[CentOS] One approach to dealing with SSH brute force attacks.

John Horne john.horne at plymouth.ac.uk
Mon Feb 4 15:12:11 UTC 2008


On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
> On Wed, Jan 30, 2008, Brian Mathis wrote:
> ...
> >
> >Log parsing scripts often don't provide the immediacy that rate
> >limiting does when under attack.  You'd have to run the script
> >constantly parsing logs, since most ssh scans come in bursts.
> 
> We use swatch for this and other interesting events (e.g. NICs
> being put in promiscuous mode).  It continually monitors one or
> more log files using gnu-tail in a perl script, and can do
> various things depending on a configuration file.  It can send
> e-mail notifications and/or execute scripts which can do anything
> your heart desires.
> 
Hello,

Do you have any specific swatch config lines for detecting ssh
brute-force attacks? If so would you care to share them? (off-list if
you prefer). Likewise we use swatch for general log monitoring, and have
it report back anything unusual to our central monitoring system (Big
Brother).



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: John.Horne at plymouth.ac.uk       Fax: +44 (0)1752 233839
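An added example, not from the thread and not a swatch configuration: the same burst-threshold logic a swatch rule would apply (N failed logins from one source within a sliding window), written as a stand-alone Python check over constructed sshd log lines. The hostname, the 192.0.2.x addresses, the year and the threshold values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the sshd auth-failure line this thread is concerned with.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (TEST-NET addresses, hypothetical host "bastion").
SAMPLE_LOG = """\
Jan 30 13:11:01 bastion sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan 30 13:11:02 bastion sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Jan 30 13:11:02 bastion sshd[2105]: Failed password for root from 192.0.2.10 port 40141 ssh2
Jan 30 13:11:03 bastion sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
Jan 30 13:11:04 bastion sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 40158 ssh2
Jan 30 13:15:00 bastion sshd[2150]: Accepted publickey for jhorne from 192.0.2.50 port 51000 ssh2
Jan 30 13:20:10 bastion sshd[2201]: Failed password for jhorne from 192.0.2.50 port 51011 ssh2
Jan 30 13:35:10 bastion sshd[2230]: Failed password for jhorne from 192.0.2.50 port 51020 ssh2
""".splitlines()


def parse_ts(ts, year=2008):
    """syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def burst_offenders(lines, count=5, seconds=60):
    """Return {ip: time the threshold was first crossed} for every source that
    produced at least `count` failed logins inside any `seconds`-long window.
    Per-IP deques hold only the timestamps still inside the window, so the
    check runs in one pass and suits a tail -f style feed as much as a file."""
    window = defaultdict(deque)
    hits = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > seconds:
            q.popleft()  # expire failures older than the window
        if len(q) >= count and ip not in hits:
            hits[ip] = t  # first crossing only; this is where swatch would exec/mail
    return hits


if __name__ == "__main__":
    for ip, when in burst_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} burst from {ip}")
```

A real user mistyping a password a couple of times (192.0.2.50 above) never trips the default threshold; raising `seconds` and lowering `count` shows how easily a loose window turns those into false alarms.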


