Mailing List Archive


Re: [tlug] Login/SSH Scan Detection



Another option is tcp wrappers. The following is an example from the
man page that mails illegal tftp attempts to root:

       /etc/hosts.allow:
          in.tftpd: LOCAL, .my.domain

       /etc/hosts.deny:
          in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \
               /usr/ucb/mail -s %d-%h root) &

--Matt
On Mon, Feb 18, 2002 at 04:23:07PM +0900, ayako kato wrote:
> 
> 
> Hi,
> 
> 
> Just a few things I would try if I were you (not verified .. just
> suggestions)
> 
> 
> 1.) Portsentry
> 
> I thought portsentry had an option to run an external command. I've never
> used it but looking at the sample config file, I imagine you could put
> something like this:
> 
> KILL_RUN_CMD="/your/mail/or/pager/command option"
> 
> ... and receive an email/pager message when a scan is detected.
> 
> portsentry: www.psionic.com/products/portsentry.html
> 
> 
> 2.) Snort + Syslog-ng
> 
> Or you could use snort/syslog-ng combination. Make snort write logs into
> your syslog file. To do that you'd have something like this in your
> snort.conf (very simplified):
> 
> ---<config>---
> var HOME_NET [192.168.1.2/24]
> 
> alert tcp !$HOME_NET any -> $HOME_NET 22 (msg: "ssh scan from an unknown host!";)
> 
> output alert_syslog: LOG_AUTH LOG_ALERT
> ---<config>---
> 
>  ... and in your syslog-ng.conf:
> 
> ---<config>---
> destination dest_prog { program("/your/mail/prog your option"); };
> log { source(FOO); filter(BAR); destination(dest_prog); };
> ---<config>---
> 
> snort: www.snort.org/
> syslog-ng: www.balabit.hu/en/downloads/syslog-ng/
> 
> 
> 3.) Write your own stuff
> 
> After all, writing a little daemon script that monitors your syslog file
> may be the simplest solution ... (using perl or any language of your
> choice.)
> 
> 
> (corrections are welcome)
> ak
> 
> 
> On Mon, 18 Feb 2002, A.Sajjad Zaidi wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi,
> >
> > I've been thinking of a way to detect whenever there is a login attempt
> > and send an email notification if there is.
> >
> > It should send the alert as soon as possible so log file checkers that
> > run very often (every minute or so) might be overkill.
> >
> > Has anyone done this or knows a simple way to do it? I can get syslog
> > to write to a FIFO, but don't know how to do anything useful with it.
> >
> > - --
> > A. Sajjad Zaidi
> > System Administrator
> > Technology & Operations Div.
> > Digital Garage Inc.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE8cJVat1KjqyZ+DQ4RAjsxAJ9cP3xMPw42XlwvIVtlfegwG01YHQCeKEv2
> > JC4XQ4CeCrwMuADPL7nMSGA=
> > =2feQ
> > -----END PGP SIGNATURE-----
> >

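Option 3 in the thread ("write your own stuff") combined with the original poster's FIFO idea, worked through as an added example; this is not code from anyone in this thread. It assumes Python 3, the standard OpenSSH log phrasings, a syslogd line such as `auth,authpriv.* |/var/log/sshd.fifo` (the FIFO path is an assumption), and a sendmail binary at `/usr/sbin/sendmail` (also an assumption). The sample log lines are constructed for the offline demo. Reading the FIFO blocks until a line arrives, so alerts go out immediately without a once-a-minute log checker; repeats from one source within a quiet period are counted and folded into the next alert so a scan does not become a mail flood.

```python
#!/usr/bin/env python3
"""Read syslog lines from a FIFO as they arrive and alert on SSH login attempts.
Point syslogd at the FIFO (e.g. ``auth,authpriv.*  |/var/log/sshd.fifo``) and run as root;
repeats from one source within quiet_seconds are counted and folded into the next alert."""
import re
import subprocess
import sys
import time
from collections import defaultdict

# OpenSSH auth results: "Failed password for invalid user admin from 203.0.113.7 port ..."
# and "Accepted publickey for sajjad from 192.168.1.5 port ...".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# Connections that tcp_wrappers rejected before any authentication happened.
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_line(line):
    """Return {"kind", "user", "ip"} for an sshd event, or None for any other log line."""
    m = AUTH_RE.search(line)
    if m:
        kind = "failed" if m["result"] == "Failed" else "accepted"
        return {"kind": kind, "user": m["user"], "ip": m["ip"]}
    m = REFUSED_RE.search(line)
    if m:
        return {"kind": "refused", "user": None, "ip": m["ip"]}
    return None

def format_alert(event, suppressed):
    labels = {"failed": "failed login", "accepted": "successful login",
              "refused": "connection refused by tcp_wrappers"}
    msg = f"sshd: {labels[event['kind']]} from {event['ip']}"
    if event["user"]:
        msg += f" (user {event['user']})"
    if suppressed:
        msg += f"; {suppressed} earlier event(s) from this host suppressed"
    return msg

class LoginWatcher:
    """Turns parsed log lines into alerts, rate-limited per source address."""

    def __init__(self, notify, quiet_seconds=300, clock=time.monotonic):
        self.notify = notify            # callable that delivers one alert string
        self.quiet = quiet_seconds
        self.clock = clock              # injectable so the logic can be exercised offline
        self.last_alert = {}            # ip -> time of the last alert sent
        self.suppressed = defaultdict(int)

    def handle(self, line):
        """Process one log line; return the alert text if one was sent, else None."""
        event = parse_line(line)
        if event is None:
            return None
        ip, now = event["ip"], self.clock()
        last = self.last_alert.get(ip)
        if last is not None and now - last < self.quiet:
            self.suppressed[ip] += 1    # still counted, reported with the next alert
            return None
        msg = format_alert(event, self.suppressed.pop(ip, 0))
        self.last_alert[ip] = now
        self.notify(msg)
        return msg

def mail_root(msg):
    """Deliver one alert to root via the local MTA (the sendmail path is an assumption).
    The text goes in on stdin, not a shell command line, so log content cannot inject shell syntax."""
    body = f"To: root\nSubject: {msg}\n\n{msg}\n"
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=body.encode(), check=False)

def run(fifo_path, watcher):
    while True:
        with open(fifo_path) as fifo:   # open() blocks until syslogd holds the write end
            for line in fifo:           # returns as each line arrives, no polling
                watcher.handle(line.rstrip("\n"))
        time.sleep(1)                   # writer closed (syslogd restart): reopen and go on

# Constructed sample lines for the offline demo; not taken from any real host.
SAMPLE_LINES = [
    "Feb 18 16:20:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2",
    "Feb 18 16:20:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 40124 ssh2",
    "Feb 18 16:20:03 host sshd[1240]: Accepted publickey for sajjad from 192.168.1.5 port 51000 ssh2",
    "Feb 18 16:20:04 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 18 16:25:10 host sshd[1250]: refused connect from 203.0.113.7",
]

def demo():
    """Feed the sample lines through a watcher with a scripted clock; return the alerts sent."""
    ticks = iter([0, 1, 2, 310])        # seconds; one tick per line that parses as an sshd event
    alerts = []
    watcher = LoginWatcher(alerts.append, quiet_seconds=300, clock=lambda: next(ticks))
    for line in SAMPLE_LINES:
        watcher.handle(line)
    return alerts

if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "/var/log/sshd.fifo", LoginWatcher(mail_root))
```

Run it as `python3 sshwatch.py /var/log/sshd.fifo` once the FIFO exists (`mkfifo`) and syslogd has been HUPed to pick up the new line. On the constructed sample, `demo()` produces three alerts: the first failure from 203.0.113.7, the successful login from 192.168.1.5, and the later tcp_wrappers refusal from 203.0.113.7, which carries the count of the one suppressed failure in between. Unlike the `spawn` line in the hosts.deny example, the alert text here never passes through a shell, which matters because user names in sshd log lines are attacker-chosen.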
