As the original submitter wrote, the ssh scan noise is a problem, as important
log entries may get hidden among hundreds of scan lines, and workarounds
(rate limits, port changes etc.) just cause problems for legitimate use.

I wrote a small perl script that one can run instead of syslog-summary
by defining two lines in logcheck.conf:

SYSLOGSUMMARY=1
SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh

This will print out (instead of 1000+ lines of ssh entries) lines like
the ones below:

(normal logcheck output...)
Dec 21 21:55:30 host getty[4302]: tty1: input overrun

Invalid SSH login attempts: 1056
 425 192.0.2.1
 391 192.0.2.2
 121 192.0.2.3
  59 192.0.2.42
  44 192.0.2.9
  12 192.0.2.65
   3 192.0.2.39
   1 192.0.2.144
User names tried:
 0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
 4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
 Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
 (cut...)

Inverse mapping failures: 44
   44 192.0.2.9 !=> www.example.com


-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/

#!/usr/bin/perl -wT

# log-summary-ssh
# Selects two lines that are very common with ssh scans.
# This script removes those from output and prints out aggregate
# statistics for those (both by host and by attempted user names).
#
# Reads from stdin or from command line arguments and prints to stdout.
#
# If you want to use this with logcheck, copy this to
# /usr/local/sbin/log-summary-ssh and add following lines to
# /etc/logcheck/logcheck.conf (or your config file):
#
# SYSLOGSUMMARY=1
# SYSLOG_SUMMARY=/usr/local/sbin/log-summary-ssh
#
# If you want to use both syslog-summary and this script, you need to
# write some kind of wrapper around those:
# #!/bin/sh
# syslog-summary "$@" | log-summary-ssh
#
# Markus Peuhkuri <[EMAIL PROTECTED]> 2005
# Use of this file is unrestricted.

use strict;
use Text::Wrap qw/wrap/;

my %h;                          # failed attempts per source host (ip => count)
my %u;                          # user names tried in failed attempts (name => count)
my $sshc = 0;                   # total number of failed attempts seen
my %inv;                        # failed ip => host mappings (ip => {name => count})
my $invf = 0;                   # total number of inverse mapping failures seen

# Syslog prefix of a line from sshd: "Dec 21 21:55:30 host sshd[4302]: ".
# The full patterns must stay on one line each: a pattern broken across
# lines contains a newline and never matches a log line.
my $prefix = qr/^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: /;

while (<>) {
  # "Illegal user" is the wording of OpenSSH up to 3.8; 3.9 and later log
  # "Invalid user" and may append " port NNN", so both forms are accepted.
  if (m/${prefix}(?:Illegal|Invalid) user (.*) from (\S+)(?: port [0-9]+)?$/) {
    my ($user, $ip) = ($1, $2);
    $h{$ip}++;
    $u{$user}++;
    $sshc++;
  # OpenSSH has spelled this message both "BREAKIN" and "BREAK-IN",
  # hence BREAK-?IN.
  } elsif (m/${prefix}Address (\S+) maps to (\S+), but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!/) {
    $inv{$1}{$2}++;
    $invf++;
  } else {
    print $_;                   # anything else goes through untouched
  }
}

if ($sshc > 0) {
  printf "\nInvalid SSH login attempts: %d\n", $sshc;
  # busiest source hosts first
  for (sort {$h{$b} <=> $h{$a}} keys %h) {
    printf "% 4d %s\n", $h{$_}, $_;
  }
  my @users;
  for (sort keys %u) {
    push @users, sprintf("%s (%d)", $_, $u{$_});
  }
  print "\nUser names tried:\n", wrap(" ", " ", join(", ", @users)), "\n";
}

if ($invf > 0) {
  printf "\nInverse mapping failures: %d\n", $invf;
  for my $ip (sort keys %inv) {
    for (sort keys %{$inv{$ip}}) {
      printf "% 5d %s !=> %s\n", $inv{$ip}{$_}, $ip, $_;
    }
  }
}
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
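The same aggregation as an added example, written for this page and not taken from the poster's script or from the logcheck project: a Python filter that passes every line that is not sshd scan noise through unchanged and collapses the noise into the per-source and per-username counts shown in the post, in the same layout. It goes a little beyond the Perl script in that it accepts both the older "Illegal user" wording and the later "Invalid user ... port N" form, and both the "BREAKIN" and "BREAK-IN" spellings that different OpenSSH releases have used. The regexes assume the classic BSD syslog prefix ("Dec 21 21:55:30 host sshd[4302]: "); a syslog configured for ISO timestamps would need a different SYSLOG_PREFIX. The lines in SAMPLE_LOG are constructed for the example.

```python
"""Collapse sshd scan noise in a syslog stream into aggregate counts.

Added example, not the original poster's Perl script nor logcheck code.
Lines that are not sshd scan noise are passed through unchanged.
SAMPLE_LOG is constructed for this example.
"""
import re
import sys
from collections import Counter, defaultdict
from textwrap import fill

# Classic BSD syslog prefix: "Dec 21 21:55:30 host sshd[4302]: " (assumed).
SYSLOG_PREFIX = r"^\w{3} [ :0-9]{11} [\w.-]+ sshd\[\d+\]: "

# "Illegal user" (OpenSSH <= 3.8) or "Invalid user" (3.9 and later, which
# may append " port NNN"). Group 1: user name tried, group 2: source address.
INVALID_USER = re.compile(
    SYSLOG_PREFIX + r"(?:Illegal|Invalid) user (.*) from (\S+)(?: port \d+)?$")

# Reverse-DNS mismatch; spelled both "BREAKIN" and "BREAK-IN" over the years.
# Group 1: source address, group 2: the name its PTR record claimed.
REVERSE_MAP = re.compile(
    SYSLOG_PREFIX + r"Address (\S+) maps to (\S+), but this does not map back "
    r"to the address - POSSIBLE BREAK-?IN ATTEMPT!$")


def summarise(lines):
    """Split lines into (passthrough, attempts_by_ip, users, inverse_failures)."""
    passthrough = []
    by_ip = Counter()                 # source address -> failed attempts
    users = Counter()                 # user name tried -> count
    inverse = defaultdict(Counter)    # address -> claimed name -> count
    for raw in lines:
        line = raw.rstrip("\n")
        m = INVALID_USER.match(line)
        if m:
            by_ip[m.group(2)] += 1
            users[m.group(1)] += 1
            continue
        m = REVERSE_MAP.match(line)
        if m:
            inverse[m.group(1)][m.group(2)] += 1
            continue
        passthrough.append(line)      # everything else is reported as-is
    return passthrough, by_ip, users, inverse


def render(passthrough, by_ip, users, inverse):
    """Format the summary in the same layout as the Perl script's output."""
    out = list(passthrough)
    total = sum(by_ip.values())
    if total:
        out += ["", f"Invalid SSH login attempts: {total}"]
        # busiest sources first, address as tie-breaker for stable output
        for ip, n in sorted(by_ip.items(), key=lambda kv: (-kv[1], kv[0])):
            out.append(f"{n:4d} {ip}")
        names = ", ".join(f"{u} ({users[u]})" for u in sorted(users))
        out += ["", "User names tried:",
                fill(names, width=72, initial_indent=" ", subsequent_indent=" ")]
    if inverse:
        failures = sum(sum(c.values()) for c in inverse.values())
        out += ["", f"Inverse mapping failures: {failures}"]
        for ip in sorted(inverse):
            for name, n in sorted(inverse[ip].items()):
                out.append(f"{n:5d} {ip} !=> {name}")
    return "\n".join(out) + "\n"


# Constructed sample input: one unrelated line, scan noise in both wordings,
# two reverse-mapping failures (both spellings) and one normal login.
SAMPLE_LOG = """\
Dec 21 21:55:30 host getty[4302]: tty1: input overrun
Dec 21 21:56:01 host sshd[4410]: Illegal user admin from 192.0.2.1
Dec 21 21:56:02 host sshd[4412]: Illegal user test from 192.0.2.1
Dec 21 21:56:03 host sshd[4415]: Invalid user admin from 192.0.2.2 port 51234
Dec 21 21:56:04 host sshd[4418]: Address 192.0.2.9 maps to www.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 21 21:56:05 host sshd[4420]: Address 192.0.2.9 maps to www.example.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Dec 21 21:56:06 host sshd[4421]: Accepted publickey for alice from 192.0.2.50 port 40000 ssh2
"""

if __name__ == "__main__":
    # Filter stdin, e.g. as a SYSLOG_SUMMARY replacement or after syslog-summary.
    sys.stdout.write(render(*summarise(sys.stdin)))
```

Run it as a filter (`log-summary-ssh.py < /var/log/auth.log`) or call `render(*summarise(SAMPLE_LOG.splitlines()))` to see the sample collapse to two passthrough lines plus the three-attempt and two-failure summaries. Because the user-name part is `(.*)`, a probe that sends a name containing " from " is still attributed to the correct source address: the pattern backtracks to the last " from " that is followed by a valid address and optional port, so the reported username simply contains the extra text.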