
dumb way Re: SSH attack




On Mon, 3 Oct 2005, Landy Bible wrote:

> Marty wrote:
> 
> > -configure the ssh server to report any successful ssh login using email,
> > and/or send a page or cell phone alert
> >
> > -do the same for multiple failed connection attempts
> >
> Could someone point me at a way to do this?

think dude ... not everybody will have the answers you want

dumb way
	grep sshd /var/log/auth.log

	- i assume you know how to grep and awk if you use
	bash and/or other filters for perl or even c/c++

	- if not .. hit the books and start writing code
	or even "dumb" scripts to get started

	- and then test and retest and test and double check
	because your "data" depends on your ability to test things
	and catch any bugs that make "your thingie" or somebody
	else's programs you used work or fail

it's good because you can run it as often as you like and tweak it
for whatever you want to do with it
	- check for ip#
	- check for time of day
	- check for acct id
	- check for blah-blah

	- do what you want with the "processed" data

- process all your other log files similarly with what you want
  to find or not find in it

	- do the same with each running process, NOT just the logs
	and of course double check the md5 of the binaries and libs too

- if you use 1 of the 1000's of other log analyzers,
  you're stuck with what it does or doesn't do

c ya
alvin
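
An added example, not part of the original message: the `grep sshd` starting point above extended with awk to pull out failed-password counts per IP and successful logins (account, IP, time). The function names and sample log lines are constructed here, and the traditional syslog line layout (`Mon DD HH:MM:SS host tag: msg`) is an assumption.

```shell
#!/bin/sh
# Constructed sample lines (traditional syslog layout: Mon DD HH:MM:SS host tag: msg).
sample_log() {
cat <<'EOF'
Oct  3 02:11:40 box sshd[811]: Failed password for root from 203.0.113.5 port 4101 ssh2
Oct  3 02:11:43 box sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4102 ssh2
Oct  3 02:11:47 box sshd[812]: Failed password for invalid user from from 203.0.113.5 port 4103 ssh2
Oct  3 02:12:02 box sshd[815]: Failed password for landy from 198.51.100.7 port 5022 ssh2
Oct  3 02:12:09 box sshd[815]: Accepted password for landy from 198.51.100.7 port 5022 ssh2
Oct  3 02:13:00 box su[900]: session opened for user root by landy(uid=500)
EOF
}

# awk helper (hypothetical name): field index of the peer address, found by
# scanning from the END of the line, so a login name such as "from" cannot
# shift the field we read.
PEER_FN='function peer(   i) {
  for (i = NF - 2; i > 1; i--) {
    if ($i == "from" && $(i + 2) == "port") return i + 1
  }
  return 0
}'

# Print "count ip" for every address with at least $1 failed passwords.
ssh_failed_by_ip() {
  grep sshd | awk -v min="${1:-3}" "$PEER_FN"'
    $6 == "Failed" && $7 == "password" { p = peer(); if (p) n[$p]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Print "Mon DD HH:MM:SS user ip" for every successful login.
ssh_accepted() {
  grep sshd | awk "$PEER_FN"'
    $6 == "Accepted" { p = peer(); if (p) print $1, $2, $3, $(p - 2), $p }'
}

# Run over the sample; from cron, read /var/log/auth.log and pipe to mail(1).
sample_log | ssh_failed_by_ip 3
sample_log | ssh_accepted
```

The third sample line is the case worth testing for: the login name is attacker-chosen text, so the script reads the address from the end of the line instead of taking whatever follows the first "from".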



