[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

dumb way Re: SSH attack

On Mon, 3 Oct 2005, Landy Bible wrote:

> Marty wrote:
> > -configure the ssh server to report any successful ssh login using email,
> > and/or send a page or cell phone alert
> >
> > -do the same for mutliple failed connection attempts 
> >
> Could some one point me at a way to do this?

think dude ... not everybody will have the answers you want

dumb way
	grep sshd /var/log/auth.log

	- i assume you know how to grep and awk if you use
	bash and/or other filters for perl or even c/c++

	- if not .. hit the books and start writing code
	or even "dumb" scripts to get started

	- and than test and retest and test and double check
	because your "data" depends on your ability to test things
	and catch any bugs that makes "your thingie" or somebody
	elses programs you used which works or fail

it's good because you can run it as often as oyu like and tweek it
for whatever you want to do with it
	- check for ip#
	- check for time of day
	- check for acct id
	- check for blah-blah

	- do what you want with the "processed" data

- process all your other log files similarly with what you want
  to find or not find in it

	- do the same with each running process, NOT just the logs
	and of course double check the md5 of the binaries and libs too

- if you use 1 of the 1000's of other log analyzers,
  you're stuck with what it does or doesn't do

c ya

Reply to: