Mailing List Archive
Re: [tlug] Login/SSH Scan Detection
- To: tlug@example.com
- Subject: Re: [tlug] Login/SSH Scan Detection
- From: ayako kato <ayako.kato@example.com>
- Date: Mon, 18 Feb 2002 16:23:07 +0900 (JST)
- Content-type: TEXT/PLAIN; charset=US-ASCII
- In-reply-to: <20020218054708.GA13856@example.com>
Hi,

Just a few things I would try if I were you (not verified .. just suggestions)

1.) Portsentry

I thought portsentry had an option to run an external command. I've never used it but looking at the sample config file, I imagine you could put something like this:

KILL_RUN_CMD="/your/mail/or/pager/command option"

... and receive an email/pager message when a scan is detected.

portsentry: www.psionic.com/products/portsentry.html

2.) Snort + Syslog-ng

Or you could use a snort/syslog-ng combination. Make snort write logs into your syslog file. To do that you'd have something like this in your snort.conf (very simplified):

---<config>---
var HOME_NET [192.168.1.2/24]
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg: "ssh scan from an unknown host!";)
output alert_syslog: LOG_AUTH LOG_ALERT
---<config>---

... and in your syslog-ng.conf:

---<config>---
destination dest_prog { program("/your/mail/prog your option"); };
log { source(FOO); filter(BAR); destination(dest_prog); };
---<config>---

snort: www.snort.org/
syslog-ng: www.balabit.hu/en/downloads/syslog-ng/

3.) Write your own stuff

After all, writing a little daemon script that monitors your syslog file may be the simplest solution ... (using perl or any language of your choice.)

(corrections are welcome)

ak

On Mon, 18 Feb 2002, A.Sajjad Zaidi wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I've been thinking of a way to detect whenever there is a login attempt
> and send an email notification if there is.
>
> It should send the alert as soon as possible so log file checkers that
> run very often (every minute or so) might be overkill.
>
> Has anyone done this or knows a simple way to do it? I can get syslog
> to write to a FIFO, but don't know how to do anything useful with it.
>
> - --
> A. Sajjad Zaidi
> System Administrator
> Technology & Operations Div.
> Digital Garage Inc.
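The "write your own stuff" option in the reply above, fed from the syslog FIFO the original question mentions, as an added example that is not code from the thread (Perl, as suggested there, would do just as well): a small watcher that reads syslog lines, counts sshd failures per source address inside a sliding time window, and hands a one-line alert to whatever mail or pager command is given on the command line. The sshd log line format, the threshold and window, the sample lines and the script name are assumptions made for this example.

```python
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

# Assumed syslog-style sshd failure lines, e.g.
#   "Feb 18 16:23:02 gw sshd[1202]: Failed password for root from 192.0.2.10 port 4023 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})")

class SshScanDetector:
    # Alerts once per source IP when it produces `threshold` sshd failures inside `window` seconds.
    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)   # ip -> timestamps of its recent failures
        self.alerted = set()             # sources already reported, to avoid a mail storm

    def feed(self, line, now):
        # Consume one log line seen at time `now`; return an alert string or None.
        m = FAILED_RE.search(line)
        if not m:
            return None                  # not a failure line (e.g. "Accepted password")
        ip = m.group(1)
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                  # forget failures that fell out of the window
        if len(q) >= self.threshold and ip not in self.alerted:
            self.alerted.add(ip)
            return f"{len(q)} sshd failures from {ip} in {self.window}s"
        return None
# Constructed sample lines (not from the thread): three failures from one host, one success elsewhere.
SAMPLE_LINES = [
    "Feb 18 16:23:01 gw sshd[1201]: Invalid user admin from 192.0.2.10 port 4022",
    "Feb 18 16:23:02 gw sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Feb 18 16:23:03 gw sshd[1203]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Feb 18 16:23:04 gw sshd[1204]: Accepted password for ayako from 198.51.100.7 port 5110 ssh2",
]
def demo():
    # Run the sample through a detector with a low threshold; returns the alerts raised.
    det = SshScanDetector(threshold=3, window=60)
    return [a for i, line in enumerate(SAMPLE_LINES) if (a := det.feed(line, 1000 + i))]
if __name__ == "__main__":               # ssh_scan_watch.py /path/to/syslog-fifo "mail -s alert root"
    det = SshScanDetector()
    with open(sys.argv[1]) as fifo:      # blocks until syslogd writes; reopen on EOF in real use
        for line in fifo:
            alert = det.feed(line, time.time())
            if alert:
                subprocess.run(sys.argv[2], shell=True, input=alert.encode(), check=False)
```

Because the FIFO delivers each line as syslogd writes it, the alert goes out within a second of the threshold being crossed rather than on the next cron tick, and the per-source "alert once" set keeps a noisy scanner from flooding the mailbox.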