, tracked by host.
watchfor /refused connect from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name@message

# end of file

Bill
--
INTERNET:   bill@xxxxxxxxxxxxx  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

there is nothing more difficult to take in hand, more perilous to
conduct, or more uncertain in its success, than to take the lead in
the introduction of a new order of things.  Because the innovator has
for enemies all those who have done well under the old conditions,
and lukewarm defenders in those who may do well under the new.
    -- Machiavelli
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
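The `threshold track_by=$1,type=both,count=3,seconds=60` rule in Bill's swatchrc is what turns a burst of sshd failures into a single alert. As an added example, not part of Bill's post or of swatch itself, the following Python emulates that per-host windowing over constructed sshd log lines; the hostnames, addresses and the assumed year 2008 are made up for the sample.

```python
import re
from datetime import datetime

# Same regex as the swatchrc rule; group 1 is the source host swatch tracks.
FAILED = re.compile(r"Failed password for.*from\s+(\S+)")

# Constructed sample sshd lines (syslog prefix carries no year); hosts are made up.
SAMPLE_LOG = """\
Feb  4 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb  4 10:00:05 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Feb  4 10:00:09 web1 sshd[2103]: Accepted publickey for bill from 198.51.100.9 port 51000 ssh2
Feb  4 10:00:12 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 40114 ssh2
Feb  4 10:00:30 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40115 ssh2
Feb  4 10:00:40 web1 sshd[2106]: Failed password for bill from 198.51.100.9 port 51001 ssh2
Feb  4 10:02:00 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40116 ssh2
""".splitlines()

def parse_line(line, year=2008):
    """Return (timestamp, source_host) for a failed-password line, else None.
    syslog omits the year, so the caller supplies it (assumed 2008 here)."""
    m = FAILED.search(line)
    if not m:
        return None
    month, day, clock = line.split(None, 3)[:3]
    ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, m.group(1)

def threshold_alerts(lines, count=3, seconds=60):
    """Emulate 'threshold track_by=$1,type=both,count=N,seconds=S': a window
    opens per host at its first hit, fires once when hits reach `count` inside
    it, and stays silent until a new window starts. Returns [(iso_time, host)]."""
    windows = {}  # host -> [window_start, hits, already_fired]
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        w = windows.get(host)
        if w is None or (ts - w[0]).total_seconds() > seconds:
            w = windows[host] = [ts, 0, False]  # first hit or expired: new window
        w[1] += 1
        if w[1] >= count and not w[2]:
            w[2] = True
            alerts.append((ts.isoformat(), host))
    return alerts

if __name__ == "__main__":
    for when, host in threshold_alerts(SAMPLE_LOG):
        print(f"[swatch] ssh brute force from {host} at {when}")
```

With the sample, only 203.0.113.7 reaches three failures inside one window (at 10:00:12); its fourth failure at 10:00:30 is suppressed and the one at 10:02:00 starts a fresh window without alerting.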
