[NTLUG:Discuss] Recommendation for "Log File Analysis" and firewall updater Software/system/program

Kevin Hulse jedi at mishnet.org
Fri Dec 17 15:48:04 CST 2004


Quoting "Ralph Green, Jr." <sfreader at sbcglobal.net>:

> Dave,
>  I am a little behind on my NTLUG messages because the list has been so
> busy lately.  If you are still looking for feedback on this, read on. If
> not, just go to your next message.
>   On systems that are publicly accessible, I would second one of Chris's
> suggestions.  Disable authentication by password.  I only use
> public/private key authentication on publicly available servers.  That
> is quite safe.  It does mean you can't connect from an arbitrary
> machine.  You can only connect from a machine that has the private key
> loaded.
>   This does not answer the question you actually asked.  Why do you want
> to analyze the logs?  I don't understand what you are trying to

    He probably wants to know who's trying to root his boxes. He might
even want to ban those people.

    This bit right here is from my own personal log miner. Anytime I
find that someone has tried to gain unauthorized access to my ssh
server, I put them on a blacklist and add a firewall rule to iptables
such that their entire immediate subdomain is cut off from any access
to my system.


function _ssh_process {

class="Invalid SSH User"

###---- Pull the source address out of every "Illegal user" line.
###---- $SSH is the sshd log file, set elsewhere in the script.  The
###---- sed strips everything up to the last colon, which turns an
###---- IPv4-mapped address such as ::ffff:10.0.0.1 into 10.0.0.1.
###---- It relies on sshd logging addresses that way: a plain
###---- "from 10.0.0.1" line would only lose the "sshd[pid]:" prefix
###---- and the for loop below would word-split the whole message.
IPS=$( grep ssh "$SSH" | grep Illegal | sed 's/.*://g' | sort -u )

for ip in $IPS
do
     ###---- spit out the log entry as soon as we find the ip ---###
     ###---- _islogged prints 0 when the address is not yet listed;
     ###---- $SEP, $DATESPEC and $BLACKLIST are set elsewhere.
     if [ "$(_islogged "$ip")" -eq 0 ]
     then
         echo "Putting $ip in the Blacklist."
         echo "$ip${SEP}$(date +"$DATESPEC")${SEP}$class" >> "$BLACKLIST"
         _blacklist_process "$ip"     ###--- adds the iptables rule

         ###--- If we are in daemon mode then regenerate the logs
         ###--- each time we find a new address to block.  Note that
         ###--- $2 is the function's own second argument, so the
         ###--- caller has to pass the mode through.
         if [ "$2" = "daemon" ]
         then
             _generate_logs
         fi
     fi
done
}



> accomplish there, so I can't comment.
> Have a good day,
> Ralph
>
> On Sat, 2004-12-11 at 00:55, David Simmons, PE wrote:
> > Subject line says it all...I keep noticing multiple ssh login failures
> > (which are not me) and while I feel good about my passwords - I know
> > it's just a matter of time!? Want something that auto-magically analyzes
> > the logs to secure the system.
> >
> > Thanks in advance - dave
>
>
>
> _______________________________________________
> https://ntlug.org/mailman/listinfo/discuss
>


-- 
Under Construction.                       |||
                                         / | \


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
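A self-contained version of the log-mining-to-firewall-rule idea described in the message above, as an added example that is not Kevin's script or anything posted to the list. It generalizes a little beyond the fragment: besides listing every address that probed for a nonexistent account ("Illegal user" in 2004-era OpenSSH, "Invalid user" in later releases), it also lists addresses with repeated "Failed password" lines, with a threshold so one typo from a legitimate user is not blocked. The log lines are constructed for the example, the function names are mine, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: mine sshd log lines for brute-force sources and emit
# iptables DROP rules.  Not the script from the original message.

# Constructed sample log (not real data).  The ::ffff: prefix is how an
# sshd bound to an IPv6 socket logs IPv4 clients.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Dec 17 01:02:03 host sshd[1234]: Illegal user test from ::ffff:192.0.2.10
Dec 17 01:02:04 host sshd[1234]: Illegal user admin from ::ffff:192.0.2.10
Dec 17 01:05:10 host sshd[1240]: Invalid user oracle from 198.51.100.7
Dec 17 01:06:00 host sshd[1250]: Accepted publickey for dave from 203.0.113.5 port 4711 ssh2
Dec 17 01:07:00 host sshd[1260]: Failed password for root from 198.51.100.23 port 3333 ssh2
Dec 17 01:07:01 host sshd[1261]: Failed password for root from 198.51.100.23 port 3334 ssh2
Dec 17 01:07:02 host sshd[1262]: Failed password for root from 198.51.100.23 port 3335 ssh2
Dec 17 01:09:00 host sshd[1270]: Failed password for dave from 203.0.113.5 port 4712 ssh2
EOF

# ssh_offenders LOGFILE [THRESHOLD]
# Prints one offending IPv4 address per line, sorted and deduplicated.
# Any address that tried a nonexistent account is listed at once; an
# address is also listed once it has THRESHOLD (default 3) password
# failures, so a single typo from a real user is left alone.
ssh_offenders() {
    _log=$1
    _threshold=${2:-3}
    {
        grep -E 'sshd\[[0-9]+\]: (Illegal|Invalid) user ' "$_log" \
        | sed -E 's/.* from (::ffff:)?([0-9.]+).*/\2/'
        grep -E 'sshd\[[0-9]+\]: Failed password for ' "$_log" \
        | sed -E 's/.* from (::ffff:)?([0-9.]+) port .*/\2/' \
        | sort | uniq -c \
        | awk -v n="$_threshold" '$1 >= n { print $2 }'
    } | sort -u
}

# blacklist_rules [PREFIXLEN]
# Reads addresses on stdin and prints one iptables rule each.  PREFIXLEN
# defaults to 32 (the single host); 24 would drop the whole /24 the way
# the original message describes.  Pipe the output into sh as root to
# apply it; printing first lets you eyeball what is about to be blocked.
blacklist_rules() {
    _len=${1:-32}
    while read -r ip; do
        case "$ip" in
            *[!0-9.]*|"") continue ;;   # refuse anything but a dotted quad
        esac
        printf 'iptables -I INPUT -s %s/%s -j DROP\n' "$ip" "$_len"
    done
}

ssh_offenders "$LOG" | blacklist_rules
```

The two greps deliberately anchor on `sshd[pid]:` so that a line from another daemon that happens to mention "Invalid user" does not get an address extracted; the `case` guard in `blacklist_rules` is the second line of defence, since everything on the right of "from" in a log line is attacker-controlled text that ends up in a root-run command.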


