We get attacks nightly. Last night, there were 500+ attempted logins to root through ssh. All from the same IP address. The warning banner doesn't do much good... I could call theplanet.com but then I'd be calling different ISPs almost daily because of the attacks.

Ideally, I would like the machines to automatically block the IP address of the attacker after say 5 failed attempts...

Ryan

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Smith, Albert
Sent: Wednesday, April 27, 2005 2:18 PM
To: General Red Hat Linux discussion list
Subject: RE: How to display IP of ssh user in message?

If they never are able to successfully log in then it won't matter if you display it in a banner page, as they already know that IP addresses are logged in the btmp and the wtmp logs.

Here are things to do from a liability standpoint:

1 - Have a warning banner enabled at login. It is very easy to do and I have attached one. Just put it in /etc and name it issue and make sure it has permission 444 set.

2 - Make sure /var/log/btmp exists; if not, create the file. Whenever a failed attempt happens either by local, ssh or whatever connection just do a lastb and it logs it by id - ipaddress and date/time.

3 - Continue to call theplanet.com on the number listed on their website; if they fail to respond I would contact your local police if you believe this to be a hacker attempt.

Albert Smith
Sr. Unix Systems Administrator
HPCSA, RHCT
Genex Services
440 E. Swedesford Rd.
Wayne, PA 19087
albert.smith@xxxxxxxxxxxxxxxxx
(610) 964-5154

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Burke, Thomas G.
> Sent: Wednesday, April 27, 2005 11:39 AM
> To: golharam@xxxxxxxxx; General Red Hat Linux discussion list
> Subject: RE: How to display IP of ssh user in message?
>
> Probably won't matter, as most of them are scripts...
>
> -Tom
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Ryan Golhar
> Sent: Friday, April 15, 2005 11:28 AM
> To: Burke, Thomas G.; 'General Red Hat Linux discussion list'
> Subject: RE: How to display IP of ssh user in message?
>
> My message might have been a bit confusing. When a user logs
> in via ssh, a message can be displayed. I forget what file
> this is in. I want to add their IP address to the message so
> they know that we know where they are coming from...
>
> -----Original Message-----
> From: Burke, Thomas G. [mailto:tg.burke@xxxxxxx]
> Sent: Friday, April 15, 2005 11:15 AM
> To: golharam@xxxxxxxxx; General Red Hat Linux discussion list
> Subject: RE: How to display IP of ssh user in message?
>
> This data shows up in one of the other logs - not sure which off the top
> of my head, tho.
>
> -Tom
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Ryan Golhar
> Sent: Friday, April 15, 2005 11:02 AM
> To: 'General Red Hat Linux discussion list'
> Subject: How to display IP of ssh user in message?
>
> Hi all,
>
> I notice in our logs that we get a large amount of failed attempts to
> log in. Short of blocking these domains using iptables, I was wondering
> if there is a way to display the IP address of the user logging in, in a
> message so they know we have their IP address?
>
> sshd:
>    Invalid Users:
>       Unknown Account: 602 Time(s)
>    Authentication Failures:
>       xfs (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
>       root (nitrogen.umdnj.edu ): 1 Time(s)
>       root (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
>       unknown (138.67-18-71.reverse.theplanet.com ): 595 Time(s)
>       unknown (218.153.147.92 ): 6 Time(s)
>       daemon (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
>       root (218.153.147.92 ): 3 Time(s)
>       rpc (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
>       unknown (10.136.16.244 ): 1 Time(s)
>       smmsp (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
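
Added example, not part of the original thread: a sketch of the "block after 5 failed attempts" idea raised in the message above, counting sshd failures per source address and rendering (not applying) iptables rules. The function names, the sample log lines and the `10.0.0.0/8` allowlist are assumptions made for illustration; the log format assumed is sshd's usual "Failed password for ... from ... port ..." syslog line.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line with a greedy ".*": the user name is chosen by the
# client and may contain its own " from <ip> port <n>", so only the trailing
# address, which sshd itself writes, is trusted.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh2)?\s*$")


def offenders(lines, threshold=5, allow=()):
    """Return {ip: failures} for sources with at least `threshold` failed logins."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    counts = Counter()
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not a literal address: never put unvalidated text in a rule
        if any(ip in net for net in allowed):
            continue  # allowlisted networks are never blocked
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def block_rules(ips):
    """Render (not execute) one iptables rule per offending address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]


def sample_line(user, ip):
    # Constructed sample line in sshd's syslog format; host, pid and port are made up.
    return f"Apr 27 02:10:01 host sshd[2001]: Failed password for {user} from {ip} port 40001 ssh2"


SAMPLE = (
    [sample_line("root", "203.0.113.7")] * 4
    # User name crafted to look like a "from" clause naming a different host.
    + [sample_line("invalid user x from 198.51.100.9 port 22 ssh2", "203.0.113.7")]
    + [sample_line("invalid user test", "198.51.100.9")] * 2
    + [sample_line("root", "10.136.16.244")] * 6
)

if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE, threshold=5, allow=["10.0.0.0/8"])):
        print(rule)
```

The allowlist matters as much as the threshold: without it, anyone who can generate failed logins that appear to come from an internal or administrative address can get that address locked out.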