Re: SSH attack
Landy Bible wrote:
-configure the ssh server to report any successful ssh login using email,
and/or send a page or cell phone alert
I can only guess at this point because I've not tried it.
A crude example might be using a login script to detect whether the shell is
starting in an ssh session, e.g.:
# pidof prints nothing when no ssh process is found
if [ -n "$(pidof ssh)" ]; then
    tail /var/log/authlog | /usr/bin/mail -s "ssh login at $(date)" email@example.com
fi
Here I might call chat or a similar program to send the page or phone alert, using
a modem in the system that's not used for my main internet connection.
I would run something like this on the gateway/firewall and/or on an internal system
which has ssh forwarded to it. I'm not sure which method would be more secure.
-do the same for multiple failed connection attempts
Could someone point me at a way to do this?
There are probably special tools for this, but an easy way is to use inetd:
If you would like to know about the failed connection attempts to your
machine then change the above entry to the following [in /etc/hosts.deny].
ALL:ALL:/bin/mail -s "%s connection attempt from %c" freeos@localhost
The inetd man page gives an example for use with a specific service:
in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \
/usr/bin/mail -s %d-%h root) &
An example using the "SPAWN" command is given here:
ALL: ALL: SPAWN ( \
echo -e "\n\
TCP Wrappers\: Connection refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
" | /usr/bin/mail -s "Connection to %d blocked" root) &
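
For the "multiple failed connection attempts" request, a log-based check is sketched below as an added example (not part of the original message or of any tool named in it). It assumes sshd writes OpenSSH-style "Failed password for ... from ADDR port N ssh2" lines to the auth log; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sources with repeated failed ssh logins.

# Read auth log text on stdin; print "count address" for every source
# with at least $1 failures (default 3), busiest first.
failed_ssh_sources() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client and may itself contain
            # " from ", so take the address from the fixed tail of the line:
            # ... from ADDR port N ssh2
            if ($(NF - 4) == "from" && $(NF - 2) == "port")
                n[$(NF - 3)]++
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' | sort -rn
}

# usage: alert_failed_ssh LOGFILE THRESHOLD RECIPIENT
# Sends mail only when at least one source reaches the threshold.
alert_failed_ssh() {
    report=$(failed_ssh_sources "$2" < "$1")
    [ -z "$report" ] || printf '%s\n' "$report" |
        /usr/bin/mail -s "ssh: repeated failed logins on $(uname -n)" "$3"
}

# Constructed sample log (documentation addresses, not real hosts).
sample_authlog() {
    cat <<'EOF'
Mar  3 02:11:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:04 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Mar  3 02:11:06 gw sshd[2105]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
Mar  3 02:11:09 gw sshd[2107]: Failed password for invalid user a from 192.0.2.10 port 22 ssh2 from 203.0.113.7 port 40120 ssh2
Mar  3 02:12:30 gw sshd[2110]: Failed password for bob from 198.51.100.23 port 33001 ssh2
EOF
}

# Demo on the sample; in cron use e.g.: alert_failed_ssh /var/log/authlog 3 root
sample_authlog | failed_ssh_sources 3
```

Run from cron, this mails on every pass while the offending lines are still in the log, so pair it with log rotation or only feed it the lines added since the last run.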