Re: illegal user logon
On Monday 22 August 2005 14:07, jeremy avnet wrote:
> Since a bunch of people contacted me for the script, I'm posting the
> URL here in case some web searcher finds this archive.
>
> http://brainsik.to/ssh-brute-stop
Doesn't work for me. Needs the following patch.
Paul
--- /root/ssh-brute-stop_20050805.pl 2005-08-22 13:27:46.000000000 +0100
+++ ssh-brute-stop 2005-08-22 15:42:45.000000000 +0100
@@ -65,8 +65,8 @@
my( $user, $ip );
# check for illegal (unknown) user attempts
- if ( /sshd\[\d+\]: Illegal user (\w+) from (?:::ffff:)?([\d.]+)/ ) {
- ($user, $ip) = ($1, $2);
+ if ( /sshd\[\d+\]: (Invalid|Illegal) user (\w+) from (?:::ffff:)?([\d.]+)/ ) {
+ ($user, $ip) = ($2, $3);
$points{$ip} += (exists $log{$ip}{$user}) ? $PTS_OLDILLEGAL : $PTS_NEWILLEGAL;
$log{$ip}{$user} = time
}
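Review bot: The alternation `(Invalid|Illegal)` on the added regex line is a capturing group, which is the only reason the assignment below it had to change to `($2, $3)`. Writing it as `(?:Invalid|Illegal)`, the same non-capturing form the pattern already uses for `(?:::ffff:)?`, keeps the user and address in `$1` and `$2`, so the patch shrinks to a single changed line and any later edit to the pattern is less likely to shift the indices again. Separately, and not new in this patch: the user field is matched with `(\w+)`, so an attempt with a name containing `-` or `.` does not match this check at all and scores no points here; if those should count, widen that group (for example to `(\S+)`).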