From: "Sean Cook" <scook@kinex.net>
Reply-to: gentoo-security@lists.gentoo.org
Subject: RE: [gentoo-security] hackers
Date: Tue, 11 Oct 2005 08:24:35 -0400
List-Id: Gentoo Linux mail
Message-Id: <20051011122358.847EF2BBE5@franklin.kinex.net>

Yes, you can set up triggers in syslog-ng that will trigger based on
failed ssh login attempts.

# Select sshd login events (program() is matched against the PROGRAM field,
# so "sshd.*" also catches variants such as "sshd(pam_unix)"), and drop the
# expected key-based logins from the management host so they do not alert.
filter f_ssh_login_attempt {
        program("sshd.*")
        and match("(Failed|Accepted)")
        and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

# Every message that passes the filter is handed to the mail destination.
log {
        source(src);
        filter(f_ssh_login_attempt);
        destination(mail-alert-perl);
};

# program() pipes each matching line to the script on its standard input.
destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };

Sean

_____

From: APerez@cds.ca [mailto:APerez@cds.ca]
Sent: Tuesday, October 11, 2005 8:22 AM
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] hackers

I have a question:

Is there an application/program which can send an email whenever this
ssh attack happens?

A few months ago I got 300 attempts, which made me close the ssh port
and stop using it for a while.

Thanks

Alfredito

Jochen Maes <sejo@gentoo.org>
10/10/2005 05:52 AM
Please respond to gentoo-security@lists.gentoo.org
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] hackers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

OK, on one of my servers I keep on getting one IP range that tries to
log in through ssh (200-300 attempts) with other usernames.
This is probably a script that's being run all the time, but the ISP
doesn't mind; I already sent my logs and my complaints and I don't
get any response.
Is there something like hackerwatch that I can send those logs to
(preferably automatically) when it's happening?
I've blocked the range now so it isn't a problem, but I hate it that the
ISP does nothing against it.

greetings,

SeJo

- --
"Defer no time, delays have dangerous ends"

Jochen Maes
Gentoo Linux
Gentoo Belgium
http://sejo.be
http://gentoo.be
http://gentoo.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
ZPNqAHab5fXLdx11vdod5rc=
=35Kg
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list
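Sean's syslog-ng filter replayed over constructed sample sshd log lines, as an added Python example (not code from the original mail, from syslog-ng, or from Gentoo): it renders program(), match() and the not match() exclusion as Python regexes so the matching can be checked offline, shows that the exclusion exactly as posted also whitelists a login from 10.4.3.10 because the address is neither dot-escaped nor anchored, and counts failures per source so the mail destination can send one message per attacker instead of one per attempt (the 200-300 attempts in the thread would otherwise become 200-300 mails). The sample log lines, the host name web1, the addresses, the threshold and the ALLOW_TIGHT pattern are assumptions made for this example.

```python
"""Replay the sshd login filter from the mail over sample syslog lines.

Added example, not part of the original message. It mirrors the
f_ssh_login_attempt filter with Python regexes, demonstrates the
unanchored-address pitfall in the exclusion, and aggregates failures
per source for threshold-based alert mail.
"""
import re
from collections import Counter

# Constructed sample lines (not from the mail), in the classic
# "MMM DD HH:MM:SS host program[pid]: message" layout sshd writes via syslog.
SAMPLE_LOG = """\
Oct 11 08:10:01 web1 sshd[27247]: Failed password for invalid user oracle from 192.0.2.45 port 51234 ssh2
Oct 11 08:10:03 web1 sshd[27249]: Failed password for root from 192.0.2.45 port 51240 ssh2
Oct 11 08:10:04 web1 sshd(pam_unix)[27249]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.45 user=root
Oct 11 08:10:05 web1 sshd[27250]: Failed password for admin from 192.0.2.45 port 51244 ssh2
Oct 11 08:10:09 web1 sshd[27251]: Accepted publickey for root from 10.4.3.1 port 40022 ssh2
Oct 11 08:10:15 web1 sshd[27255]: Accepted password for alice from 198.51.100.7 port 52001 ssh2
Oct 11 08:10:20 web1 sshd[27260]: Accepted publickey for root from 10.4.3.10 port 40023 ssh2
Oct 11 08:10:21 web1 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
Oct 11 08:10:30 web1 sshd[27262]: Received disconnect from 192.0.2.45: 11: Bye Bye
"""

# Splits timestamp, host, PROGRAM (with optional [pid]) and MESSAGE.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# program("sshd.*"): unanchored match on the PROGRAM field, so it also
# covers "sshd(pam_unix)".
PROGRAM_RE = re.compile(r"sshd.*")
# match("(Failed|Accepted)"): matched against the message text.
LOGIN_RE = re.compile(r"(Failed|Accepted)")
# The exclusion exactly as posted: dots unescaped, address not anchored.
ALLOW_AS_POSTED = re.compile(
    r"Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"
)
# Tightened version (assumption): escape the dots and require the " port "
# sshd prints after the address, so 10.4.3.10 or 110.4.3.1 no longer pass.
ALLOW_TIGHT = re.compile(
    r"Accepted (hostbased|publickey) for (root|zoneaxfr) from 10\.4\.3\.1 port "
)
SOURCE_RE = re.compile(r" from (\S+) port ")


def parse(line):
    """Split one syslog line into its fields; None if it is not in that shape."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def f_ssh_login_attempt(rec, allow_re=ALLOW_AS_POSTED):
    """program("sshd.*") and match("(Failed|Accepted)") and not match(<allow>)."""
    return bool(
        PROGRAM_RE.search(rec["program"])
        and LOGIN_RE.search(rec["msg"])
        and not allow_re.search(rec["msg"])
    )


def alerts(log_text, allow_re=ALLOW_AS_POSTED):
    """Messages the log{} statement would hand to the mail-alert destination."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and f_ssh_login_attempt(rec, allow_re):
            out.append(rec["msg"])
    return out


def failures_by_source(log_text):
    """Count "Failed ..." messages per source address."""
    counts = Counter()
    for msg in alerts(log_text):
        if msg.startswith("Failed"):
            m = SOURCE_RE.search(msg)
            if m:
                counts[m.group(1)] += 1
    return counts


def sources_over_threshold(log_text, threshold):
    """Sources with at least `threshold` failures: one mail per source, not per line."""
    return sorted(src for src, n in failures_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for msg in alerts(SAMPLE_LOG):
        print("ALERT (exclusion as posted):", msg)
    for msg in alerts(SAMPLE_LOG, ALLOW_TIGHT):
        print("ALERT (exclusion tightened):", msg)
    print("failures per source:", dict(failures_by_source(SAMPLE_LOG)))
    print("sources over threshold 3:", sources_over_threshold(SAMPLE_LOG, 3))
```

Run as a script it prints the four messages the posted filter would mail (the root login from 10.4.3.10 is silently whitelisted), the five the tightened exclusion produces, and the per-source failure count that a threshold in the mail script can key on. Note that the same substring problem applies to the syslog-ng config itself: in the mail's not match() a literal 10.4.3.1 needs escaped dots and a trailing anchor such as " port" to mean only that host.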