Re: Log file IDS package?

2005-01-12 Thread Javier Fernández-Sanguino Peña
On Wed, Jan 12, 2005 at 04:57:41PM +1100, Andrew Pollock wrote:
> Hi,
> 
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...

Have you read this?
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-log-alerts

Logcheck is more or less the standard way of doing this in Debian, although
others like alternative logchecking tools.

I've been meaning to look at btail (a bayesian log filter that could
probably make it easier to generate the logcheck ignore patterns, see
http://www.vanheusden.com/btail/). Also LoGS
(http://savannah.nongnu.org/projects/logs/) might be of interest (still
in active development, looks promising).

Note that the URL that the document points to (Counterpane's) is not
current; it should be http://www.loganalysis.org/ (a wonderful source of log
analysis information maintained by Tina Bird, of Stanford University). This
is actually fixed in the document source (CVS) but it has not yet
propagated to the online version :-(


> I want to tarpit excessive SSH login failures.

You might want to review the discussion on this we had at this same list,
available at http://lists.debian.org/debian-security/2004/10/msg00118.html
(I'm not sure the PAM module developed by Kevin is useful for you, but the
thread has a lot of suggestions from many people, me included).

Check out also http://ethernet.org/~brian/src/timelox/ which might or might
not do what you are looking for (found this while reading
http://seclists.org/lists/incidents/2004/Dec/0039.html, which is also an
interesting read).

Hope that helps

Javier



Re: Log file IDS package?

2005-01-12 Thread Greg Folkert
On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
> Hi,
> 
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...
> 
> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexs and do custom actions on
> matches?
> 
> I want to tarpit excessive SSH login failures.

Are you talking about the recent (since July 27th 2004) brute force ssh
attempts? The ones with NO_USER attached to them?

Things like this:
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from 220.75.202.225
Jan 10 23:52:51 knight sshd[12865]: error: Could not get shadow information for NOUSER
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from 220.75.202.225
Jan 10 23:53:00 knight sshd[12871]: error: Could not get shadow information for NOUSER

Or something else?

If it is that... well, unless you are doing something stupid for
passwords, you really shouldn't worry about it. This goes back to tarpit
setups for mail... it won't stop them, just increase the number of
connections you'll have tied up, possibly DoS style.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux


Log file IDS package?

2005-01-11 Thread Andrew Pollock
Hi,

I've done some cursory apt-cache searching, and nothing's jumped out at
me...

Is there software in Debian that will do something along the lines of a tail
-f of a given logfile, looking for supplied regexs and do custom actions on
matches?

I want to tarpit excessive SSH login failures.

regards

Andrew

-- 
linux.conf.au 2005   -  http://linux.conf.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://linux.conf.au/  -   LINUX
Canberra, Australia  -  http://linux.conf.au/  -Get bitten!


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Log file IDS package?

2005-01-11 Thread Lupe Christoph
On Wednesday, 2005-01-12 at 16:57:41 +1100, Andrew Pollock wrote:

> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexs and do custom actions on
> matches?

I'm using swatch. But swatch can only limit the number of actions
performed on a match, not perform an action if a count is exceeded. That
would need to be done in the script called when a match is found.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you  |
| ask what you can do for your computer. |
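As an added example (not code from this thread, nor from swatch, logcheck or any other tool mentioned in it), here is a small Python counter that does the part Lupe says swatch cannot do on its own: it matches the sshd "Failed password" lines Greg quoted, keeps a per-source sliding window of failures, and reports a source once it crosses a threshold, at which point the caller's own action (a blocking script, for instance) would run. The threshold, the window length and the year 2005 are assumptions, and the sample log is constructed from the lines in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password" forms quoted in the thread ("illegal user X" and a plain user name).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

class FailureCounter:
    """Count sshd password failures per source IP inside a sliding window."""
    def __init__(self, threshold=5, window_seconds=60, year=2005):
        self.threshold, self.window, self.year = threshold, window_seconds, year
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = set()

    def feed(self, line):
        """Return the source IP if this line pushes it over the threshold, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                    # not a failure line; ignore it
        # syslog timestamps carry no year, so the log's year is assumed
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = m.group("ip")
        q = self.recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()                    # drop failures older than the window
        if len(q) >= self.threshold and ip not in self.flagged:
            self.flagged.add(ip)           # report each source once
            return ip
        return None

def scan(log_text, threshold=5, window_seconds=60):
    """Run the counter over a block of log text; return the IPs that tripped it."""
    counter = FailureCounter(threshold, window_seconds)
    return [ip for ip in map(counter.feed, log_text.splitlines()) if ip]

# Constructed sample modelled on the thread's lines; 192.0.2.10 is a made-up second source.
SAMPLE_LOG = """\
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:52:58 knight sshd[12870]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from 220.75.202.225
"""
```

For the live behaviour Andrew asked about, feed each line of `tail -f /var/log/auth.log` to `feed()` and run your action on every non-None result.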
