
Re: [tlug] Blocking bad sshd bruteforce attempt



Hi,

2006/7/10, Joe Larabell <fred62@???>:

> Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
>
> ...
>
> I remember that someone in TLUG has posted a ruby (?) script to the
> list but I couldn't find the post in the archives.

> I have a simple but effective filter on my home machine. I added the
> following lines to /etc/syslog-ng/syslog-ng.conf to send the offending
> messages to my detection script:
>
>   filter f_anticrack { match("Invalid user"); };
>   destination d_anticrack { program("/root/bin/crackDetect"); };
>   log { source(src); filter(f_anticrack); destination(d_anticrack); };


All I had to change was:

  log { source(a_src); filter(f_anticrack); destination(d_anticrack); };

syslog now works perfectly.

> The target of the syslog filter is a script (if you're really paranoid,
> you should re-write this in a compiled language instead of a perl script):
>
>   #!/usr/bin/perl
> ... [snip]

It just works. Because it sits in /root, i.e. only root can read the
script, do you think we have any reason other than "paranoid" to
make a C version of your script?


> very early in the chain. Essentially, every packet coming into the machine
> goes through this list and hack attempts earn the hacker his very own
> place on the list. From his point-of-view, the machine disappears (script
> kiddies probably go off thinking they've crashed the machine ;-).


:), I am thinking the same, from the opposite point-of-view.

> It works fine for me. When I review the log, I often see a short burst of
> hack attempts (mostly 'a' usernames, since the list they use seems to be
> alphabetical) followed by silence.
>
> I use pretty much the same scheme (syslog->filter->iptables) to screen out
> port scanners. For that, you have to also add dropped packet logging to
> your iptables script but it's worth it.

I am working remotely now so it is not the right time to restart the
firewall. I will get back to you later. Hope it works fine.

> You also may notice that after a couple months, sites such as webshots
> apparently stop working. When that happens, it's probably time to clean
> out the SHITLIST chain. Seems some of the hacking traffic comes from IP
> addresses that belong to webshots.com ;-)...
My website gets 15000 hits per day. Robots like Yahoo or Google knock on my
web server every second but I have never seen any hit from webshots. Maybe
I am so lucky :D.

Thank you for the script!

Best Regards,
Nguyen Hung Vu
vuhung16plus{remove}@example.com
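Added example, not Joe's crackDetect script (which is snipped above) and not part of the thread: a Python sketch of the syslog-ng -> filter -> iptables scheme the thread describes. syslog-ng's program() destination writes each matching message to the program's stdin, one per line, so the script reads stdin, counts "Invalid user"/"Illegal user" lines per source address, and inserts a DROP rule into the SHITLIST chain once an address crosses a threshold. The threshold, the --dry-run/--demo flags and the sample log lines are my own assumptions; the chain name comes from the thread. The one point the example adds that the thread does not spell out is that the address is taken from attacker-influenced log text, so it is validated as an IP address and passed to iptables as an argv list, never through a shell.

```python
#!/usr/bin/env python3
"""Read sshd failed-login lines from stdin (as fed by a syslog-ng program()
destination) and drop repeat offenders via an iptables chain."""
import ipaddress
import re
import subprocess
import sys
from collections import Counter

# sshd wording differs between versions ("Illegal user" in the quoted log
# line, "Invalid user" in the syslog-ng filter above); accept both.
# The address is captured as an opaque token and validated separately.
LINE_RE = re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user \S* from (\S+)")

CHAIN = "SHITLIST"   # chain name used in the thread
THRESHOLD = 3        # assumed tunable: failures before an address is dropped


def parse_offender(line):
    """Return the offending source address as a normalised string, or None.

    Anything that is not a syntactically valid IPv4/IPv6 address is rejected,
    so text an attacker can place in the log (e.g. in the username field, or
    a crafted 'from' token) can never reach the iptables command line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def block_rule(ip):
    """argv for inserting a DROP rule into the chain; no shell is involved."""
    return ["iptables", "-I", CHAIN, "-s", ip, "-j", "DROP"]


def process(lines, threshold=THRESHOLD):
    """Count failures per address and return the addresses that crossed the
    threshold, in the order they crossed it (each address reported once)."""
    counts = Counter()
    blocked = []
    for line in lines:
        ip = parse_offender(line)
        if ip is None:
            continue
        counts[ip] += 1
        if counts[ip] == threshold:
            blocked.append(ip)
    return blocked


# Constructed sample lines (documentation-range addresses, not real log data),
# modelled on the sshd line quoted in the thread. The last line shows a
# malformed 'from' token that must be ignored rather than blocked.
SAMPLE = [
    "Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 192.0.2.10",
    "Jul 11 07:02:06 aoclife sshd[24862]: Invalid user admin from 192.0.2.10",
    "Jul 11 07:02:07 aoclife sshd[24863]: Invalid user test from 198.51.100.7",
    "Jul 11 07:02:08 aoclife sshd[24864]: Invalid user abc from 192.0.2.10",
    "Jul 11 07:02:09 aoclife sshd[24865]: Invalid user x from 192.0.2.99;reboot",
]


def main(argv):
    dry_run = "--dry-run" in argv
    source = SAMPLE if "--demo" in argv else sys.stdin
    for ip in process(source):
        cmd = block_rule(ip)
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 crackdetect.py --demo --dry-run` to see the rule it would insert for the sample input; in real use it is the program() target of the syslog-ng destination and the SHITLIST chain must already exist and be referenced early in the INPUT chain, as the thread describes. Because syslog-ng keeps the process running and feeds it lines continuously, the counters live for the life of the process; clearing the chain (the "clean out" step mentioned above) is a separate, manual action.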

