Mailing List Archive


Re: [tlug] Login/SSH Scan Detection



Never mind that suggestion since it won't work with sshd daemonized.  I'm
having a bad reading day.

--Matt
On Mon, Feb 18, 2002 at 05:25:54PM +0900, Matt Doughty wrote:
> Another option is tcp wrappers. The following is an example from the
> man page that mails illegal tftp attempts to root:
> 
>        /etc/hosts.allow:
>           in.tftpd: LOCAL, .my.domain
> 
>        /etc/hosts.deny:
>           in.tftpd: ALL: spawn (/some/where/safe_finger -l @%h | \
>                /usr/ucb/mail -s %d-%h root) &
> 
> --Matt
> On Mon, Feb 18, 2002 at 04:23:07PM +0900, ayako kato wrote:
> > 
> > 
> > Hi,
> > 
> > 
> > Just a few things I would try if I were you (not verified .. just
> > suggestions)
> > 
> > 
> > 1.) Portsentry
> > 
> > I thought portsentry had an option to run an external command. I've never
> > used it but looking at the sample config file, I imagine you could put
> > something like this:
> > 
> > KILL_RUN_CMD="/your/mail/or/pager/command option"
> > 
> > ... and receive an email/pager message when a scan is detected.
> > 
> > portsentry: www.psionic.com/products/portsentry.html
> > 
> > 
> > 2.) Snort + Syslog-ng
> > 
> > Or you could use snort/syslog-ng combination. Make snort write logs into
> > your syslog file. To do that you'd have something like this in your
> > snort.conf (very simplified):
> > 
> > ---<config>---
> > var HOME_NET [192.168.1.2/24]
> > 
> > # variables are referenced with a leading $; a rule must be on one line
> > alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"ssh scan from an unknown host!";)
> > 
> > output alert_syslog: LOG_AUTH LOG_ALERT
> > ---<config>---
> > 
> >  ... and in your syslog-ng.conf:
> > 
> > ---<config>---
> > destination dest_prog { program("/your/mail/prog your option"); };
> > log { source(FOO); filter(BAR); destination(dest_prog); };
> > ---<config>---
> > 
> > snort: www.snort.org/
> > syslog-ng: www.balabit.hu/en/downloads/syslog-ng/
> > 
> > 
> > 3.) Write your own stuff
> > 
> > After all, writing a little daemon script that monitors your syslog file
> > may be the simplest solution ... (using perl or any language of your
> > choice.)
> > 
> > 
> > (corrections are welcome)
> > ak
> > 
> > 
> > On Mon, 18 Feb 2002, A.Sajjad Zaidi wrote:
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Hi,
> > >
> > > I've been thinking of a way to detect whenever there is a login attempt
> > > and send an email notification if there is.
> > >
> > > It should send the alert as soon as possible so log file checkers that
> > > run very often (every minute or so) might be overkill.
> > >
> > > Has anyone done this or knows a simple way to do it? I can get syslog
> > > to write to a FIFO, but don't know how to do anything useful with it.
> > >
> > > - --
> > > A. Sajjad Zaidi
> > > System Administrator
> > > Technology & Operations Div.
> > > Digital Garage Inc.
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.0.6 (GNU/Linux)
> > > Comment: For info see http://www.gnupg.org
> > >
> > > iD8DBQE8cJVat1KjqyZ+DQ4RAjsxAJ9cP3xMPw42XlwvIVtlfegwG01YHQCeKEv2
> > > JC4XQ4CeCrwMuADPL7nMSGA=
> > > =2feQ
> > > -----END PGP SIGNATURE-----
> > >

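The third suggestion in the thread (a small daemon that watches syslog, fed here from the FIFO the original poster already has syslog writing to), worked through as an added example; this is not code from anyone in the thread. It assumes sshd logs through syslog in the classic sysklogd line format, that syslogd is pointed at a named pipe (the `|/path` destination in syslog.conf), and that /usr/sbin/sendmail exists for the notification. The log lines are constructed, not captured traffic. It goes a little beyond the question by counting failures per source address over a sliding window, so one alert covers a whole scan instead of one mail per probe.

```python
"""Near-real-time sshd scan / login detector fed from a syslog FIFO.
Added example for the TLUG thread; assumptions are marked in comments."""
import re
import subprocess
import time
from collections import defaultdict, deque

# Classic sysklogd line: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# sshd messages worth acting on; each regex extracts the peer address.
# Checked in this order, so the "Failed password" form wins over "Invalid user".
EVENT_RES = {
    "failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    "invalid_user": re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    # Port scanner or banner grabber: connected, never sent an SSH version string.
    "no_ident": re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
    "accepted": re.compile(
        r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"),
}


def parse_line(line):
    """Return (event, ip, user) for a recognised sshd line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for event, rx in EVENT_RES.items():
        em = rx.search(m.group("msg"))
        if em:
            return event, em.group("ip"), em.groupdict().get("user")
    return None


class ScanDetector:
    """Per-source sliding window; one alert per source per window."""

    def __init__(self, threshold=3, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)   # ip -> arrival times of failures
        self.last_alert = {}             # ip -> time of last alert sent

    def feed(self, line, now):
        """Consume one syslog line; return an alert string or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        event, ip, user = parsed
        if event == "accepted":
            # A real login is reported at once; that was the original request.
            return f"login by {user} from {ip}"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        recently = ip in self.last_alert and now - self.last_alert[ip] < self.window_s
        if len(q) >= self.threshold and not recently:
            self.last_alert[ip] = now
            return f"{len(q)} ssh failures from {ip} in {self.window_s}s (last: {event})"
        return None


def notify_by_mail(subject, body, rcpt="root"):
    """Hand the alert to the local MTA; /usr/sbin/sendmail is an assumed path."""
    msg = f"To: {rcpt}\nSubject: {subject}\n\n{body}\n"
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=msg.encode(), check=False)


def monitor_fifo(path, detector, notify=notify_by_mail):
    """Block on the FIFO syslogd writes to (assumed syslog.conf line:
    'auth,authpriv.*  |/var/log/sshd.fifo') and act on each line as it lands.
    Reopening after EOF survives a syslogd restart."""
    while True:
        with open(path) as fifo:              # blocks until syslogd opens its end
            for line in fifo:
                alert = detector.feed(line, time.time())
                if alert:
                    notify("ssh alert: " + alert, line.strip())


# Constructed sample log, not real traffic (203.0.113.0/24 is documentation space).
SAMPLE_LOG = [
    "Feb 18 16:20:01 host sshd[4711]: Did not receive identification string from 203.0.113.9",
    "Feb 18 16:20:03 host sshd[4712]: Invalid user admin from 203.0.113.9",
    "Feb 18 16:20:03 host sshd[4712]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    "Feb 18 16:20:05 host sshd[4713]: Failed password for root from 203.0.113.9 port 40123 ssh2",
    "Feb 18 16:21:10 host sshd[4720]: Accepted publickey for sajjad from 192.0.2.10 port 51000 ssh2",
    "Feb 18 16:21:11 host cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run_sample(threshold=3):
    """Replay SAMPLE_LOG through the detector (one second per line); return alerts."""
    det = ScanDetector(threshold=threshold, window_s=60)
    alerts = []
    for i, line in enumerate(SAMPLE_LOG):
        a = det.feed(line, now=float(i))
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Run it against the FIFO with `monitor_fifo("/var/log/sshd.fifo", ScanDetector())` from a process started at boot; `run_sample()` replays the constructed lines and yields two alerts, one for the three-probe scan and one for the successful login. Because the FIFO is read as lines arrive, the delay is the MTA's, not a cron interval, which is what the original question asked for.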