[CentOS] One approach to dealing with SSH brute force attacks.

Mon Feb 4 18:00:11 UTC 2008
Bill Campbell <centos at celestial.com>

On Mon, Feb 04, 2008, John Horne wrote:
>
>On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
>> On Wed, Jan 30, 2008, Brian Mathis wrote:
>> ...
>> >
>> >Log parsing scripts often don't provide the immediacy that rate
>> >limiting does when under attack.  You'd have to run the script
>> >constantly parsing logs, since most ssh scans come in bursts.
>> 
>> We use swatch for this and other interesting events (e.g. NICs
>> being put in promiscuous mode).  It continually monitors one or
>> more log files using gnu-tail in a perl script, and can do
>> various things depending on a configuration file.  It can send
>> e-mail notifications and/or execute scripts which can do anything
>> your heart desires.
>> 
>Hello,
>
>Do you have any specific swatch config lines for detecting ssh
>brute-force attacks? If so would you care to share them? (off-list if
>you prefer). Likewise we use swatch for general log monitoring, and have
>it report back anything unusual to our central monitoring system (Big
>Brother).

Here's part of the swatchrc file from one of our public servers.
We get many more reports from sshd via tcp_wrappers (libwrap)
which have been modified to use DNSRBLs to white and black list
various hosts and IP ranges.

# swatchrc excerpt.  'perlcode 0' lines are placed before swatch's main loop
# and run once; the un-numbered perlcode line runs for every log line and
# splits it into syslog fields, so $host_name and @message can be
# interpolated into the mail subjects below.
perlcode 0 use Sys::Hostname::Long;
perlcode 0 my $host_long = hostname_long;
perlcode 0 my $email=qq(support\@$host_long);
perlcode 0 my $secmail = qq(security\@$host_long);
perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/);

# NIC put into promiscuous mode
watchfor /device (\S+) entered promiscuous mode/
    mail addresses=$secmail, subject=[swatch] $host_name promiscuous $1

watchfor /File name too long/
    mail addresses=$email, subject=[swatch] BufferOverflow_attempt

watchfor /DHCPREQUEST/
    mail addresses=postmaster, subject=[swatch] $host_name @message

# ssh brute force: type=both acts once per 60-second window per source
# address ($1), and only after 3 matching lines from that source
watchfor /Failed password for.*from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name @message

# every root login is reported, whatever the authentication method
watchfor /Accepted password for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh password $1

watchfor /Accepted publickey for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1

watchfor /Invalid login as admin/
    mail addresses=$secmail, subject=[swatch] $host_name @message

watchfor /Invalid login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name @message

watchfor /Successful login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name @message

watchfor /DeliveryErrors/
    mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors

watchfor /file system full/
    mail addresses=$email, subject=[swatch] $host_name @message

# tcp_wrappers (libwrap) refusals, thresholded like the ssh failures
watchfor /refused connect from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name @message

# end of file

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

there is nothing more difficult to take in hand, more perilous to
conduct, or more uncertain in its success, than to take the lead in
the introduction of a new order of things.  Because the innovator has
for enemies all those who have done well under the old conditions,
and lukewarm defenders in those who may do well under the new.
    -- Machiavelli
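The failed-password and root-login rules in the swatchrc above, re-implemented as an added example (not part of the original post and not swatch's own code) so the threshold behaviour can be seen offline: the log lines are constructed, the year is an assumption (syslog timestamps carry none), and the `Threshold` class approximates swatch's `type=both` as "act once per source when `count` matches fall within `seconds`, then stay quiet for that source until the window has passed".

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines (syslog format, as swatch tails
# them).  Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  4 17:58:01 gw sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Feb  4 17:58:03 gw sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Feb  4 17:58:04 gw sshd[2205]: Failed password for root from 192.0.2.10 port 40141 ssh2
Feb  4 17:58:05 gw sshd[2207]: Failed password for root from 192.0.2.10 port 40150 ssh2
Feb  4 17:58:30 gw sshd[2210]: Failed password for bill from 198.51.100.7 port 51002 ssh2
Feb  4 17:59:40 gw sshd[2212]: Failed password for bill from 198.51.100.7 port 51010 ssh2
Feb  4 17:59:55 gw sshd[2214]: Accepted publickey for root from 203.0.113.5 port 60000 ssh2
Feb  4 18:00:10 gw sshd[2216]: Failed password for bill from 198.51.100.7 port 51022 ssh2
"""

ASSUMED_YEAR = 2008  # assumption: syslog lines carry no year, taken from the post date

# The same patterns as the swatchrc 'watchfor' lines, capturing the source address.
FAILED_PW = re.compile(r"Failed password for.*from\s+(\S+)")
ROOT_LOGIN = re.compile(r"Accepted (?:password|publickey) for root.*from\s+(\S+)")


class Threshold:
    """Approximation of swatch 'threshold track_by=KEY,type=both,count=N,seconds=S'.

    hit() returns True once when KEY has produced N matches within S seconds,
    then False for that KEY until S seconds have passed since the alert.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)  # key -> timestamps of recent matches
        self.alerted_at = {}            # key -> time of the last alert

    def hit(self, key, ts):
        window = self.hits[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:  # drop matches outside the window
            window.popleft()
        last = self.alerted_at.get(key)
        if last is not None and ts - last <= self.seconds:
            return False  # already alerted for this key in the current window
        if len(window) >= self.count:
            self.alerted_at[key] = ts
            window.clear()
            return True
        return False


def parse_line(line):
    """Mirror of the swatchrc perlcode split on whitespace: (seconds, host, message)."""
    month, day, time, host_name, *message = line.split()
    stamp = datetime.strptime(f"{month} {day} {time} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    seconds = (stamp - datetime(ASSUMED_YEAR, 1, 1)).total_seconds()
    return seconds, host_name, " ".join(message)


def scan(log_text, count=3, seconds=60):
    """Run both rules over a block of log text; return the alerts that would be mailed."""
    bruteforce = Threshold(count, seconds)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host_name, message = parse_line(line)
        m = FAILED_PW.search(message)
        if m and bruteforce.hit(m.group(1), ts):
            alerts.append({"kind": "bruteforce", "host": host_name, "source": m.group(1),
                           "subject": f"[swatch] {host_name} {message}"})
            continue
        m = ROOT_LOGIN.search(message)
        if m:  # no threshold: every root login is reported, as in the swatchrc
            alerts.append({"kind": "root-login", "host": host_name, "source": m.group(1),
                           "subject": f"[swatch] {host_name} ssh root {m.group(1)}"})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["kind"], alert["source"], "->", alert["subject"])
```

On the constructed sample, 192.0.2.10 trips the rule on its third failure within four seconds and its fourth failure is suppressed, while 198.51.100.7 spreads three failures over 100 seconds and never reaches three inside one 60-second window; the root publickey login is reported without any threshold.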