On Mon, Feb 04, 2008, John Horne wrote:
>
>On Wed, 2008-01-30 at 13:11 -0800, Bill Campbell wrote:
>> On Wed, Jan 30, 2008, Brian Mathis wrote:
>> ...
>> >
>> >Log parsing scripts often don't provide the immediacy that rate
>> >limiting does when under attack. You'd have to run the script
>> >constantly parsing logs, since most ssh scans come in bursts.
>>
>> We use swatch for this and other interesting events (e.g. NICs
>> being put in promiscuous mode). It continually monitors one or
>> more log files using gnu-tail in a perl script, and can do
>> various things depending on a configuration file. It can send
>> e-mail notifications and/or execute scripts which can do anything
>> your heart desires.
>>
>Hello,
>
>Do you have any specific swatch config lines for detecting ssh
>brute-force attacks? If so would you care to share them? (off-list if
>you prefer). Likewise we use swatch for general log monitoring, and have
>it report back anything unusual to our central monitoring system (Big
>Brother).

Here's part of the swatchrc file from one of our public servers. We
get many more reports from sshd via tcp_wrappers (libwrap) which have
been modified to use DNSRBLs to white and black list various hosts and
IP ranges.
perlcode 0 use Sys::Hostname::Long;
perlcode 0 my $host_long = hostname_long;
perlcode 0 my $email=qq(support\@$host_long);
perlcode 0 my $secmail = qq(security\@$host_long);
perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/);

watchfor /device (\S+) entered promiscuous mode/
    mail addresses=$secmail, subject=[swatch] $host_name promiscuous $1

watchfor /File name too long/
    mail addresses=$email, subject=[swatch] BufferOverflow_attempt

watchfor /DHCPREQUEST/
    mail addresses=postmaster, subject=[swatch] $host_name at message

watchfor /Failed password for.*from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name at message

watchfor /Accepted password for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh password $1

watchfor /Accepted publickey for root.*from\s+(\S+)/
    mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1

watchfor /Invalid login as admin/
    mail addresses=$secmail, subject=[swatch] $host_name at message

watchfor /Invalid login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name at message

watchfor /Successful login as mainadmin/
    mail addresses=$secmail, subject=[swatch] $host_name at message

watchfor /DeliveryErrors/
    mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors

watchfor /file system full/
    mail addresses=$email, subject=[swatch] $host_name at message

watchfor /refused connect from\s+(\S+)/
    threshold track_by=$1,type=both,count=3,seconds=60
    mail addresses=$secmail, subject=[swatch] $host_name at message

# end of file

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

there is nothing more difficult to take in hand, more perilous to conduct,
or more uncertain in its success, than to take the lead in the introduction
of a new order of things. Because the innovator has for enemies all those
who have done well under the old conditions, and lukewarm defenders in
those who may do well under the new. -- Machiavelli
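The rules above that matter most for the ssh question are the "Failed password" and "refused connect" watches with their "threshold track_by=$1,type=both,count=3,seconds=60" lines: swatch counts matches per source address and acts when three arrive within a minute, rather than on every single failure. The script below is an added example (not from Bill's mail and not part of swatch) that reproduces that per-key threshold in Python so the behaviour can be seen on a handful of constructed syslog lines, alongside the two un-throttled rules for root logins and promiscuous-mode NICs. The syslog line shape, the sample addresses, the alert subject strings and the interpretation of type=both as "fire once when the count is reached, then stay silent until the window expires" are all my assumptions.

```python
import re
from datetime import datetime

# Syslog line shape assumed for the constructed sample below:
# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Patterns lifted from the swatchrc in the mail. The first one is rate-limited
# with a per-address threshold; the other two fire on every match.
FAILED_RE = re.compile(r"Failed password for.*from\s+(\S+)")
ROOT_LOGIN_RE = re.compile(r"Accepted (password|publickey) for root.*from\s+(\S+)")
PROMISC_RE = re.compile(r"device (\S+) entered promiscuous mode")


class Threshold:
    """Mimics swatch's 'threshold track_by=$1,type=both,count=N,seconds=S'.

    Matches are counted per key inside a window that opens at the key's first
    match. When the count is reached the rule fires once and then stays quiet
    until the window expires (my reading of type=both; assumption).
    """

    def __init__(self, count=3, seconds=60):
        self.count, self.seconds = count, seconds
        self.state = {}  # key -> [window_start, hits_in_window, already_fired]

    def hit(self, key, when):
        st = self.state.get(key)
        if st is None or (when - st[0]).total_seconds() > self.seconds:
            st = self.state[key] = [when, 0, False]  # open a fresh window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def parse(line, year=2008):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group(2), m.group(3)


def scan(lines, count=3, seconds=60):
    """Return the alert subjects, in the '[swatch] host ...' style the mail uses."""
    ssh_bf = Threshold(count, seconds)
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        when, host, msg = parsed
        if (m := FAILED_RE.search(msg)):
            if ssh_bf.hit(m.group(1), when):
                alerts.append(f"[swatch] {host} ssh brute force from {m.group(1)}")
        elif (m := ROOT_LOGIN_RE.search(msg)):
            alerts.append(f"[swatch] {host} ssh {m.group(1)} {m.group(2)}")
        elif (m := PROMISC_RE.search(msg)):
            alerts.append(f"[swatch] {host} promiscuous {m.group(1)}")
    return alerts


# Constructed sample log: one burst from 192.0.2.10 (four failures in 11 s),
# two isolated failures from 198.51.100.7 minutes apart, a root key login,
# and a NIC going promiscuous.
SAMPLE_LOG = """\
Feb  4 10:00:01 web1 sshd[2101]: Failed password for invalid user oracle from 192.0.2.10 port 51122 ssh2
Feb  4 10:00:05 web1 sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51130 ssh2
Feb  4 10:00:09 web1 sshd[2105]: Failed password for root from 192.0.2.10 port 51140 ssh2
Feb  4 10:00:12 web1 sshd[2107]: Failed password for root from 192.0.2.10 port 51150 ssh2
Feb  4 10:00:30 web1 sshd[2110]: Failed password for bill from 198.51.100.7 port 40001 ssh2
Feb  4 10:03:00 web1 sshd[2120]: Failed password for bill from 198.51.100.7 port 40002 ssh2
Feb  4 10:05:00 web1 sshd[2130]: Accepted publickey for root from 198.51.100.7 port 40010 ssh2
Feb  4 10:06:00 web1 kernel: device eth0 entered promiscuous mode
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running it produces exactly one brute-force alert for 192.0.2.10 (the third failure trips the threshold, the fourth is swallowed because the window already fired) and none for 198.51.100.7, whose two failures are far enough apart to land in separate windows; the root publickey login and the promiscuous-mode message each produce their own alert regardless of rate. The same Threshold object can be instantiated a second time for the "refused connect from" rule, which uses identical parameters in the swatchrc.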