[CentOS] One approach to dealing with SSH brute force attacks.
John Horne
john.horne at plymouth.ac.uk
Mon Feb 4 15:12:11 UTC 2008
On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
> On Wed, Jan 30, 2008, Brian Mathis wrote:
> ...
> >
> >Log parsing scripts often don't provide the immediacy that rate
> >limiting does when under attack. You'd have to run the script
> >constantly parsing logs, since most ssh scans come in bursts.
>
> We use swatch for this and other interesting events (e.g. NICs
> being put in promiscuous mode). It continually monitors one or
> more log files using gnu-tail in a perl script, and can do
> various things depending on a configuration file. It can send
> e-mail notifications and/or execute scripts which can do anything
> your heart desires.
>
Hello,
Do you have any specific swatch config lines for detecting ssh
brute-force attacks? If so would you care to share them? (off-list if
you prefer). Likewise we use swatch for general log monitoring, and have
it report back anything unusual to our central monitoring system (Big
Brother).
John.
--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne at plymouth.ac.uk Fax: +44 (0)1752 233839
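As an added example (not code from the thread, and not a swatch rule of either poster), here is the burst check that such a log-monitoring rule would implement, in Python: it reads constructed sshd syslog lines and flags any source address that produces at least `count` failed logins inside a sliding window of `seconds`, which is the "scans come in bursts" case the thread discusses. The sample lines, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not from the original thread.
SAMPLE_LOG = """\
Jan 30 13:10:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 30 13:10:04 host sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jan 30 13:10:07 host sshd[2103]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan 30 13:10:09 host sshd[2104]: Accepted publickey for john from 198.51.100.9 port 51022 ssh2
Jan 30 13:10:10 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Jan 30 13:10:13 host sshd[2106]: Failed password for invalid user guest from 203.0.113.7 port 40161 ssh2
Jan 30 13:10:40 host sshd[2107]: Failed password for john from 198.51.100.9 port 51030 ssh2
Jan 30 13:20:05 host sshd[2110]: Failed password for john from 198.51.100.9 port 51044 ssh2
"""

# Matches only sshd "Failed password" lines; captures the syslog timestamp and source IP.
FAILED_RE = re.compile(
    r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* '
    r'from (\d+\.\d+\.\d+\.\d+) port'
)

def parse_ts(stamp, year=2008):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bursts(lines, count=5, seconds=60):
    """Return {ip: timestamp} for each source whose failed logins reach
    `count` within any `seconds`-long sliding window (first time it happens)."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts, ip = parse_ts(m.group(1)), m.group(2)
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > seconds:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= count and ip not in flagged:
            flagged[ip] = ts.strftime("%b %d %H:%M:%S")
    return flagged

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"brute-force burst from {ip} at {when}")
```

With the defaults the host hammered at 203.0.113.7 is flagged on its fifth failure while the two spaced-out failures from 198.51.100.9 are not; loosening the window shows how the threshold choice decides what counts as a burst.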