Set Up Swatch To Monitor Security Logs

Linux is reasonably secure out of the box, but that does not stop attackers from scouring the Internet for systems with easily guessed passwords. Check the daily LogWatch report for your Linux systems; if you see something like the following, you should probably do something before one of those attempts succeeds:

sshd:
   Authentication Failures:
      unknown (64.161.121.11): 699 Time(s)
      root (211.136.107.81): 31 Time(s)
        .
        .
One way to solve this problem is to use iptables to filter these attempts but I chose to go a slightly simpler route. First of all, make sure you have swatch installed so you can easily monitor log files:

# yum install swatch

Then create a swatch configuration file called /etc/swatchrc containing the following ($1 ... $15 are the whitespace-separated words of the matching log line, which is why swatch is started with --awk-field-syntax below):

# Bad login attempts
watchfor   /Failed password for/
        exec "/usr/local/admin/bin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15"
Then you will want the /usr/local/admin/bin/bad_user script to do the work. Below is my script:

#! /bin/bash
#
# Called by swatch with the words of one "Failed password for" line as arguments.
IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
[ -n "$IP" ] || exit 0    # never null-route an empty address

# -F: the dots in the address are literal, not regex wildcards
# -w: 10.0.0.1 must not also count 10.0.0.10
ATTEMPTS=`grep -F -w "$IP" /var/log/secure | grep -c "Failed password for"`

if [ $ATTEMPTS -gt 2 ]
then
        # Null-route the attacker: our replies go to loopback, so no handshake completes
        route add -host $IP lo
        MINUTES=`expr $ATTEMPTS - 2`
        # This runs as root, so use an unguessable temp file rather than /tmp/.bad_user.$$
        TMP=`mktemp /tmp/bad_user.XXXXXX` || exit 1
        # stdout and stderr of at(1) both go into the file (order of redirections matters)
        echo "route del -host $IP lo 2> /dev/null" | at now +$MINUTES minutes > $TMP 2>&1
        (hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
                echo "Blocking for $MINUTES minutes" ; \
                cat $TMP ) | Mail -s "bad user" root
        rm -f $TMP
fi

 
 
Briefly, what this does is allow two failed logins from an address before blocking any further access from it: on the third failure a host route for the offending IP is added via the loopback interface (a null route, so the server's replies never reach the attacker and no TCP handshake can complete), and an at job removes the route 1 minute later. Because the count is taken from the whole of /var/log/secure, each further attempt after a block expires is blocked for a longer period (attempts minus two, in minutes) until the log is rotated. A few things to keep in mind: the at daemon (atd) must be running or the route will never be removed; the script runs as root from swatch, so it must not be writable by anyone else; and nothing here exempts your own addresses, so mistyping your own password three times will lock you out for a while too.

Finally you need to start swatch to get it to watch your logfile and protect your system (tail -F follows the file by name, so monitoring survives log rotation):

# /usr/bin/swatch --config-file=/etc/swatchrc --tail-file=/var/log/secure \
        --awk-field-syntax --tail-args "-F" &



 
 
   Regards
Rahul Kolan
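The decision logic of the bad_user script, written as an added example so it can be exercised against a constructed log without touching the routing table. This is not the original post's script: the function names (extract_ip, count_failures, decide, block_ip), the optional whitelist file and the sample sshd lines are assumptions made for illustration, and it goes slightly beyond the original by exempting whitelisted addresses and refusing to act on an empty address.

```shell
#!/bin/sh
# Added example: dry-run version of the bad_user decision logic.
# Not the original script; function names, the whitelist file and the
# sample log lines below are assumptions for illustration.

# Pull the client address out of one sshd "Failed password for ..." line,
# stripping the ::ffff: prefix of IPv4-mapped IPv6 addresses as the original did.
extract_ip() {
    printf '%s\n' "$1" \
        | sed -n 's/^.* from \([^ ]*\) port .*/\1/p' \
        | sed 's/^::ffff://'
}

# Count "Failed password for" lines for one address in a log file.
# -F: the dots are literal; -w: 192.0.2.9 must not also count 192.0.2.90.
count_failures() {
    local n
    n=$(grep -F -w -- "$1" "$2" | grep -c 'Failed password for') || true
    printf '%s\n' "${n:-0}"
}

# Apply the original policy to one address: two free failures, then a block of
# (attempts - 2) minutes. Prints "allow" or "block <minutes>".
# $1 = address, $2 = log file, $3 = optional whitelist file (one address per line).
decide() {
    local ip=$1 log=$2 allow=${3:-/dev/null} attempts
    [ -n "$ip" ] || { echo allow; return 0; }          # never null-route ""
    if grep -F -x -q -- "$ip" "$allow"; then            # our own hosts
        echo allow; return 0
    fi
    attempts=$(count_failures "$ip" "$log")
    if [ "$attempts" -gt 2 ]; then
        echo "block $((attempts - 2))"
    else
        echo allow
    fi
}

# The real action, for wiring into swatch (needs root, at(1) and a running atd):
# null-route the address, schedule removal of the route, and mail root.
block_ip() {
    local ip=$1 minutes=$2 tmp
    tmp=$(mktemp /tmp/bad_user.XXXXXX) || return 1      # unguessable name; we run as root
    route add -host "$ip" lo || { rm -f "$tmp"; return 1; }
    echo "route del -host $ip lo 2>/dev/null" | at now + "$minutes" minutes >"$tmp" 2>&1
    { hostname; echo "IP=$ip"; echo "Blocking for $minutes minutes"; cat "$tmp"; } \
        | mail -s "bad user" root
    rm -f "$tmp"
}

# Constructed sample of /var/log/secure (not real data), written to the file named in $1.
write_sample_log() {
    cat >"$1" <<'EOF'
Mar  1 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:07 bastion sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Mar  1 10:01:00 bastion sshd[1005]: Failed password for alice from 198.51.100.7 port 50010 ssh2
Mar  1 10:01:02 bastion sshd[1006]: Failed password for alice from 198.51.100.7 port 50011 ssh2
Mar  1 10:01:04 bastion sshd[1007]: Accepted password for alice from 198.51.100.7 port 50012 ssh2
Mar  1 10:02:00 bastion sshd[1008]: Failed password for invalid user test from ::ffff:192.0.2.9 port 5020 ssh2
Mar  1 10:02:02 bastion sshd[1009]: Failed password for invalid user test from ::ffff:192.0.2.9 port 5021 ssh2
Mar  1 10:02:04 bastion sshd[1010]: Failed password for invalid user test from ::ffff:192.0.2.9 port 5022 ssh2
Mar  1 10:03:00 bastion sshd[1011]: Failed password for bob from 192.0.2.90 port 6000 ssh2
EOF
}

# Dry run: show what the policy would do for each address in the sample.
main() {
    local log ip
    log=$(mktemp) || exit 1
    write_sample_log "$log"
    for ip in 203.0.113.5 198.51.100.7 192.0.2.9 192.0.2.90; do
        printf '%-14s failures=%s -> %s\n' "$ip" \
            "$(count_failures "$ip" "$log")" "$(decide "$ip" "$log")"
    done
    rm -f "$log"
}
main
```

Running it prints one line per address: 203.0.113.5 (4 failures) would be blocked for 2 minutes, 192.0.2.9 (3 failures, logged with the ::ffff: prefix) for 1 minute, and 198.51.100.7 and 192.0.2.90 are left alone. To use it from swatch, call extract_ip on the line swatch hands over, then decide, and invoke block_ip only on a "block" result; the whitelist argument is where your own management addresses go so a few typos do not null-route you.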