On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
On Wed, Jan 30, 2008, Brian Mathis wrote: ...
Log parsing scripts often don't provide the immediacy that rate limiting does when under attack. You'd have to run the script constantly parsing logs, since most ssh scans come in bursts.
We use swatch for this and other interesting events (e.g. NICs being put in promiscuous mode). It continually monitors one or more log files using gnu-tail in a perl script, and can do various things depending on a configuration file. It can send e-mail notifications and/or execute scripts which can do anything your heart desires.
Hello,
Do you have any specific swatch config lines for detecting ssh brute-force attacks? If so would you care to share them? (off-list if you prefer). Likewise we use swatch for general log monitoring, and have it report back anything unusual to our central monitoring system (Big Brother).
John.
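Added example, not part of the thread and not a swatch config from any of the posters: a small Python script that does the job a tail-following script or a swatch `exec` action would do for John's question, namely count OpenSSH "Failed password" lines per source address inside a sliding time window and flag an address once it crosses a burst threshold. It assumes the standard OpenSSH syslog line format ("... sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2"); the sample log lines, host name, addresses and the 5-failures-in-60-seconds threshold are constructed for the example. Syslog timestamps carry no year, so the script assumes one.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH authentication-failure line as written by syslog.
# Constructed sample for this example; real lines look the same.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample input (hypothetical host, addresses and times):
# one burst from 192.0.2.10, a slow trickle from 198.51.100.7,
# and a successful login that must be ignored.
SAMPLE_LOG = [
    "Jan 30 13:10:00 gw sshd[4101]: Accepted publickey for john from 203.0.113.5 port 51022 ssh2",
    "Jan 30 13:11:02 gw sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2",
    "Jan 30 13:11:05 gw sshd[4243]: Failed password for invalid user oracle from 192.0.2.10 port 50123 ssh2",
    "Jan 30 13:11:09 gw sshd[4244]: Failed password for root from 192.0.2.10 port 50124 ssh2",
    "Jan 30 13:11:12 gw sshd[4245]: Failed password for invalid user test from 192.0.2.10 port 50125 ssh2",
    "Jan 30 13:11:15 gw sshd[4246]: Failed password for root from 192.0.2.10 port 50126 ssh2",
    "Jan 30 13:11:18 gw sshd[4247]: Failed password for root from 192.0.2.10 port 50127 ssh2",
    "Jan 30 13:20:00 gw sshd[4300]: Failed password for john from 198.51.100.7 port 40001 ssh2",
    "Jan 30 13:24:00 gw sshd[4301]: Failed password for john from 198.51.100.7 port 40002 ssh2",
    "Jan 30 13:28:00 gw sshd[4302]: Failed password for john from 198.51.100.7 port 40003 ssh2",
]


def parse_ts(ts, year=2008):
    """Syslog timestamps have no year; the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BruteForceDetector:
    """Sliding-window counter: alert when one IP produces `count` failures
    within `seconds`. Each IP is reported once; a real deployment would
    add a cooldown or a firewall rule here."""

    def __init__(self, count=5, seconds=60):
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.alerted = set()

    def feed(self, line):
        """Return the offending IP when a line pushes it over the threshold, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        now = parse_ts(m.group("ts"))
        window = self.hits[ip]
        window.append(now)
        # Drop failures older than the window (log order is assumed chronological).
        while window and (now - window[0]).total_seconds() > self.seconds:
            window.popleft()
        if len(window) >= self.count and ip not in self.alerted:
            self.alerted.add(ip)
            return ip
        return None


def scan(lines, count=5, seconds=60):
    """Run the detector over an iterable of log lines; return flagged IPs in order."""
    det = BruteForceDetector(count, seconds)
    flagged = []
    for line in lines:
        ip = det.feed(line.rstrip("\n"))
        if ip:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    # Stand-alone use: python3 sshwatch.py < auth.log, or fed from
    # tail -F /var/log/auth.log as swatch would do with its own tail.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip in scan(source):
        print(f"ssh brute-force burst from {ip}")
```

Against the constructed sample, the default threshold flags only 192.0.2.10 (five failures in thirteen seconds); the slow trickle from 198.51.100.7 only trips a looser setting such as three failures in ten minutes, which is the trade-off Brian's point about bursts refers to: the tighter the window, the faster the reaction, but the easier it is for a patient scanner to stay under it.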