
Re: [tlug] Login/SSH Scan Detection




Thanks Ayako,

And more thanks to Jim, I managed to send some emails with a little
Python script. I already use Snort for port scan detection, but wanted
something smaller and just for sshd.

Syslog logs 'authpriv.*' messages to a fifo, which is read by the script
line by line, and it sends all messages to me.

The only problem I've seen is that after a while I can't read anything
from the fifo. Not even with cat. The permissions are fine and it worked
initially.

Once I figure that out, I'm going to take up your suggestion no. 3.
Something in C should be fun.

-- 
A. Sajjad Zaidi
System Administrator
Technology & Operations Div.
Digital Garage Inc.


On Mon, Feb 18, 2002 at 04:23:07PM +0900, ayako kato wrote:
> 
> 
> Hi,
> 
> 
> Just a few things I would try if I were you (not verified .. just
> suggestions)
> 
> 
> 1.) Portsentry
> 
> I thought portsentry had an option to run an external command. I've never
> used it but looking at the sample config file, I imagine you could put
> something like this:
> 
> KILL_RUN_CMD="/your/mail/or/pager/command option"
> 
> ... and receive an email/pager message when a scan is detected.
> 
> portsentry: www.psionic.com/products/portsentry.html
> 
> 
> 2.) Snort + Syslog-ng
> 
> Or you could use snort/syslog-ng combination. Make snort write logs into
> your syslog file. To do that you'd have something like this in your
> snort.conf (very simplified):
> 
> ---<config>---
> var HOME_NET [192.168.1.2/24]
> 
> alert tcp !$HOME_NET any -> $HOME_NET 22 (msg: "ssh scan from an unknown host!";)
> 
> output alert_syslog: LOG_AUTH LOG_ALERT
> ---<config>---
> 
>  ... and in your syslog-ng.conf:
> 
> ---<config>---
> destination dest_prog { program("/your/mail/prog your option"); };
> log { source(FOO); filter(BAR); destination(dest_prog); };
> ---<config>---
> 
> snort: www.snort.org/
> syslog-ng: www.balabit.hu/en/downloads/syslog-ng/
> 
> 
> 3.) Write your own stuff
> 
> After all, writing a little daemon script that monitors your syslog file
> may be the simplest solution ... (using perl or any language of your
> choice.)
> 
> 
> (corrections are welcome)
> ak
> 
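As an added example in the spirit of suggestion 3 (this is not Sajjad's script or anything from the thread), here is a small Python watcher that reads syslog lines from a fifo, counts sshd failures per source address and fires an alert callback once per source when a threshold is reached; in the real setup that callback would be the mail command. The sshd message shapes, the threshold and the sample lines are assumptions, not taken from the page.

```python
import re
from collections import Counter

# Assumed sshd failure messages as seen via the authpriv facility; each names the source after 'from'.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: (?P<kind>Failed password|Invalid user|Did not receive identification string)"
    r".*?\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failure(line):
    """Return (kind, source_ip) for an sshd failure line, else None (successful logins are ignored)."""
    m = SSHD_FAIL.search(line)
    return (m.group("kind"), m.group("ip")) if m else None

class ScanDetector:
    """Count failures per source and call alert() exactly once when a source reaches the threshold."""
    def __init__(self, threshold=5, alert=print):
        self.threshold, self.alert = threshold, alert
        self.failures = Counter()  # failures seen per source address
        self.reported = set()      # sources already alerted on: one message per scan, not per line

    def feed(self, line):
        """Feed one syslog line; return True if it triggered an alert."""
        hit = parse_failure(line)
        if hit is None:
            return False
        kind, ip = hit
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold or ip in self.reported:
            return False
        self.reported.add(ip)
        self.alert("ssh scan suspected from %s: %d failures (last: %s)" % (ip, self.failures[ip], kind))
        return True

def follow_fifo(path, detector):
    """Read a fifo line by line; a writer closing yields EOF, so reopen and block for the next writer."""
    while True:
        with open(path) as fifo:
            for line in fifo:
                detector.feed(line)

# Constructed sample lines (not real log data) so the detector can be exercised offline.
SAMPLE_LINES = [
    "Feb 18 16:23:07 gw sshd[1201]: Accepted publickey for ops from 192.168.1.10 port 40122 ssh2",
    "Feb 18 16:23:09 gw sshd[1204]: Invalid user admin from 10.0.0.5",
    "Feb 18 16:23:09 gw sshd[1204]: Failed password for invalid user admin from 10.0.0.5 port 4422 ssh2",
    "Feb 18 16:23:11 gw sshd[1207]: Did not receive identification string from 10.0.0.5",
]
```

Feeding SAMPLE_LINES to a ScanDetector with threshold 3 alerts once on 10.0.0.5 and never on the accepted login; follow_fifo(path, detector) is the long-running entry point against a fifo that syslog writes authpriv.* into.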

