
Re: Log file IDS package?



On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
> Hi,
> 
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...
> 
> Is there software in Debian that will do something along the lines of a
> tail -f of a given logfile, looking for supplied regexes and doing custom
> actions on matches?
> 
> I want to tarpit excessive SSH login failures.

Are you talking about the recent (since July 27th 2004) brute force ssh
attempts? The ones with NO_USER attached to them?

Things like this:
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from 220.75.202.225
Jan 10 23:52:51 knight sshd[12865]: error: Could not get shadow information for NOUSER
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from 220.75.202.225
Jan 10 23:53:00 knight sshd[12871]: error: Could not get shadow information for NOUSER

Or something else?

If it is that... well, unless you are doing something stupid for
passwords, you really shouldn't worry about it. This goes back to tarpit
setups for mail... it won't stop them, just increase the number of
connections you'll have tied up, possibly DoS style.
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
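The kind of log matching Andrew asked for, run over the sshd lines quoted above, as an added example that is not from either poster: it parses the "Failed password" lines, counts failures per source address so a threshold can drive whatever action you choose, and includes a tail -f style follower for a live file. The sample log (including the extra 192.0.2.10 line), the threshold of 5 and the function names are assumptions made for this example.

```python
import re
import time
from collections import Counter

# Constructed sample in the sshd/syslog format quoted in the thread, plus one
# failure from a second address (192.0.2.10, a documentation-only range).
SAMPLE_LOG = """\
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:55:12 knight sshd[12901]: Failed password for alice from 192.0.2.10 port 40001 ssh2
"""

# Matches both shapes: "for illegal user NAME" (no such account) and
# "for NAME" (existing account, wrong password). Other sshd lines are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(lines):
    """One dict per 'Failed password' line: timestamp, source IP, user, illegal flag."""
    events = []
    for m in filter(None, map(FAILED_RE.match, lines)):
        events.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                       "illegal": m["illegal"] is not None})
    return events

def offenders(lines, threshold=5):
    """Source IPs with at least `threshold` failures, mapped to their count."""
    counts = Counter(e["ip"] for e in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def follow(fh, poll=1.0):
    """tail -f: yield lines as they are appended; feed them to a running Counter."""
    fh.seek(0, 2)  # start at end of file, as tail -f does
    while True:
        line = fh.readline()
        if line:
            yield line.rstrip("\n")
        else:
            time.sleep(poll)
```

Running `offenders(SAMPLE_LOG.splitlines())` flags only 220.75.202.225 (7 failures); on a live box you would iterate `follow(open("/var/log/auth.log"))` instead and apply the same regex to each line as it arrives.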
