[logs] Re: logsurfer ssh rule for attack

From: Klaus Moeller (moeller@dfn-cert.de)
Date: Mon Jun 06 2005 - 07:15:54 PDT


On Saturday 04 June 2005 04:13, Kerry Thompson wrote:

> Here's what it should look like (beware of line wrapping):
>
> ' ([^ ]+) sshd\[[0-9]*\]: Failed password for invalid user .* from
> (.*) port ' - 10 - 0
>          open "$2 sshd\\[[0-9]*\\]: .* from $3" - 1800 600 3
>          report "/usr/local/stow/logsurfer/sbin/startmail dave
> \"security incident from $2\"" "$2 sshd\\[[0-9]*\\]: .* from $3"

There are actually two different lines sshd uses to report password 
guessing, the one above for non-existent users and another for users 
that exist in the system:

... sshd[30910]: Failed password for illegal user demo from 160.79.87.3 
port 46942 ssh2

... sshd[30921]: Failed password for simon from 160.79.87.3 port 47582 
ssh2

So, a more precise rule would be

' ([^ ]+) sshd\[[0-9]*\]: Failed password( for invalid user | ).* from
(.*) port ' - 10 - 0

Regards,
		Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (CSIRT)               DFN-CERT Services GmbH
https://www.dfn-cert.de/                               +49-40-808077-555
PGP RSA/2048, 0BB7C8F9, 6D CC 59 0F 86 0C 58 4D  35 D7 0C 55 EF 4F 42 23
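The following is an added example, not code from the post or from logsurfer: a Python re-statement of the match expression above, run over a small constructed log (the two sshd lines quoted in the post plus a few made-up lines; the host "gw" and the 10.0.0.x addresses are invented). It accepts "illegal user" as well as "invalid user", because the sample lines on the page use the former and the rule the latter, and it captures the user name, which the rule's `.*` throws away. The counting part (three failures from one source within a sliding 30-minute window) is my own simplification, not a translation of logsurfer's open/report context, and the threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Match expression modelled on the rule in the post, restructured so the user
# name is captured as well. "illegal user" is accepted alongside "invalid user"
# because the sample lines in the post use the former and the rule the latter.
FAILED_PW = re.compile(
    r' (?P<host>[^ ]+) sshd\[[0-9]*\]: Failed password for '
    r'(?P<kind>(?:invalid|illegal) user )?'
    r'(?P<user>\S+) from (?P<src>\S+) port '
)

# Classic syslog timestamp (no year); the year is supplied by the caller.
SYSLOG_TS = re.compile(r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ')

# Constructed sample log: the two sshd lines quoted in the post, plus extra
# lines to exercise the counting. "gw" and the 10.0.0.x addresses are made up.
SAMPLE_LOG = """\
Jun  4 04:13:01 gw sshd[30910]: Failed password for illegal user demo from 160.79.87.3 port 46942 ssh2
Jun  4 04:13:05 gw sshd[30915]: Failed password for invalid user test from 160.79.87.3 port 46950 ssh2
Jun  4 04:13:09 gw sshd[30921]: Failed password for simon from 160.79.87.3 port 47582 ssh2
Jun  4 04:14:00 gw sshd[30930]: Accepted password for simon from 10.0.0.7 port 40001 ssh2
Jun  4 05:00:00 gw sshd[30940]: Failed password for root from 10.0.0.9 port 50001 ssh2
""".splitlines()


def parse_line(line, year=2005):
    """Return a dict for a failed-password line, or None for anything else."""
    m = FAILED_PW.search(line)
    ts = SYSLOG_TS.match(line)
    if not m or not ts:
        return None
    when = datetime.strptime(f"{year} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "when": when,
        "host": m.group("host"),
        "user": m.group("user"),
        "src": m.group("src"),
        # True when sshd flagged the account as invalid/illegal (does not exist)
        "unknown_user": m.group("kind") is not None,
    }


def detect(lines, window_s=1800, threshold=3, year=2005):
    """Report (host, source) pairs that reach `threshold` failed passwords
    inside a sliding window of `window_s` seconds. This is a simplification
    of logsurfer's open/report context; the numbers are illustrative."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(deque)            # (host, src) -> recent events
    reports = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue                     # not a failed-password line
        key = (ev["host"], ev["src"])
        q = hits[key]
        q.append(ev)
        while q and ev["when"] - q[0]["when"] > window:
            q.popleft()                  # drop events older than the window
        if len(q) >= threshold:
            reports.append({
                "host": ev["host"],
                "src": ev["src"],
                "count": len(q),
                "users": sorted({e["user"] for e in q}),
                "unknown_users": sum(e["unknown_user"] for e in q),
                "first": q[0]["when"],
                "last": ev["when"],
            })
            q.clear()                    # one report per burst, then restart
    return reports


if __name__ == "__main__":
    for r in detect(SAMPLE_LOG):
        print(f"security incident from {r['host']}: {r['count']} failed passwords "
              f"from {r['src']} between {r['first']:%H:%M:%S} and {r['last']:%H:%M:%S}; "
              f"users tried: {', '.join(r['users'])} ({r['unknown_users']} non-existent)")
```

One thing to check when adopting the tighter match expression in an actual logsurfer rule: it inserts a capturing group before the source-address group, so if Kerry's open/report actions number the host as $2 (the first group) and the address as $3, the address moves to $4 with the new expression and the actions need adjusting accordingly.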



_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Mon Jun 06 2005 - 11:44:04 PDT