Mailing List Archive
Re: [tlug] Login/SSH Scan Detection
- To: tlug@example.com
- Subject: Re: [tlug] Login/SSH Scan Detection
- From: Matt Doughty <mdoughty@example.com>
- Date: Mon, 18 Feb 2002 17:25:54 +0900
- Content-disposition: inline
- Content-transfer-encoding: 7bit
- Content-type: text/plain; charset=us-ascii
- In-reply-to: <Pine.GSO.4.43.0202181530380.4735-100000@example.com>; from ayako.kato@example.com on Mon, Feb 18, 2002 at 04:23:07PM +0900
- Mail-followup-to: Matt Doughty <mdoughty@example.com>, tlug@example.com
- References: <20020218054708.GA13856@example.com> <Pine.GSO.4.43.0202181530380.4735-100000@example.com>
- User-agent: Mutt/1.2.4i-jp0
Another option is tcp wrappers. The following is an example from the man
page that mails illegal tftp attempts to root:

/etc/hosts.allow:
    in.tftpd: LOCAL, .my.domain

/etc/hosts.deny:
    in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \
        /usr/ucb/mail -s %d-%h root) &

--Matt

On Mon, Feb 18, 2002 at 04:23:07PM +0900, ayako kato wrote:
> 
> Hi,
> 
> Just a few things I would try if I were you (not verified .. just
> suggestions)
> 
> 1.) Portsentry
> 
> I thought portsentry had an option to run an external command. I've never
> used it but looking at the sample config file, I imagine you could put
> something like this:
> 
> KILL_RUN_CMD="/your/mail/or/pager/command option"
> 
> ... and receive an email/pager message when a scan is detected.
> 
> portsentry: www.psionic.com/products/portsentry.html
> 
> 2.) Snort + Syslog-ng
> 
> Or you could use a snort/syslog-ng combination. Make snort write logs into
> your syslog file. To do that you'd have something like this in your
> snort.conf (very simplified):
> 
> ---<config>---
> var HOME_NET [192.168.1.2/24]
> 
> alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"ssh scan from an unknown host!";)
> 
> output alert_syslog: LOG_AUTH LOG_ALERT
> ---<config>---
> 
> ... and in your syslog-ng.conf:
> 
> ---<config>---
> destination dest_prog { program("/your/mail/prog your option"); };
> log { source(FOO); filter(BAR); destination(dest_prog); };
> ---<config>---
> 
> snort: www.snort.org/
> syslog-ng: www.balabit.hu/en/downloads/syslog-ng/
> 
> 3.) Write your own stuff
> 
> After all, writing a little daemon script that monitors your syslog file
> may be the simplest solution ... (using perl or any language of your
> choice.)
> 
> (corrections are welcome)
> ak
> 
> On Mon, 18 Feb 2002, A.Sajjad Zaidi wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Hi,
> > 
> > I've been thinking of a way to detect whenever there is a login attempt
> > and send an email notification if there is.
> > 
> > It should send the alert as soon as possible so log file checkers that
> > run very often (every minute or so) might be overkill.
> > 
> > Has anyone done this or knows a simple way to do it? I can get syslog
> > to write to a FIFO, but don't know how to do anything useful with it.
> > 
> > - -- 
> > A. Sajjad Zaidi
> > System Administrator
> > Technology & Operations Div.
> > Digital Garage Inc.
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> > 
> > iD8DBQE8cJVat1KjqyZ+DQ4RAjsxAJ9cP3xMPw42XlwvIVtlfegwG01YHQCeKEv2
> > JC4XQ4CeCrwMuADPL7nMSGA=
> > =2feQ
> > -----END PGP SIGNATURE-----
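Editor's added example, not code from any poster on this thread: the "write your own stuff" route (option 3 above), wired to the original poster's syslog FIFO. It reads sshd lines as syslog writes them to the pipe, raises an alert for every login attempt at once (successes included), and adds a scan alert when one source host accumulates a threshold of failures inside a sliding window, which is the "as soon as possible" behaviour a once-a-minute log checker cannot give. Everything beyond the thread is an assumption: the FIFO path /var/run/sshwatch.fifo and the syslog.conf line feeding it, the classic OpenSSH message wording matched by SSHD_RE, the threshold and window values, delivery through the local mail(1) command, and the sample log lines, which are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example, not from the original thread: a tiny "option 3" daemon that
watches sshd messages as syslog writes them to a FIFO, alerts on every login
attempt and flags a scan when one source host fails repeatedly.

Assumptions (not from the post): syslog feeds the FIFO via a line such as
    auth,authpriv.*    |/var/run/sshwatch.fifo
in syslog.conf, the log lines use the classic OpenSSH wording matched by
SSHD_RE below, and alerts go out through the local mail(1) command.
"""
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

# Classic OpenSSH auth messages; everything else (cron, su, ...) is ignored.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password for|Invalid user|Accepted \w+ for)"
    r" (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd_line(line):
    """Return {'kind', 'user', 'src'} for an sshd auth line, else None."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    kind = "accepted" if m.group("event").startswith("Accepted") else "failed"
    return {"kind": kind, "user": m.group("user"), "src": m.group("src")}


class LoginWatcher:
    """Per-source sliding window of failures; fires one scan alert when a
    source reaches `threshold` failures inside `window` seconds."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of failures

    def process(self, line, now=None):
        """Return the alert strings raised by one syslog line (maybe none)."""
        now = time.time() if now is None else now
        ev = parse_sshd_line(line)
        if ev is None:
            return []
        # The OP wants every attempt reported immediately, success included.
        alerts = ["%s login: user=%s from %s" % (ev["kind"], ev["user"], ev["src"])]
        if ev["kind"] == "failed":
            q = self.failures[ev["src"]]
            q.append(now)
            while q and now - q[0] > self.window:   # drop entries outside the window
                q.popleft()
            if len(q) == self.threshold:            # == not >=: one alert, not a storm
                alerts.append("possible ssh scan: %d failures from %s within %.0fs"
                              % (len(q), ev["src"], self.window))
        return alerts


def mail_alert(alert, rcpt="root"):
    """Deliver one alert with mail(1) (assumed to exist on the host).
    Usernames in sshd log lines are attacker-chosen, so the command is built
    as an argv list and never passed through a shell."""
    subprocess.run(["mail", "-s", "sshwatch: " + alert, rcpt],
                   input=(alert + "\n").encode(), check=False)


def watch(fifo_path, watcher, notify=mail_alert):
    """Block on the FIFO and push alerts out as lines arrive. Syslog keeps the
    pipe open; EOF means it restarted, so reopen instead of exiting."""
    while True:
        with open(fifo_path) as fifo:
            for line in fifo:
                for alert in watcher.process(line):
                    notify(alert)


# Constructed sample log, not real traffic: three failures from one host in a
# few seconds, an unrelated cron line, one successful login, one lone failure.
SAMPLE_LOG = [
    "Feb 18 16:23:07 host sshd[4735]: Failed password for root from 10.0.0.5 port 40122 ssh2",
    "Feb 18 16:23:09 host sshd[4736]: Invalid user admin from 10.0.0.5",
    "Feb 18 16:23:10 host sshd[4736]: Failed password for invalid user admin from 10.0.0.5 port 40124 ssh2",
    "Feb 18 16:23:11 host CRON[1234]: pam_unix(cron:session): session opened for user root",
    "Feb 18 16:24:00 host sshd[4740]: Accepted publickey for alice from 192.168.1.10 port 5022 ssh2",
    "Feb 18 16:24:30 host sshd[4741]: Failed password for bob from 192.168.1.20 port 5100 ssh2",
]


def run_sample(threshold=3, window=60.0):
    """Feed SAMPLE_LOG through a watcher with synthetic one-second spacing
    and return every alert it raised (6 alerts, one of them a scan)."""
    watcher = LoginWatcher(threshold=threshold, window=window)
    alerts = []
    for i, line in enumerate(SAMPLE_LOG):
        alerts.extend(watcher.process(line, now=1000.0 + i))
    return alerts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1], LoginWatcher())          # e.g. /var/run/sshwatch.fifo
    else:
        print("\n".join(run_sample()))
```

Run it with no arguments to see the alerts for the constructed sample; run it with the FIFO path as its one argument to watch a live syslog feed. The window check is what separates a scan from a user fat-fingering a password: the per-source deque only ever holds failures from the last `window` seconds, so a host that fails twice an hour apart never trips the threshold. The one real hazard is the same one the tcp wrappers man page avoids with safe_finger: fields pulled out of the log came from the remote side, so never hand them to a shell.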
- Follow-Ups:
- Re: [tlug] Login/SSH Scan Detection
- From: Matt Doughty
- References:
- [tlug] Login/SSH Scan Detection
- From: A.Sajjad Zaidi
- Re: [tlug] Login/SSH Scan Detection
- From: ayako kato