I posted the following to the Incidents list a few hours ago; members of the Loganalysis list may also be interested.

I've developed a version of Logsurfer which has the ability to group events and raise alerts when the number of events reaches certain thresholds. With Logsurfer+ ( see http://www.crypt.gen.nz/logsurfer ) the rule to detect the sshd brute force login attacks seen recently would look like:

    #
    # detect ssh brute force
    #
    ' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)' - - - 0
        open "$2 sshd\\[[0-9]*\\]: .* from $3" - 200 1800 600 10
        report "/bin/mailx -s \"Server $2 SSH Login attempts from $3\" admin@private"
               "$2 sshd\\[[0-9]*\\]: .* from $3"

( $2 is the logging host and $3 the source address, so the subject line uses $3 for the "from" part. )

It's a little cryptic, but here 1800 is the absolute timeout from the time of the first message occurring, 600 is the relative timeout between messages and 10 is the minimum number of lines which are needed to trigger the action ( mailx in this case ). The e-mail message sent will include the collected log messages. This has the advantage that it can watch the syslog server which collects logs from any number of hosts, and the thresholds can be tuned to your needs.

Note that you should avoid using mailx in this case since it has escape codes in its input stream. Use the start-mail script which is included in the Logsurfer package.

Logsurfer+ can do a few other useful things as well. Say you have many hosts logging to a central server, and you want an alert when one of them stops logging ( maybe the remote server died, or its syslogd gets killed or whatever ).
Set up a cron job on the host like

    # "ping" is the message text; without one, logger reads its message from stdin,
    # which is empty under cron, so nothing would be logged
    0,15,30,45 * * * * /bin/logger -t syslog_ping -p local7.info ping

then on the syslog server, the Logsurfer+ rule would be

    ' ([^ ]+) syslog_ping:' - - - 0
        open " $2 syslog_ping:" - - - 2100
        exec /usr/local/bin/start-mail operator@private "Alert: syslog pings from $2 have stopped"

--
Kerry Thompson CCNA CISSP
IT Security Consultant
kerry@private
http://www.crypt.gen.nz

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
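The two rules above (the threshold rule with its absolute timeout, relative timeout and minimum line count, and the heartbeat rule that fires when pings stop) are easier to reason about with the context logic spelled out. The following is an added example written for this page, not Logsurfer+ code or anything from the original post: a small Python re-implementation of that grouping logic, run over constructed sample log lines. It assumes all lines come from the same day (it only parses the HH:MM:SS part of the syslog prefix), and the host names, addresses and timestamps in the sample are invented.

```python
"""Toy re-implementation of the post's two Logsurfer+ rules (added example, not Logsurfer+ code).

Assumptions: every line carries a 'Mon DD HH:MM:SS' syslog prefix and all lines fall on
the same day, so a timestamp is reduced to seconds since midnight.
"""
import re
from dataclasses import dataclass, field

# Same regexes as the post's rules: group 1 = logging host, group 2 = source address.
SSH_RE = re.compile(r' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)')
PING_RE = re.compile(r' ([^ ]+) syslog_ping:')
TS_RE = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} (\d\d):(\d\d):(\d\d) ')


def syslog_seconds(line):
    """Seconds since midnight taken from the syslog timestamp prefix (same-day assumption)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    hh, mm, ss = (int(x) for x in m.groups())
    return hh * 3600 + mm * 60 + ss


@dataclass
class Context:
    """One open context: the lines collected so far for a (host, source) key."""
    first: int                 # time of the first collected line (absolute timeout base)
    last: int                  # time of the most recent line (relative timeout base)
    lines: list = field(default_factory=list)


def detect_ssh_bruteforce(lines, timeout_abs=1800, timeout_rel=600, min_lines=10):
    """Group 'Invalid user' lines per (host, source); report groups reaching min_lines.

    A context closes when timeout_abs seconds have passed since its first line or
    timeout_rel seconds since its last line, mirroring the rule's '1800 600 10' fields.
    Returns a list of (host, source, collected_lines) for every reported context.
    """
    contexts, reports = {}, []

    def close(key, ctx):
        if len(ctx.lines) >= min_lines:
            reports.append((key[0], key[1], ctx.lines))

    for line in lines:
        now = syslog_seconds(line)
        # Expire contexts that hit a timeout before this line is considered.
        for key, ctx in list(contexts.items()):
            if now - ctx.first >= timeout_abs or now - ctx.last >= timeout_rel:
                close(key, contexts.pop(key))
        m = SSH_RE.search(line)
        if not m:
            continue
        ctx = contexts.setdefault((m.group(1), m.group(2)), Context(first=now, last=now))
        ctx.last = now
        ctx.lines.append(line)

    for key, ctx in contexts.items():      # flush whatever is still open at end of input
        close(key, ctx)
    return reports


def detect_missing_pings(lines, now, timeout_rel=2100):
    """Hosts whose last syslog_ping is at least timeout_rel seconds old at time `now`.

    Mirrors the second rule: every ping re-arms the host's context, and the action only
    fires if no further ping arrives within the relative timeout (2100 s > two 15-minute
    cron slots, so a single lost ping does not alert).
    """
    last_seen = {}
    for line in lines:
        m = PING_RE.search(line)
        if m:
            last_seen[m.group(1)] = syslog_seconds(line)
    return sorted(h for h, t in last_seen.items() if now - t >= timeout_rel)


def _stamp(t):
    """Constructed 'Mon DD HH:MM:SS' prefix for t seconds after midnight."""
    hh, rem = divmod(t, 3600)
    mm, ss = divmod(rem, 60)
    return "Dec 22 %02d:%02d:%02d" % (hh, mm, ss)


T10 = 10 * 3600
# Constructed sample log (invented hosts and addresses), sorted into time order:
_fast = ["%s web1 sshd[%d]: Invalid user admin from 10.0.0.5" % (_stamp(T10 + 30 * i), 2000 + i)
         for i in range(12)]                      # 12 attempts in 5.5 min -> reported
_tiny = ["%s web1 sshd[%d]: Invalid user oracle from 10.0.0.9" % (_stamp(T10 + 420 + 10 * i), 3000 + i)
         for i in range(3)]                       # 3 attempts -> below min_lines
_slow = ["%s web1 sshd[%d]: Invalid user test from 10.0.0.7" % (_stamp(T10 + 3600 + 700 * i), 4000 + i)
         for i in range(11)]                      # 700 s apart -> each expires on timeout_rel
_pings = ["%s %s syslog_ping: ping" % (_stamp(T10 + 60 * mm), host)
          for mm in (0, 15, 30, 45) for host in (["web1", "db1"] if mm <= 15 else ["web1"])]
SAMPLE_LOG = sorted(_fast + _tiny + _slow + _pings, key=syslog_seconds)

if __name__ == "__main__":
    for host, src, collected in detect_ssh_bruteforce(SAMPLE_LOG):
        print("Server %s SSH login attempts from %s (%d lines)" % (host, src, len(collected)))
    for host in detect_missing_pings(SAMPLE_LOG, now=11 * 3600):
        print("Alert: syslog pings from %s have stopped" % host)
```

The slow scan in the sample is the case the relative timeout is there for: eleven attempts from one address never trigger because no two of them fall within 600 seconds of each other, which is exactly the knob to turn down if low-and-slow scanning is what you want to catch.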
This archive was generated by hypermail 2.1.3 : Wed Dec 22 2004 - 23:39:35 PST