Hi Phill,
On Fri, 13 Jan 2006, Phill Coxon wrote:
> I just jumped into the command line and noticed kernel messages for
> failed ssh2 login attempts for bogus users.
>
> Checking my logs it turns out that someone has been trying to hack into
> my ADSL connected computer since the 9th with a brute force script
> trying different usernames and passwords.
>
> I've blocked ssh access for the moment.
>
> Questions:
>
> (1) Is there some desktop monitoring utility that will immediately
> notify me of suspicious behaviour? I'm rather disturbed that it's taken
> me 4 days to notice this.

daemonshield runs as a daemon watching sshd logs and pam logs for failed
logins. If these reach a threshold then an iptables rule blocks the IP for
a given period of time.

> (2) Recommendations for log parsing software that monitors suspicious
> logs?

logwatch will pick up these attempts and also the successful ones.

> (3) Recommended strategies for dealing with break-in attempts like this?
> Ban the IPs for a while?

unplug your ADSL :-)

> Thanks!

Dave van Leeuwen
Analyst Programmer
University of Canterbury
New Zealand
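The approach Dave describes (count failed sshd logins per source IP, block the IP with iptables once a threshold is reached, and have a log summary also surface the successful logins) can be sketched in a few dozen lines. The following is an added example written for this thread, not daemonshield's or logwatch's own code: it parses syslog-style sshd lines, keeps a sliding window of failures per IP, and returns the iptables commands a blocking daemon would issue rather than running them. The log lines are constructed, the year is assumed (syslog timestamps carry none), and all function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamps have no year, so one is assumed for parsing.
ASSUMED_YEAR = 2006

# Matches the "Failed password" / "Accepted password|publickey" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line):
    """Return (timestamp, kind, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m.group("kind"), m.group("user"), m.group("ip")


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP that reached `threshold` failures inside any `window`
    to the time it first crossed the threshold. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[1] != "Failed":
            continue
        ts, _, _, ip = ev
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def successes_after_failures(lines):
    """(ip, user) pairs where an IP logged in successfully after failing
    earlier; this is the case worth reading closely in a log summary."""
    failed_ips, hits = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        _, kind, user, ip = ev
        if kind == "Failed":
            failed_ips.add(ip)
        elif ip in failed_ips:
            hits.append((ip, user))
    return hits


def block_commands(offenders, port=22):
    """The iptables rules a blocking daemon would insert (returned, not executed);
    a real daemon also removes them again after its configured period."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


# Constructed sample log, in time order. 203.0.113.45 hammers the host,
# 198.51.100.7 fails twice then succeeds, 10.0.0.5 fails five times but
# spread over two hours, 192.0.2.10 is a clean login.
SAMPLE_LOG = [
    "Jan 12 03:00:00 myhost sshd[1100]: Failed password for root from 10.0.0.5 port 50000 ssh2",
    "Jan 12 03:14:07 myhost sshd[1234]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2",
    "Jan 12 03:14:09 myhost sshd[1235]: Failed password for root from 203.0.113.45 port 51236 ssh2",
    "Jan 12 03:14:12 myhost sshd[1236]: Failed password for invalid user test from 203.0.113.45 port 51238 ssh2",
    "Jan 12 03:14:15 myhost sshd[1237]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2",
    "Jan 12 03:14:18 myhost sshd[1238]: Failed password for root from 203.0.113.45 port 51242 ssh2",
    "Jan 12 03:14:21 myhost sshd[1239]: Failed password for invalid user guest from 203.0.113.45 port 51244 ssh2",
    "Jan 12 03:16:01 myhost CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 03:20:01 myhost sshd[1250]: Failed password for phill from 198.51.100.7 port 40000 ssh2",
    "Jan 12 03:20:05 myhost sshd[1250]: Failed password for phill from 198.51.100.7 port 40000 ssh2",
    "Jan 12 03:20:30 myhost sshd[1251]: Accepted password for phill from 198.51.100.7 port 40002 ssh2",
    "Jan 12 03:30:00 myhost sshd[1300]: Failed password for root from 10.0.0.5 port 50001 ssh2",
    "Jan 12 03:45:00 myhost sshd[1310]: Accepted publickey for dave from 192.0.2.10 port 41000 ssh2",
    "Jan 12 04:00:00 myhost sshd[1400]: Failed password for root from 10.0.0.5 port 50002 ssh2",
    "Jan 12 04:30:00 myhost sshd[1500]: Failed password for root from 10.0.0.5 port 50003 ssh2",
    "Jan 12 05:00:00 myhost sshd[1600]: Failed password for root from 10.0.0.5 port 50004 ssh2",
]

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, when in offenders.items():
        print(f"{ip} crossed threshold at {when:%b %d %H:%M:%S}")
    for cmd in block_commands(offenders):
        print(cmd)
    for ip, user in successes_after_failures(SAMPLE_LOG):
        print(f"review: {user} logged in from {ip} after earlier failures")
```

Two details matter in practice: the window keeps a slow, spread-out probe (10.0.0.5 above) from ever being blocked, which is why the threshold and window are the knobs such daemons expose, and the "success after failures" list is the part a summary tool should put at the top, since that is the one line that indicates a guess may have landed rather than merely been attempted.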
