How to react to "authentication failures" in log file - SSH



Thread: How to react to "authentication failures" in log file

  1. How to react to "authentication failures" in log file

    Is it possible to run a script when the server logs one of these messages?

    Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname=
    uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname=
    uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname=
    uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root

    I'm getting several of these every night. It seems that someone finds some
    break-in script and tries to run it against my server. Currently I'm just
    reacting to it. When the logwatch report comes in the morning, I use iptables
    to block the remote IP. I'd like to automate that process.

    I'm thinking that either sshd can launch a script in reaction to this event
    or one can run a script periodically to scan the logfile and determine which
    IP to add to iptables. Maybe even flush iptables periodically to keep the
    reject list short.

    Before I start to re-invent the wheel, any suggestions about this? Maybe
    there are tools already available for this purpose?

    PS. Any options in sshd to throttle down these logon events?

    Saludos,
    Orlando



  2. Re: How to react to "authentication failures" in log file

    "Orlando Amador" writes:

    > Is it possible to run a script when the server logs one of these messages?
    >
    > Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    >
    > I'm getting several of these every night. It seems that someone finds some
    > break-in script and tries to run it against my server.



    These automated attacks on sshd on the root account are extremely
    common now. An extremely effective way to get around this, if your
    users will tolerate it, is to simply move sshd to a high numbered port
    other than 22.

    > Currently I'm just reacting to it. When the logwatch report comes in
    > the morning, I use iptables to block the remote IP. I'd like to
    > automate that process.
    >
    > I'm thinking that either sshd can launch a script in reaction to this event
    > or one can run a script periodically to scan the logfile and determine which
    > IP to add to iptables. Maybe even flush iptables periodically to keep the
    > reject list short.
    >
    > Before I start to re-invent the wheel, any suggestions about this? Maybe
    > there are tools already available for this purpose?


    IPS systems for intrusion prevention are basically an intrusion
    detection engine coupled with something to modify some firewall rules
    dynamically to choke off such attempts.

    But you add a new thing to maintain at that point. If you can just
    move the listening port to another port....

    --
    Todd H.
    http://www.toddh.net/

  3. Re: How to react to "authentication failures" in log file

    Orlando Amador wrote:
    > Is it possible to run a script when the server logs one of these messages?
    >
    > Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root


    Disable password authentication for root and use a public/private key
    scheme. You can keep your private key (with passphrase!) on a USB stick
    and your other boxen. This effectively increases the amount of
    possibilities for an attacker without the key to about 2048 bits. On the
    other hand it's easier to break a stolen encrypted private key than it
    is to guess the same passphrase over the network. In the end, I think
    the trade-offs are very much in favor of public/private key, though.

    There's also a piece of software called denyhosts, but make sure you
    configure it correctly or you'll find yourself unable to log in.

    It's best to use a combination of both. (And always enforce strong user
    passwords, duh).

  4. Re: How to react to "authentication failures" in log file

    set

    PermitRootLogin without-password

    that means that you can log on as root, but only using keys (use of
    root password is not going to get you logged on).

    i

    On Thu, 01 Mar 2007 08:37:25 +0100, Steven Mocking wrote:
    > Orlando Amador wrote:
    >> Is it possible to run a script when the server logs one of these messages?
    >>
    >> Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname=
    >> uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    >> Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname=
    >> uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    >> Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname=
    >> uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root

    >
    > Disable password authentication for root and use a public/private key
    > scheme. You can keep your private key (with passphrase!) on a USB stick
    > and your other boxen. This effectively increases the amount of
    > possibilities for an attacker without the key to about 2048 bits. On the
    > other hand it's easier to break a stolen encrypted private key than it
    > is to guess the same passphrase over the network. In the end, I think
    > the trade-offs are very much in favor of public/private key, though.
    >
    > There's also a piece of software called denyhosts, but make sure you
    > configure it correctly or you'll find yourself unable to log in.
    >
    > It's best to use a combination of both. (And always enforce strong user
    > passwords, duh).


  5. Re: How to react to "authentication failures" in log file


    "Todd H." wrote in message
    news:84slcqp5k9.fsf@ripco.com...
    > "Orlando Amador" writes:
    >>
    >> I'm thinking that either sshd can launch a script in reaction to this
    >> event
    >> or one can run a script periodically to scan the logfile and determine
    >> which
    >> IP to add to iptables. Maybe even flush iptables periodically to keep
    >> the
    >> reject list short.
    >>
    >> Before I start to re-invent the wheel, any suggestions about this? Maybe
    >> there are tools already available for this purpose?

    >
    > IPS systems for intrusion prevention are basically an intrusion
    > detection engine coupled with something to modify some firewall rules
    > dynamically to choke off such attempts.
    >
    > But you add a new thing to maintain at that point. If you can just
    > move the listening port to another port....
    >
    > --
    > Todd H.
    > http://www.toddh.net/


    Thanks for the pointer to the IPS systems. I did a search and found several
    open source options, including denyhosts (http://denyhosts.sourceforge.net/).
    One other system is fail2ban (http://www.fail2ban.org). This last one will
    scan multiple log files. One can configure which log files to scan, what
    messages will trigger an action, and how long to ban the source IP. It
    works with iptables and it only requires python. I'm trying that one and
    we'll see how it works.

    Once again, Thanks for the response.

    Saludos,
    Orlando
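    The approach the original post asks for (scan the log, count failures per
    source IP, add the IP to iptables, flush the entry again later) and the
    fail2ban knobs described in this reply (which message triggers an action,
    how many in what period, how long to ban) can be shown in a few dozen lines.
    The following is an added example written for this thread; it is not code
    from fail2ban, denyhosts or SSH Block 2. It assumes unwrapped single-line
    pam_unix records as in the original post (the three records above are reused,
    the 192.0.2.x lines are constructed) and only renders the iptables commands
    as strings rather than executing them.

```python
"""Sliding-window ban policy over sshd/pam_unix 'authentication failure' lines.

Added example for this thread; not the code of any tool mentioned here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One unwrapped pam_unix failure record. The syslog timestamp carries no year,
# so the caller supplies it. 'ruser=' is skipped by the \b before 'user='.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*"
    r"\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S*)"
)


def parse_failure(line, year):
    """Return (timestamp, rhost, user) for a failure record, else None."""
    m = FAILURE_RE.match(line)
    if not m or not m["rhost"]:  # no source host recorded: nothing to block
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rhost"], m["user"]


def scan(lines, year, maxretry=3, findtime=timedelta(seconds=60),
         bantime=timedelta(minutes=10)):
    """Count failures per rhost inside a sliding window of `findtime`.

    A host that reaches `maxretry` failures in the window is banned from the
    timestamp of the triggering record until that time plus `bantime`.
    Returns {rhost: ban_expiry (datetime)}.
    """
    recent = defaultdict(deque)  # rhost -> timestamps of recent failures
    bans = {}
    for line in lines:
        rec = parse_failure(line, year)
        if rec is None:
            continue
        ts, rhost, _user = rec
        window = recent[rhost]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and rhost not in bans:
            bans[rhost] = ts + bantime
    return bans


def render(bans, now_iso):
    """iptables commands to apply as of `now_iso` (ISO 8601 string).

    Active bans get an insert-DROP rule; lapsed ones get the matching delete,
    which is the periodic 'flush' the original post asks about. Commands are
    returned as strings, never executed here.
    """
    now = datetime.fromisoformat(now_iso)
    add = [f"iptables -I INPUT -s {h} -j DROP"
           for h, until in sorted(bans.items()) if until > now]
    remove = [f"iptables -D INPUT -s {h} -j DROP"
              for h, until in sorted(bans.items()) if until <= now]
    return {"add": add, "remove": remove}


# Constructed sample: the three records from the original post, unwrapped onto
# one line each, plus two lines made up for this example (192.0.2.x is a
# documentation range). The last line is a success and must be ignored.
SAMPLE_LOG = [
    "Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root",
    "Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root",
    "Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root",
    "Feb 28 05:26:02 www sshd(pam_unix)[27460]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Feb 28 05:26:05 www sshd[27461]: Accepted publickey for orlando from 192.0.2.20 port 51234 ssh2",
]

if __name__ == "__main__":
    bans = scan(SAMPLE_LOG, 2007)
    for host, until in bans.items():
        print(f"ban {host} until {until.isoformat()}")
    print(render(bans, "2007-02-28T05:30:00"))
    print(render(bans, "2007-02-28T05:36:00"))
```

    With the default policy (3 failures within 60 seconds, 10 minute ban) the
    host from the original post is banned at 05:25:29 and released at 05:35:29,
    while the single constructed failure from 192.0.2.10 never reaches the
    threshold. Running `render` on a schedule, once with the current time, is the
    "flush iptables periodically" step; a real deployment would also whitelist
    its own management addresses before inserting rules, which is the
    configure-it-correctly point made about denyhosts earlier in the thread.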



  6. Re: How to react to "authentication failures" in log file

    "Orlando Amador" writes:

    > Thanks for the pointer to the IPS systems. I did a search and found several
    > open source options, including denyhosts (http://denyhosts.sourceforge.net/).
    > One other system is fail2ban (http://www.fail2ban.org). This last one will
    > scan multiple log files. One can configure which log files to scan, what
    > messages will trigger an action, and how long to ban the source IP. It
    > works with iptables and it only requires python. I'm trying that one and
    > we'll see how it works.
    >
    > Once again, Thanks for the response.
    >


    Cool! Glad to help point ya in the right direction for your needs.


    --
    Todd H.
    http://www.toddh.net/

  7. Re: How to react to "authentication failures" in log file

    On Wed, 28 Feb 2007 08:40:18 -0400, Orlando Amador wrote:

    > Is it possible to run a script when the server logs one of these messages?
    >
    > Feb 28 05:25:18 www sshd(pam_unix)[27446]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:23 www sshd(pam_unix)[27450]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    > Feb 28 05:25:29 www sshd(pam_unix)[27452]: authentication failure; logname=
    > uid=0 euid=0 tty=ssh ruser= rhost=222.90.234.68 user=root
    >
    > I'm getting several of these every night. It seems that someone finds some
    > break-in script and tries to run it against my server. Currently I'm just
    > reacting to it. When the logwatch report comes in the morning, I use iptables
    > to block the remote IP. I'd like to automate that process.
    >
    > I'm thinking that either sshd can launch a script in reaction to this event
    > or one can run a script periodically to scan the logfile and determine which
    > IP to add to iptables. Maybe even flush iptables periodically to keep the
    > reject list short.
    >
    > Before I start to re-invent the wheel, any suggestions about this? Maybe
    > there are tools already available for this purpose?
    >
    > PS. Any options in sshd to throttle down these logon events?
    >
    > Saludos,
    > Orlando


    I have had the same problem, so I've been working on a script for this.
    Actually, I've been developing it for a couple of years now; it is now called
    SSH Block 2. You can download it from the following address:
    http://bluedogsecurity.cyberinfo.se/sshblock2/
    Hope it will work alright for you!

    --
    Jack-Benny
    http://bluedogsecurity.cyberinfo.se
    http://jke.mine.nu
