Good day:
This past weekend we have been seeing a lot of rule 5701 being triggered for SSH
version gathering.
Rule: 5701 fired (level 10) -> "Possible attack on the ssh
server (or version gathering)."
From doing some digging, I believe I can get the IP address of the attacker
with the following console / SSH command:
grep -B1 'Bad protocol' /var/log/secure
Example output:
grep -B1 'Bad protocol' /var/log/secure
Jun 24 06:51:16 vps sshd[14930]: Connection from 14.42.237.139 port 3760
Jun 24 06:51:16 vps sshd[14930]: Bad protocol version identification '\026\003' from UNKNOWN
--
Jun 24 12:33:56 vps sshd[26349]: Connection from 109.166.171.24 port 1853
Jun 24 12:33:56 vps sshd[26349]: Bad protocol version identification '\026\003' from UNKNOWN
What's the best way to translate this into a rule so that, when rule 5701 is
triggered, OSSEC looks at the line before it with the same timestamp to get
the IP address, so that OSSEC could block the IP?
Thank you.
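As an added example (not code from the original post, and not an OSSEC rule), here is the correlation the post describes done in Python. It goes beyond the grep in one way: instead of relying on the timestamp of the previous line, it keys on the sshd child PID that both the "Connection from" line and the "Bad protocol version" line carry, so it still attributes correctly when several connections land in the same second. The sample log is constructed from the post's own lines plus two invented entries (192.0.2.10 and PID 26500) to show a benign connection and an unattributable event.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the post.
# The 192.0.2.10 login and the PID 26500 event are invented for illustration.
SAMPLE_LOG = r"""Jun 24 06:51:16 vps sshd[14930]: Connection from 14.42.237.139 port 3760
Jun 24 06:51:16 vps sshd[14930]: Bad protocol version identification '\026\003' from UNKNOWN
Jun 24 12:33:56 vps sshd[26349]: Connection from 109.166.171.24 port 1853
Jun 24 12:33:56 vps sshd[26349]: Bad protocol version identification '\026\003' from UNKNOWN
Jun 24 12:40:01 vps sshd[26400]: Connection from 192.0.2.10 port 50000
Jun 24 12:40:02 vps sshd[26400]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jun 24 12:45:00 vps sshd[26500]: Bad protocol version identification 'xyz' from UNKNOWN
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
CONN_RE = re.compile(TS + r" \S+ sshd\[(?P<pid>\d+)\]: Connection from (?P<ip>\S+) port (?P<port>\d+)")
BAD_RE = re.compile(TS + r" \S+ sshd\[(?P<pid>\d+)\]: Bad protocol version identification")


def attribute_bad_protocol(lines):
    """Attribute each 'Bad protocol version' event to the client address logged
    by the same sshd child in its earlier 'Connection from' line.
    Returns a list of dicts with ts, pid, ip and port; ip is 'UNKNOWN' when no
    matching 'Connection from' line was seen (e.g. log rotated mid-session)."""
    pending = {}  # pid -> (ip, port) from the most recent 'Connection from' line
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            pending[m["pid"]] = (m["ip"], m["port"])
            continue
        m = BAD_RE.match(line)
        if m:
            # pop: sshd child PIDs are reused once the process exits
            ip, port = pending.pop(m["pid"], ("UNKNOWN", None))
            hits.append({"ts": m["ts"], "pid": m["pid"], "ip": ip, "port": port})
    return hits


def offenders(hits, threshold=1):
    """Source addresses with at least `threshold` attributed events; these are
    the candidates an active-response block would act on. UNKNOWN is skipped."""
    counts = Counter(h["ip"] for h in hits if h["ip"] != "UNKNOWN")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for h in attribute_bad_protocol(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} pid={h['pid']} ip={h['ip']} port={h['port']}")
    print(offenders(attribute_bad_protocol(SAMPLE_LOG.splitlines())))
```

Feed it `grep sshd /var/log/secure` output to check which addresses your rule-5701 alerts really correspond to before wiring up a block.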