On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
> Hi,
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...
> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexes and do custom actions on
> matches?
> I want to tarpit excessive SSH login failures.

Are you talking about the recent (since July 27th 2004) brute force ssh
attempts? The ones with NO_USER attached to them?

Things like this:
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for 
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from
Jan 10 23:52:51 knight sshd[12865]: error: Could not get shadow information for 
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from
Jan 10 23:53:00 knight sshd[12871]: error: Could not get shadow information for 

Or something else?

If it is that... well unless you are doing something stupid for
passwords, you really shouldn't worry about it. This goes back to tarpit
setups for mail... it won't stop them, just increase the number of
connections you'll have tied up, possibly DoS style.

The technology that is
Stronger, better, faster:  Linux
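
Added example, not part of the original message or of any Debian package: a sketch of the log-matching step asked about above, counting "Failed password" lines per source address in a sliding window. The source addresses in the sample are constructed documentation addresses (the excerpt above shows none), and the threshold, window and year defaults are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at both ends: sshd writes the address and port last, so text inside
# the attempted user name cannot be mistaken for the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>.*) from (?P<src>\S+) port \d+ ssh2\s*$"
)

def offenders(lines, threshold=5, window=timedelta(seconds=60), year=2005):
    """Map each source with >= threshold failures in one window to its peak count."""
    recent = defaultdict(deque)  # source -> failure times still inside the window
    peak = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # "Illegal user ..." and shadow errors repeat the same attempt
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[m["src"]] = max(peak.get(m["src"], 0), len(q))
    return peak

# Constructed sample in the format of the excerpt above, with made-up sources.
P = " knight sshd[12863]: "
SAMPLE = [
    "Jan 10 23:52:45" + P + "Illegal user test from 192.0.2.10",
    "Jan 10 23:52:45" + P + "Failed password for illegal user test from 192.0.2.10 port 35881 ssh2",
    "Jan 10 23:52:51" + P + "Failed password for illegal user guest from 192.0.2.10 port 35973 ssh2",
    "Jan 10 23:52:55" + P + "Failed password for admin from 192.0.2.10 port 36117 ssh2",
    "Jan 10 23:52:57" + P + "Failed password for admin from 198.51.100.7 port 40000 ssh2",
    "Jan 10 23:53:00" + P + "Failed password for illegal user user from 192.0.2.10 port 36284 ssh2",
    "Jan 10 23:53:03" + P + "Failed password for root from 192.0.2.10 port 36367 ssh2",
    # The user name itself contains "from <addr> port <n>"; only the trailing source counts.
    "Jan 10 23:53:07" + P + "Failed password for illegal user a from 203.0.113.9 port 1 from 192.0.2.10 port 36457 ssh2",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

What to do with a flagged source is left to the caller; this only reports which sources crossed the threshold.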
