I've noticed over the last few months that ssh attack scanning scripts have
been proliferating. The scripts attack using a common set of usernames with
weak password combinations, and result in a long line of log entries like:
Nov 6 17:44:18 ethos sshd[3808]: Illegal user test from 211.185.202.3
Nov 6 23:06:27 ethos sshd[8521]: Illegal user rolo from 222.47.83.41
The common usernames are admin root webmaster data rolo guest test patrick
iceuser www horde wwwrun cyrus courier www-data irc jane pamela cosmin cip51
cip52 sybase oracle mysql master account server henry frank adam george
(included here for easier googling on the problem)
I use the excellent portsentry to detect and shut down IPs that do
traditional nmap-style portscans of my machines. This attack script isn't a
port scan, so it just shows up in my security log summaries every morning.
Can anyone help me out with a simple log scanning script that could detect the
'illegal user xxx' strings in /var/log/secure and issue the
"/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut these
addresses down.
The scan volume is up to about two a day on each of my servers, and I'd like
to get this crap out of my logs.
Any assistance appreciated: I and many other people would thank anyone who
would whip up a script to block this stuff.
Regards,
- Brian
--
gentoo-security@gentoo.org mailing list
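One way to do what the post asks for, as an added example that is not Brian's script and not from the gentoo-security list: a POSIX sh script that pulls the source address out of every "Illegal user ... from" line in the log, counts attempts per address, and emits (or, with APPLY=1, runs) the exact iptables rule quoted above. The log path comes from the post; the state file, allowlist, threshold and APPLY switch are assumptions added here so the script can be run repeatedly from cron without inserting duplicate rules or blocking your own addresses. The sample log lines in the comments are constructed from the two in the post.

```shell
#!/bin/sh
# Added example (not Brian's script, not from the gentoo-security list): scan an
# sshd log for "Illegal user ... from <ip>" lines and block each offending
# address with the iptables rule from the post. STATE, ALLOW, THRESHOLD and
# APPLY are assumptions, not values from the post.

LOG="${LOG:-/var/log/secure}"                 # log location named in the post
STATE="${STATE:-/var/lib/sshblock/blocked}"   # assumed: addresses already blocked
ALLOW="${ALLOW:-127.0.0.1}"                   # assumed: never block these (add your own IPs)
THRESHOLD="${THRESHOLD:-1}"                   # assumed: block after this many illegal users
APPLY="${APPLY:-0}"                           # 0 = print the rules, 1 = execute them

# Read log lines on stdin (e.g. "Nov 6 17:44:18 ethos sshd[3808]: Illegal user
# test from 211.185.202.3") and print each source IP that appears in at least
# THRESHOLD "Illegal user" lines, one per line, in sorted order. Lines that do
# not match the sshd pattern are ignored.
offending_ips() {
    sed -n -E 's/.*sshd\[[0-9]+\]: Illegal user [^ ]+ from ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Return 0 if the address is on the space-separated allowlist.
is_allowed() {
    for a in $ALLOW; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# The rule quoted in the post, for one address.
block_rule() {
    printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Block every new offending address found in the given log file. Addresses
# already recorded in STATE are skipped so repeated runs do not fill the INPUT
# chain with duplicate rules; allowlisted addresses are never touched.
block_from_log() {
    log="$1"
    mkdir -p "$(dirname "$STATE")" 2>/dev/null
    touch "$STATE"
    offending_ips < "$log" | while read -r ip; do
        is_allowed "$ip" && continue
        grep -qxF "$ip" "$STATE" && continue
        rule=$(block_rule "$ip")
        if [ "$APPLY" = 1 ]; then
            # run the rule and remember the address only if iptables accepted it
            $rule && printf '%s\n' "$ip" >> "$STATE"
        else
            printf '%s\n' "$rule"
        fi
    done
}

# Run only when a log file is given on the command line, e.g. from cron:
#   APPLY=1 sh block_ssh_scanners.sh /var/log/secure
if [ $# -gt 0 ]; then
    block_from_log "$1"
fi
```

Run it without APPLY first to see which rules it would add, then from cron with APPLY=1 once the allowlist holds every address you log in from; the state file is what keeps a ten-minute cron job from re-inserting the same rule each run. Rules inserted this way live only in the running kernel, so they are gone after a reboot unless you save them with your distribution's iptables save mechanism.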