
Re: illegal user logon



On Monday 22 August 2005 14:07, jeremy avnet wrote:
> Since a bunch of people contacted me for the script, I'm posting the
> URL here in case some web searcher finds this archive.
>
> http://brainsik.to/ssh-brute-stop

Doesn't work for me. Needs the following patch.

Paul

--- /root/ssh-brute-stop_20050805.pl	2005-08-22 13:27:46.000000000 +0100
+++ ssh-brute-stop	2005-08-22 15:42:45.000000000 +0100
@@ -65,8 +65,8 @@
         my( $user, $ip );
         
         # check for illegal (unknown) user attempts
-        if ( /sshd\[\d+\]: Illegal user (\w+) from (?:::ffff:)?([\d.]+)/ ) {
-            ($user, $ip) = ($1, $2);
+        if ( /sshd\[\d+\]: (Invalid|Illegal) user (\w+) from (?:::ffff:)?([\d.]+)/ ) {
+            ($user, $ip) = ($2, $3);
             $points{$ip} += (exists $log{$ip}{$user}) ? $PTS_OLDILLEGAL : $PTS_NEWILLEGAL;
             $log{$ip}{$user} = time
         }
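Review bot: On the changed `if` line, the alternation `(Invalid|Illegal)` is a capturing group, which is the only reason the assignment below it had to be renumbered to `($2, $3)`. Writing it as `(?:Invalid|Illegal)`, the same way the pattern already handles `(?:::ffff:)?`, would leave `($user, $ip) = ($1, $2)` untouched and make this a one-line change that is harder to get wrong if another alternative is added later. In the same pattern, `(\w+)` does not match user names containing characters such as `-` or `.`, so log lines for those attempts fall through this check without adding any points; `(\S+)` would cover them if they are meant to be counted.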


